Snort mailing list archives
RE: snort output
From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Tue, 5 Aug 2003 09:34:51 -0600
Tried to send an email with the following question... I have the OpenSSL configured and working from the consolidated sguil system. I can access it fine from this system via OpenSSL. I was previously using the sguild -u -c options and was accessing the sguil system from a windows client running ActiveState TCL. Now I wish to implement OpenSSL and specify this in the sguil.conf file on the windows client. What needs to be done here to get this to work? I tried to associate the sguil.tk file with TLS but this did not work. I also attempted to register the package with the provided DLL but this did not work either. Any ideas? Figured that this should go in the snort mailing list so that the info would be available and useful to the public.

-----Original Message-----
From: Bamm Visscher [mailto:bamm () satx rr com]
Sent: Tuesday, August 05, 2003 9:18 AM
To: snort-users () lists sourceforge net
Cc: tslighter () itc nrcs usda gov
Subject: Re: [Snort-users] snort output

I _think_ you can enable multiple output plugins in barnyard, but I have never tried. That would be the best solution. I don't see why ACID couldn't be converted to use the sguildb schema, if one decided they wanted to tackle that (huge) job.

BTW, xscriptd (the sguil component responsible for generating 'transcripts' using tcpflow) doesn't read unified files, but the binary logs created by log_packets.sh (which is just a shell script for starting snort in packet logger mode). When designing sguil, I tried coming up w/a good way for only having to run one snort proc on the sensor, but ran into problems with the way unified out is designed. I wish we could use unified alert for BY/sguil and -b (binary) for logging packets, but unified alert doesn't contain packet info. The other option would be to run one instance of snort logging all packets (log ip any any -> any any;) and alerts to unified out. Then having barnyard read the spool file and write to sguildb and pcap.

That's a lot of reading/writing and wasted IO in my opinion, although I am far from an expert on how to efficiently use resources on a sensor. Chris will probably come back and tell me what an idiot I am and that running multiple snort procs is wasting more important resources than spooling unified to pcap.

Bammkkkk

On Tue, Aug 05, 2003 at 08:13:41AM -0600, Slighter, Tim wrote:
I can understand what you are saying and what I am attempting to accomplish will most likely push the system beyond the limit. But the goal is to drop all alerts into the MySQL database, retrievable by ACID and at the same time have a unified converted to binary for tcpflow and barnyard. Have been using sguil and I suppose that the php scripts could be reconfigured in ACID to extract the sguildb data instead.
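The two sensor layouts Bamm contrasts above, written out as a Snort 2.x configuration fragment. This is an added illustration, not configuration from the thread or from the sguil project; the interface name, file names and log directory are assumptions, and only the two options Bamm names (a log-everything rule feeding unified output, versus a separate packet-logger process) are shown.

```conf
# --- Option A: one snort process (the layout Bamm calls "the other option") ---
# Every packet the sensor sees is logged, so xscriptd-style transcript
# generation can later be fed from the unified log once barnyard has
# spooled it out to pcap. Rule options are not required in Snort 2.x.
log ip any any -> any any

# Alerts and the logged packets both go to unified spool files, which
# barnyard reads and writes on to the database (sguildb/ACID) and to pcap.
# Assumed file names; 'limit' is the rollover size in MB.
output alert_unified: filename snort.alert, limit 128
output log_unified:   filename snort.log,   limit 128

# --- Option B: two snort processes (what sguil's log_packets.sh does) ---
# Process 1 runs the IDS config above minus the log-everything rule and
# writes alerts only; process 2 runs snort as a plain packet logger
# (-b, tcpdump-format binary) so packets never pass through the unified
# spool. Interface and directory are assumptions.
#   snort -c /etc/snort/snort.conf -i eth1 -D
#   snort -b -l /var/log/snort/packets -i eth1 -D
```

Option A keeps a single capture process but, as Bamm notes, every packet is written once to the unified spool and again by barnyard to pcap, which is the doubled I/O he is worried about. Option B avoids that at the cost of two processes reading the same interface, which is the trade-off the thread leaves open.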