[prelude-user] Connexion problem between Snort and prelude-manager
ScottO
skippylou at gmail.com
Wed Apr 23 16:15:06 CEST 2008
Hi Sylvain,
If you are in fact trying to connect to a remote Prelude Manager, then on
your Snort box you need to specify the right address. In the client.conf,
default location is: /usr/local/etc/prelude/default/client.conf, you would
set the server-addr to be the address of your remote manager.
Then restart Snort.
On Wed, Apr 23, 2008 at 10:01 AM, Sylvain Chillaud <sylvain.chillaud at gmail.com> wrote:
> Hi all,
>
> we've encountered a problem when trying to make a snort sensor connect to a
> remote Prelude-manager.
> the error message we get is as follows (at the end of the initialization of
> Snort):
>
> Initializing Network Interface eth0
> Decoding Ethernet on interface eth0
> 23 Apr 15:02:42 (process:12702) INFO: Connecting to 127.0.0.1:4690 prelude Manager server.
> 23 Apr 15:02:42 (process:12702) WARNING: Failover enabled: connection error with 127.0.0.1:4690: Connection refused
>
>
> What we don't understand is the fact that the registration went well.
> The command we used to register is: *prelude-admin register snort "idmef:w admin:r" @prelude-manager --uid snort --gid snort*
> the prelude manager received the request, we entered the command:
> *prelude-admin registration-server prelude-manager --passwd=<password>* and then entered
> the password in snort, which said that it had registered well. (we also
> tried without the --passwd option to have a generated password, but the
> result remains the same)
>
> We've found a similar case with Ossec when looking into the prelude mailing
> list archive
> (http://lists.prelude-ids.org/pipermail/prelude-user/2008-March/002367.html),
> where it was suggested to change the server-addr in the client.conf of
> prelude. However, this parameter was already configured with the server
> address, not 127.0.0.1.
>
> The problem seems to come from the computer hosting snort, but I don't know
> why it's doing this and where I can correct it.
>
> Has anyone met this kind of problem with snort and prelude? Any idea where
> it can come from?
>
> Thanks in advance,
>
> Sylvain
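A quick check of which manager address a given client.conf actually contains, to compare against the `127.0.0.1:4690` shown in the sensor log. This is an added example, not part of the original thread or of Prelude's own tooling; it assumes `key = value` lines with `#` comments and that `||` / `&&` may separate several addresses, and the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch. Assumed file syntax: "server-addr = host[:port]",
# lines starting with '#' are comments.

# Print the active (uncommented) server-addr value(s) from the file in $1.
prelude_server_addr() {
    sed -n 's/^[[:space:]]*server-addr[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//'
}

# Return 0 if $1 (host or host:port) is a loopback address.
is_loopback() {
    case "$1" in ::1) return 0 ;; esac
    case "${1%%:*}" in
        127.*|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Report every configured address; return 1 if none is set or any is loopback.
check_client_conf() {
    conf=$1
    rc=0
    addrs=$(prelude_server_addr "$conf")
    if [ -z "$addrs" ]; then
        echo "$conf: no active server-addr line"
        return 1
    fi
    for a in $addrs; do
        case "$a" in '||'|'&&') continue ;; esac
        if is_loopback "$a"; then
            echo "$conf: server-addr $a is loopback"
            rc=1
        else
            echo "$conf: server-addr $a"
        fi
    done
    return $rc
}

# Constructed sample: the remote address is commented out, loopback is active.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '[prelude]' '# server-addr = 192.0.2.10' \
        'server-addr = 127.0.0.1' > "$tmp"
    check_client_conf "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# With a path argument, check that file; otherwise run the constructed demo.
if [ "$#" -gt 0 ]; then check_client_conf "$1"; else demo || true; fi
```

Run it against each client.conf present on the sensor host, for example the default location named in the reply, to see which file still carries a loopback address.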