Logging to an analysis server (Snort IDS only); Setting up the analysis server for Snort IDS - McAfee SG310 Administration Manual

Firewall menu options
Advanced Intrusion Detection and Prevention

Logging to an analysis server (Snort IDS only)

Typically, Snort in IDS mode is configured to log intrusion attempts to a remote database server, which in turn runs an analysis console. An analysis console, such as BASE (Basic Analysis and Security Engine), is an application purpose-built for analyzing this log output. See Setting up the analysis server for Snort IDS for information about analysis server tools.

1. From the Firewall menu, click Intrusion Detection > Snort tab. The Snort Configuration page appears. Scroll to the bottom of the page to the log results area (Figure 206).

Figure 206 Log IDS to MySQL DB

2. [Optional] To log to a MySQL database, select the Log results to database checkbox. If the checkbox is cleared, results are output to the system log.
3. The device currently supports only the MySQL Database Type.
4. Enter the table name of the remote database in the Database Name field.
5. Enter the IP address or resolvable host name of the analysis server in the Hostname field.
6. Enter the database port of the analysis server in the Database port field. For MySQL type databases, this is typically 3306.
7. [Optional] To prepend an arbitrary string to the log output, enter the string in the Sensor Name field. This is useful if you have deployed more than one intrusion detection system and need to differentiate their records during analysis.
8. Enter the user name and password required for authentication to the remote database in the User name and Password fields. Repeat the password in the Confirm Password field.
9. Click Submit.

Setting up the analysis server for Snort IDS

Specific open source tools must be installed on the analysis server for a straightforward evaluation. The analysis server is typically a Pentium 4-level system running Linux (such as Red Hat or Debian) with sufficient memory and disk capacity to run a database and Web server, and with at least one Ethernet port. With these tools installed, Web pages can be created that display, analyze, and graph the data stored in the MySQL database by the UTM Firewall appliance running Advanced Intrusion Detection. The tools should be installed in the following order:
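As an added example (not code from the McAfee guide or from BASE), the query an analysis console effectively runs against the Snort database: events joined to the sensor and signature tables, so that records from two appliances with different Sensor Names (step 7) can be separated. It assumes the Snort 2.x database-plugin schema and that the Sensor Name is stored in sensor.hostname; SQLite stands in for MySQL and all rows are constructed.

```python
"""Summarize Snort IDS events per sensor in a Snort-style analysis database.

Added example, not from the McAfee guide. In-memory SQLite stands in for the
MySQL analysis server; tables follow the Snort 2.x database-plugin schema
(sensor, signature, event) as assumed here, with the appliance's Sensor Name
assumed to be stored in sensor.hostname.
"""
import sqlite3

SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
"""

# Constructed sample rows: two appliances logging to one database, told
# apart only by the Sensor Name prefix configured in step 7.
SAMPLE_ROWS = {
    "sensor": [(1, "branch-a:eth1", "eth1"), (2, "branch-b:eth1", "eth1")],
    "signature": [(10, "ICMP PING NMAP"), (11, "WEB-MISC /etc/passwd")],
    "event": [
        (1, 1, 10, "2009-05-01 10:00:00"),
        (1, 2, 10, "2009-05-01 10:00:05"),
        (1, 3, 11, "2009-05-01 10:01:00"),
        (2, 1, 11, "2009-05-01 10:02:00"),
    ],
}


def load_sample_db():
    """Create the schema and load the constructed rows into SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def events_per_sensor(conn):
    """Return {sensor hostname: {signature name: event count}}: the join an
    analysis console runs to attribute alerts to the sensor that logged them."""
    sql = """SELECT s.hostname, g.sig_name, COUNT(*)
               FROM event e JOIN sensor s ON e.sid = s.sid
                            JOIN signature g ON e.signature = g.sig_id
              GROUP BY s.hostname, g.sig_name"""
    summary = {}
    for host, sig, count in conn.execute(sql):
        summary.setdefault(host, {})[sig] = count
    return summary
```

Without a distinct Sensor Name per appliance, both sensors' rows would collapse into one hostname and the per-appliance breakdown would be lost.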
McAfee UTM Firewall 4.0.4 Administration Guide
