Snort mailing list archives
process models for handling events
From: Wynn Fenwick <wfenwick () FHLSim com>
Date: Tue, 05 Feb 2002 19:39:22 -0500
Hi Folks,

I'd like to solicit some opinions on the analysis of process models around Snort and multiple databases.

Currently my client uses an incoming database which the sensors log to, and the events are processed as they come in. There are many false positives, but we chose not to PASS them because in aggregate they could indicate an incident. For example, observation of policy violations which are random events are not incidents, but if we observe them happening over time on a regular basis, the pattern is established and it becomes an incident. We use a single archive database to keep all of these events for this reason.

However, when we want to generate monthly or weekly metrics to keep the PHBs sure that the system is worth the funding, we have a problem. ACID doesn't allow us to create reports "except the following signatures", or at least I can't figure out how to besides with NOT'ed TCP/IP/ICMP/content filters.

I don't want a third database if I can help it because it's SOOOOooo slow to move events to a third "incidents-only" database.

Lastly, I'd like to be able to "cache" or bookmark certain queries for reports that we commonly run on a weekly or monthly basis (hell, even daily if it comes cheap).

Does anyone else do anything like this? I'd like to know before I go about trying my hand at PHP and SQL - there's lots of good source to start from thanks to Roman's excellent work.

W

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- process models for handling events Wynn Fenwick (Feb 05)
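The three things the post asks for (a report that excludes a list of signatures without deleting them, a query that turns repeated low-value events into a pattern, and a way to bookmark those queries) can all be done in SQL against the one archive database, with no third database. The following is an added example written for this archive page, not code from the post, from ACID or from the Snort project. It assumes a subset of the Snort database schema (`sensor`, `signature`, `event`, `iphdr`, with `ip_src`/`ip_dst` stored as 32-bit integers), replicated in an in-memory SQLite database and filled with constructed sample events; the `report_exclude` table and the two views are the example's own additions, and the `substr(timestamp,1,10)` date truncation would be `DATE(timestamp)` on MySQL.

```python
"""Noise-excluded weekly signature report and a 'recurring pattern' query,
run over a minimal replica of the Snort/ACID event tables in SQLite."""
import sqlite3

# Assumed subset of the Snort DB schema (column names as in the snort
# create_* scripts; verify against your own database before reuse).
# report_exclude and the two views are additions made for this example:
# the exclusion list is data, so analysts can edit it without touching SQL,
# and the views act as the "bookmarked" queries the post asks about.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                        sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER,
                    ip_dst INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE report_exclude (sig_name TEXT PRIMARY KEY);

CREATE VIEW event_all AS
  SELECT e.sid, e.cid, e.timestamp, s.sig_name, s.sig_priority,
         i.ip_src, i.ip_dst
  FROM event e
  JOIN signature s ON s.sig_id = e.signature
  JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid;

CREATE VIEW event_reportable AS
  SELECT * FROM event_all
  WHERE sig_name NOT IN (SELECT sig_name FROM report_exclude);
"""

def ip2int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int2ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

# Constructed sample data: four signatures, ten events over ~two weeks.
SIGNATURES = [
    (1, "ICMP PING NMAP", 3),
    (2, "WEB-MISC robots.txt access", 3),
    (3, "POLICY FTP anonymous login attempt", 2),
    (4, "WEB-IIS cmd.exe access", 1),
]
EVENTS = [  # (cid, sig_id, timestamp, src, dst)
    (1, 1, "2002-01-28 01:00:00", "10.0.0.5", "192.168.1.10"),
    (2, 1, "2002-01-29 01:05:00", "10.0.0.5", "192.168.1.10"),
    (3, 1, "2002-01-31 01:02:00", "10.0.0.5", "192.168.1.10"),
    (4, 2, "2002-01-30 12:00:00", "10.0.0.6", "192.168.1.20"),
    (5, 3, "2002-01-28 22:10:00", "10.0.0.7", "192.168.1.30"),
    (6, 3, "2002-01-30 22:12:00", "10.0.0.7", "192.168.1.30"),
    (7, 3, "2002-02-01 22:09:00", "10.0.0.7", "192.168.1.30"),
    (8, 3, "2002-01-29 03:00:00", "10.0.0.9", "192.168.1.30"),
    (9, 4, "2002-02-02 14:30:00", "10.0.0.9", "192.168.1.20"),
    (10, 4, "2002-02-10 09:00:00", "10.0.0.9", "192.168.1.20"),  # outside window
]
# Signatures left out of the management report but kept in the archive.
NOISY = ["ICMP PING NMAP", "WEB-MISC robots.txt access"]

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO sensor VALUES (1, 'sensor1:eth0')")
    db.executemany("INSERT INTO signature VALUES (?,?,?)", SIGNATURES)
    for cid, sig, ts, src, dst in EVENTS:
        db.execute("INSERT INTO event VALUES (1,?,?,?)", (cid, sig, ts))
        db.execute("INSERT INTO iphdr VALUES (1,?,?,?)",
                   (cid, ip2int(src), ip2int(dst)))
    db.executemany("INSERT INTO report_exclude VALUES (?)",
                   [(n,) for n in NOISY])
    return db

def signature_report(db, start, end):
    """Event count per signature in [start, end), excluded signatures removed.
    Returns [(sig_name, sig_priority, count)], most severe first."""
    return db.execute("""
        SELECT sig_name, sig_priority, COUNT(*) AS n
        FROM event_reportable
        WHERE timestamp >= ? AND timestamp < ?
        GROUP BY sig_name, sig_priority
        ORDER BY sig_priority, n DESC""", (start, end)).fetchall()

def recurring_sources(db, start, end, min_days=3):
    """(source, signature) pairs seen on at least min_days distinct days in
    the window. Runs over event_all, not the filtered view, because the
    whole point of keeping the noise is that repetition of it is the
    incident. Returns [(src_ip, sig_name, distinct_days, events)]."""
    rows = db.execute("""
        SELECT ip_src, sig_name,
               COUNT(DISTINCT substr(timestamp, 1, 10)) AS days, COUNT(*) AS n
        FROM event_all
        WHERE timestamp >= ? AND timestamp < ?
        GROUP BY ip_src, sig_name
        HAVING COUNT(DISTINCT substr(timestamp, 1, 10)) >= ?
        ORDER BY days DESC, n DESC, ip_src""", (start, end, min_days)).fetchall()
    return [(int2ip(src), name, days, n) for src, name, days, n in rows]

if __name__ == "__main__":
    db = build_db()
    week = ("2002-01-28 00:00:00", "2002-02-04 00:00:00")
    for row in signature_report(db, *week):
        print("report  ", row)
    for row in recurring_sources(db, *week):
        print("pattern ", row)
```

In the sample data the nightly NMAP ping from 10.0.0.5 is dropped from the weekly report but surfaces in the pattern query, which is exactly the distinction the post draws between a random policy violation and an established one. On a production MySQL archive the same views can be created once and reused by ACID's own PHP, so the "bookmark" costs nothing at query time; the exclusion join should sit on the indexed `signature.sig_id` rather than on `sig_name` if the event table is large.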