Snort mailing list archives

RE: snort output


From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Tue, 5 Aug 2003 09:34:51 -0600

Tried to send an email with the following question...

I have the OpenSSL configured and working from the consolidated sguil
system.  I can access it fine from this system via OpenSSL.  I was previously
using the sguild -u -c options and was accessing the sguil system from a
Windows client running ActiveState TCL.  Now I wish to implement OpenSSL and
specify this in the sguil.conf file on the Windows client.  What needs to be
done here to get this to work?  I tried to associate the sguil.tk file with
TLS but this did not work.  I also attempted to register the package with
the provided DLL but this did not work either.  Any ideas?

Figured that this should go in the snort mailing list so that the info would
be available and useful to the public.

-----Original Message-----
From: Bamm Visscher [mailto:bamm () satx rr com]
Sent: Tuesday, August 05, 2003 9:18 AM
To: snort-users () lists sourceforge net
Cc: tslighter () itc nrcs usda gov
Subject: Re: [Snort-users] snort output


I _think_ you can enable multiple output plugins in barnyard, but I have
never tried. That would be the best solution.  I don't see why ACID couldn't
be converted to use the sguildb schema, if one decided they wanted to tackle
that (huge) job.  BTW, xscriptd (the sguil component responsible for
generating 'transcripts' using tcpflow) doesn't read unified files, but the
binary logs created by log_packets.sh (which is just a shell script for
starting snort in packet logger mode).  When designing sguil, I tried coming
up w/a good way for only having to run one snort proc on the sensor, but ran
into problems with the way unified out is designed. I wish we could use
unified alert for BY/sguil and -b (binary) for logging packets, but unified
alert doesn't contain packet info. The other option would be to run one
instance of snort logging all packets (log ip any any -> any any;) and
alerts to unified out. Then having barnyard read the spool file and write to
sguildb and pcap.  That's a lot of reading/writing and wasted IO in my
opinion, although I am far from an expert on how to efficiently use
resources on a sensor. Chris will probably come back and tell me what an
idiot I am and that running multiple snort procs is wasting more important
resources than spooling unified to pcap.

Bammkkkk
 
On Tue, Aug 05, 2003 at 08:13:41AM -0600, Slighter, Tim wrote:
> I can understand what you are saying and what I am attempting to accomplish
> will most likely push the system beyond the limit.  But the goal is to drop
> all alerts into the MySQL database, retrievable by ACID and at the same time
> have a unified converted to binary for tcpflow and barnyard.  Have been
> using sguil and I suppose that the php scripts could be reconfigured in ACID
> to extract the sguildb data instead.
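The single-sensor alternative Bamm sketches above (one snort process, every packet to a unified log spool, alerts to a unified alert spool), written out as a snort.conf fragment. This is an added illustration, not configuration from the sguil project or from either poster; the spool filenames and the 128 MB rollover limit are assumed values.

```conf
# Added illustration; filenames and the 128 MB limit are assumed values.
# Alerts are spooled in unified alert format for barnyard to pick up and
# write into sguildb (unified alert carries no packet payload).
output alert_unified: filename snort.alert, limit 128

# Full packets go to the unified log spool, so tcpflow/xscriptd can be fed
# from pcap that barnyard writes back out of this spool.
output log_unified: filename snort.log, limit 128

# Catch-all log rule from the message above: log every IP packet.
log ip any any -> any any
```

Barnyard then has to read both spools and write both sguildb and pcap, which is the extra reading and writing Bamm objects to; log_packets.sh avoids it by running a second snort in plain packet-logger mode.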


