Snort mailing list archives
Re: ACID inputting from alerts?
From: "Scott A. McIntyre" <scott () xs4all nl>
Date: Wed, 9 May 2001 22:30:33 +0200
> Scott, if you are logging to a database, the "full" alert functionality is enabled by default by the database plug-in. Look at the "detail" configuration parameter of the database plug-in documented in README.database.
Nope, not logging to a database directly -- sorry, I should have been more clear about this. I have loads of sensors that I aggregate alerts from on a management station, which also performs rule management for the sensors. At the moment I am parsing transferred binary logs through a "database.conf" that reads the rules for the appropriate sensor and inputs the alerts into the database on the management station. This works fantastically but has the slight drawback of less than ideal parsing in a time-critical fashion.

Since the only way I can think of to rotate a snort binary log is to kill the daemon (running snort in daemon mode), which creates another file, unless I regularly do this it's tough to make sure that I only input each alert event once. With the text based alerts, which are also generated on the sensors, it's easier to use logrotate or newsyslog or whatever to make sure that the file is rotated on a regular basis, that it's not added to, and thus, easy to import into ACID for analysis.

If snort could read the binary file back with a time search, it would probably help (as in, yyyy/mm/dd.hh:mm:ss-yyyy/mm/dd.hh:mm:ss would only match timestamped entries for that range); that may be in the works for 2.0, not sure.

I'm very open to other ways of solving this; the fundamental architecture won't be changing (central mgt with remote sensors) though, and I have very tight rules as to how the data gets to the management station (so no logging to the mysql database from the sensors directly)...

Thanks!

Scott

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
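The time-range read-back Scott asks for above can be done outside snort, since a snort binary log written with -b is an ordinary tcpdump (pcap) file. The script below is an added example, not code from the thread or from the Snort project: it parses the pcap record headers directly, keeps only records whose capture timestamp falls in a yyyy/mm/dd.hh:mm:ss-yyyy/mm/dd.hh:mm:ss range, and writes them out (global header copied verbatim) as a smaller pcap that can then be replayed with snort -r for import. It also accepts an optional high-water mark (the newest timestamp already imported) so that re-running it over a file the daemon is still appending to picks up each record once, which addresses the rotation problem without killing the daemon. Assumptions, all labelled in the code: the range is interpreted as UTC (pcap stores epoch seconds; snort prints local time), only the classic pcap format is handled (not pcapng), and the sample file is constructed inline.

```python
"""Time-range filter for a snort -b (tcpdump/pcap) log.

Added example; not part of the original mailing-list thread or of Snort.
Assumptions: classic pcap format only (not pcapng); range strings are UTC.
"""
import struct
import sys
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4          # magic as read in the writer's byte order
GLOBAL_HDR_LEN = 24              # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RANGE_FMT = "%Y/%m/%d.%H:%M:%S"  # the yyyy/mm/dd.hh:mm:ss form from the e-mail


def parse_range(spec):
    """'yyyy/mm/dd.hh:mm:ss-yyyy/mm/dd.hh:mm:ss' -> (start, end) epoch seconds, UTC assumed."""
    start_s, end_s = spec.split("-", 1)
    start = datetime.strptime(start_s, RANGE_FMT).replace(tzinfo=timezone.utc).timestamp()
    end = datetime.strptime(end_s, RANGE_FMT).replace(tzinfo=timezone.utc).timestamp()
    if end < start:
        raise ValueError("range end precedes range start")
    return start, end


def iter_records(data):
    """Yield (timestamp, raw_record_bytes) for each pcap record, header included.

    Raw bytes are returned so selected records can be rewritten unchanged.
    Raises ValueError on a non-pcap file or a truncated record.
    """
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("truncated pcap global header")
    magic_le = struct.unpack_from("<I", data, 0)[0]
    if magic_le == PCAP_MAGIC:
        endian = "<"
    elif magic_le == 0xD4C3B2A1:   # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    rec_hdr = struct.Struct(endian + "IIII")   # ts_sec, ts_usec, incl_len, orig_len
    off = GLOBAL_HDR_LEN
    while off + rec_hdr.size <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = rec_hdr.unpack_from(data, off)
        end = off + rec_hdr.size + incl_len
        if end > len(data):
            raise ValueError("truncated pcap record at offset %d" % off)
        yield ts_sec + ts_usec / 1e6, data[off:end]
        off = end
    if off != len(data):
        raise ValueError("trailing bytes after last record")


def filter_by_time(data, start, end, after=None):
    """Select records with start <= ts <= end, and ts > after when a high-water mark is given.

    Returns (pcap_bytes, count, newest_ts). The output carries the original
    global header, so it is itself a valid pcap for `snort -r`.
    """
    selected = []
    newest = after
    for ts, rec in iter_records(data):
        if ts < start or ts > end:
            continue
        if after is not None and ts <= after:
            continue
        selected.append(rec)
        if newest is None or ts > newest:
            newest = ts
    return data[:GLOBAL_HDR_LEN] + b"".join(selected), len(selected), newest


def build_sample_pcap(timestamps):
    """Constructed sample: a little-endian pcap with one dummy frame per timestamp."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i, ts in enumerate(timestamps):
        frame = bytes([i & 0xFF]) * 20     # not a real packet, just filler
        usec = int(round((ts - int(ts)) * 1e6))
        body += struct.pack("<IIII", int(ts), usec, len(frame), len(frame)) + frame
    return hdr + body


if __name__ == "__main__":
    # usage: script.py in.pcap out.pcap yyyy/mm/dd.hh:mm:ss-yyyy/mm/dd.hh:mm:ss [after_epoch]
    start, end = parse_range(sys.argv[3])
    after = float(sys.argv[4]) if len(sys.argv) > 4 else None
    with open(sys.argv[1], "rb") as f:
        out, n, newest = filter_by_time(f.read(), start, end, after)
    with open(sys.argv[2], "wb") as f:
        f.write(out)
    print("wrote %d records; newest timestamp %s" % (n, newest))
```

Persist the printed newest timestamp between runs and pass it back as the fourth argument; records at or before it are skipped, so the same alert cannot be imported twice even while the daemon keeps appending to the file. Truncated trailing records (the daemon mid-write) raise rather than being silently dropped, which is the safer failure for an import job.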
Current thread:
- ACID inputting from alerts? Scott A. McIntyre (May 09)
- <Possible follow-ups>
- Re: ACID inputting from alerts? roman (May 09)
- Re: ACID inputting from alerts? Scott A. McIntyre (May 09)