Activeworx.org Forums
 
New Post 11/2/2007 8:38 PM
  paulr
21 posts
9th Level Poster


Sensor name - same policy 
I just ran into something that seems like it could be a problem but maybe there is something obvious I'm missing.

I want to put two sensors on the same policy. When they were independent each snort.conf contained a sensor_name=name variable that was sent to MySQL. Then I can tell which sensor is which in BASE.

Now that I'm using the same policy it is going to upload the same name to both sensors correct? Is there a way to get around that?

In BASE it numbers them....but I don't know from that number which is which aside from the fact that I know which one was added first...

Anyway...just wondering if the different sensor names can remain somehow and I've got too many windows open to think straight so I'm hoping someone has the answer. :-)

Thanks.
 
New Post 11/2/2007 8:46 PM
  Jeff Dell
233 posts
www.activeworx.com
1st Level Poster


Re: Sensor name - same policy 

You can use a variable name for the sensor name in the database output module. Do the following:

1. Create a variable in the policy called sensorname = <default name>

2. In the DB output put $sensorname as the sensor name.

3. In each sensor set sensorname = <sensor name>

Make sense?

 

Cheers,

Jeff

 

 
New Post 11/5/2007 5:06 PM
  paulr
21 posts
9th Level Poster


Re: Sensor name - same policy 
I thought so...but no, not now that I'm trying it.

I tried creating a variable but I can't get it to set to say $HOSTNAME from the OS.

I can't hard code it because then both sensors still receive the same name.

Am I on the right track? If I could set the snort.conf to use the $HOSTNAME from the OS that would be fine.....but setting a variable to $HOSTNAME in the conf doesn't appear to work. --maybe there is some little trick I'm needing to let it know it's an 'external' variable I'm trying to call?


Thanks.
 
New Post 11/6/2007 12:41 AM
  paulr
21 posts
9th Level Poster


Re: Sensor name - same policy 
Okay...maybe I'm on to something.

If it's the Variables tab in the per-sensor configuration that passes the variable down I think I've got it figured out...

AND MySQL will be happier. :-)
 
New Post 11/6/2007 2:28 AM
  Jeff Dell
233 posts
www.activeworx.com
1st Level Poster


Re: Sensor name - same policy 
Exactly, the sensor variable overwrites any variable that exists in the policy. So if you have a variable set in the policy it will appear in the dropdown within the sensor variables for you to change.

Cheers,
Jeff
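
The override behaviour described in this thread, as an added example that is not part of the original posts and is not Activeworx code: it models a shared policy variable with per-sensor overrides, renders the resulting snort.conf lines, and reports sensors that would still log to the database under the same name. The rendering layout, the sensor names and the database settings are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: one shared policy variable and one database output line.
POLICY_VARS = {"sensorname": "default-sensor"}
OUTPUT_LINE = ("output database: log, mysql, user=snort dbname=snort "
               "host=localhost sensor_name=$sensorname")


def render_conf(policy_vars, sensor_vars):
    """Sensor-level variables override policy-level ones with the same name."""
    effective = {**policy_vars, **sensor_vars}
    lines = [f"var {name} {value}" for name, value in effective.items()]
    return "\n".join(lines + [OUTPUT_LINE])


def resolved_sensor_name(conf_text):
    """Expand $variables and return the sensor_name the output line ends up with."""
    variables = {}
    for line in conf_text.splitlines():
        m = re.match(r"var\s+(\S+)\s+(\S+)", line)
        if m:
            variables[m.group(1)] = m.group(2)
        elif line.startswith("output database:"):
            # Variables with no definition are left as-is in this sketch.
            expanded = re.sub(r"\$(\w+)",
                              lambda v: variables.get(v.group(1), v.group(0)), line)
            name = re.search(r"sensor_name=(\S+)", expanded)
            return name.group(1) if name else None
    return None


def name_collisions(policy_vars, sensors):
    """Return {sensor_name: [sensors]} for names shared by more than one sensor."""
    by_name = defaultdict(list)
    for sensor, overrides in sensors.items():
        conf = render_conf(policy_vars, overrides)
        by_name[resolved_sensor_name(conf)].append(sensor)
    return {n: s for n, s in by_name.items() if len(s) > 1}


if __name__ == "__main__":
    no_override = {"sensor-a": {}, "sensor-b": {}}
    overridden = {"sensor-a": {"sensorname": "sensor-a"},
                  "sensor-b": {"sensorname": "sensor-b"}}
    print(name_collisions(POLICY_VARS, no_override))  # both fall back to the default
    print(name_collisions(POLICY_VARS, overridden))   # no collisions
```
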
 
Copyright 2000-2007 by Activeworx, Inc.
All trademarks and copyrights on this page are owned by their respective owners.