snort, postgres, bridge

From: Louis Kowolowski (louisk_at_bend.com)
Date: 08/28/03

    Date: Thu, 28 Aug 2003 11:37:42 -0700
    To: freebsd-security@freebsd.org

    I've been prowling through the FreeBSD and Snort list archives in
    search of information on setting up snort on a FreeBSD bridge(4)
    that logs to a remote postgres box via a third interface (hme0).
    Snort is being started with the following command:

    /usr/local/bin/snort -A full -D -e -d -s -i fxp0 -c /usr/local/etc/snort.conf

    fxp0 and fxp1 are the interfaces in the bridge. Output from sysctl:

    net.link.ether.bridge_cfg: fxp0:0,fxp1:0
    net.link.ether.bridge: 1
    net.link.ether.bridge_ipfw: 0
    net.link.ether.bridge_ipf: 1
    net.link.ether.bridge_ipfw_drop: 0
    net.link.ether.bridge_ipfw_collisions: 0

    The snort.conf is attached. I've attempted to start with a pretty
    generic config, just to ensure things work.

    The problem appears to be that snort simply doesn't log to the remote
    postgres box (yes, there are host entries in pg_hba.conf, and other
    databases are accessible remotely, so I believe that is not the issue).
    I've just been running trafshow to watch connections.

    Any hints/pointers/solutions welcome.

    Thanks

    -- 
    Louis Kowolowski                                louisk@cryptomonkeys.org
    Crypto Monkeys:                     http://www.cryptomonkeys.org/~louisk
    IRC:                                    outcast-consultants.biz#outcasts
    gpg info:                           http://www.cryptomonkeys.org/~louisk/gurgi.html
    gpg print:            F04B 9A37 822A 4CE1 95CE  4D28 1AFF CCB7 DE4B A841
    Everyone is a genius.  It's just that
    some people are too stupid to realize it.