Hey,

What we would like to do is have the IDS boot from cd and have snort log to an external firewire HDD.
The problem is that we would like to use MySql and ACID to view the activity, but we are not sure how to have MySql log the activity to the external HDD instead of RAM drive. We are not sure how to view the alerts from ACID, once we have them on the external HDD.


Thanks


csi

First off, Welcome to Screaming Electron csi!

Why not try a flash stick for ACID / MySQL entries, and boot off your own custom Freesbie (http://www.freesbie.org/) bootable CD.

Freesbie is a great idea for this. You can make it into anything and it would be easy to update and tweak it. I've used an external firewire drive on FreeBSD and it works great and is nice and fast. It probably would be a good place to store logs. USB flash would work but I'd be more concerned about wearing out the flash with the repeated writing.

I was actually developing a product similar to this a while back. There's real niche to fill here, as there aren't very many (if any) portable IDS boxes out there.

We were actually doing the following and it worke quite nicely:

Soekris 4801 with a compact flash (runs O.S.) and a 40 gig 2.5 inch hdd. Box is loaded with whatever O.S. you want. In my case OpenBSD w/snort, a mysql client, and a base set of CML utils.

Box logs raw data to two places, 2.5 inch hdd, and to a remote database server which houses an incident repository that could compare attacks.

I actually had this working a while back and it was quite nice. The best part was it could be used for active intrusion incident monitoring and analysis.

Best of Luck!

Hey,

Thanks for the suggestions about Freesbie, but we are makinng our own bootable CD.
The problem we are having is that we dont know how to make MySQL know where to put its database on the external HDD.

We are fairly new to MySQL and don't have much experience with it.
The idea is that you can deploy this IDS as fast as possible and in as few steps as possible, and it will not write to the internal drive of the host PC. Just pop the CD in, connect the firewire HDD and go. So to keep with this idea we want to have as little pre-preparation of the external FireWire HDD as possible, prefererably it will only have to be formatted.

It is my understanding that the database has to be configured before we burn our bootable CD, but in that case I do not understand how to make it reside on the external HDD.
(Maybe a preconfigured database can be copied to the drive after boot? Then MySQL and ACID will look here?)

This is for a school project, so unfortunatly we have some time constraints and cant switch to another Linux distro. We have already done a minimal install of Red Hat 9.

Any help would be GREATLY appreciated,
Thanks alot
csi

well there's a mysql.server script that's supplied with the program. Just edit the database location var. and you're good to go.

So i should change that variable to a mount point that the firewire drive will hotplug to (or i will have to manually mount it if i cant figure that out) and MySQL will write the database to the root directory on the empty drive?

And then i would tell ACID to look for the mysql database at that same mount point?

(PS. Is the variable for database location 'datadir' ?)

you got it

Thanks, you rock!!!:biggrin:

We will let you know how we make out!

csi

HI :icon_smil


We've been working on the IDS and it's coming along fairly nicely.
We've been recompiling our kernel to use devfs and creating a ram drive for var and tmp and wrestling with other issues since our root file system will be mounted read only. Now we've finally got around to testing the bit where mysql saves it's database to another location.

As a test for this we reset our databases so we have a nice empty template.
Then I mount a usb stick and changed the 'datadir' in the mysql start script to point to the location of the mounted usb. Now I 'cp -a' the mysql /var directory (containing our database directory and other files [because i dont know what the other files in that directory do, so i copied them over just to be safe) BUT when the files are copied over the permissions get changed.
I tried to chown the directory so that it is owned by mysql but I get "Operation not permitted"

The USB stick is formatted using Fat.

If i try to start mysql I dont get any errors, it just doesnt start.

Any help? please :confused:

Fat32 mounts take permissions of the mount point. Make sure the mount point is mounted as the user and with the perms you want before you mount it. Fat will limit how much you can do with permissions. Either leave it wide open or format it UFS.

Ok. Well my mount point is /mnt/database and i just tried
'chown mysql database' from the /mnt directory and it gives me the message
"chown: changing ownership of 'database': Operation not permitted"

I'm not really sure why it won't let me do this.

Is it already mounted? You can't change it unless you unmount it. You are doing this as root, right?

Yep I am root. Sorry, i didn't think to unmount it. Thanks.

Ok when i unmount the device the chown command ran without complaint and changed the owner and group of the database to mysql, but as soon as i mount the usb stick the owner and group changes back to root.

Also, when i ask mysql to log the database to another directory it automatically changes the permissions on that directory itself. I've tested logging to a folder other than the default, and also a regular (local) directory mounted to another local directory. So it seems the problem mysql is having has something to do with the USB stick maybe?
Any ideas?

Thanks

Does the memory stick have to be fat32? If you use a native filesystem on it then you should be able to chmod/chown it like any other local mount.

Hey,

We just got our extertnal HDD bay with firewire in. WooHoo. We are now having a problem mounting the external bay. We cant seem to get it to mount. We went to the Linux 1394 page and followed the instructions, but still cant seem to get it to wrk. Linux detects it.

Do we need a driver for it maybe? Any suggestions would help alot.


Thanks



CSI

Linux you say? :silly:

While this is a BSD-related site, I'll tell you what I can considering I haven't used firewire on Linux. I've played with firewire drives on FreeBSD 5.x and it's really easy to use. The support for firewire is in the generic kernel and it shows up as da0 ( or daX if you have other da devices) and works out of the box.

You are going to need the following modules modprobed or compiled in:
ieee1394
ohci1394
sbp2

It should show up as a SCSI drive at this point ( sda, sdb, etc.) You can then run a fdisk -l to see the partitions and use it like any other drive. I'm still going to recomend that you set it up as a native filesystem instead of fat32 to save yourself a lot of headaches. Should be fairly straightforward once you have the kernel modules loaded.