Snort mailing list archives

Re: Snort-users digest, Vol 1 #3813 - 6 msgs


From: "Arif OZGUR" <arif () islem com>
Date: Thu, 11 Dec 2003 09:37:06 +0200


----- Original Message -----
From: <snort-users-request () lists sourceforge net>
To: <snort-users () lists sourceforge net>
Sent: Thursday, December 11, 2003 6:05 AM
Subject: Snort-users digest, Vol 1 #3813 - 6 msgs


Send Snort-users mailing list submissions to
snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
snort-users-request () lists sourceforge net

You can reach the person managing the list at
snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Snort, Mysql purging (Jack Snedecor)
   2. Database output (Erwin Van de Velde)
   3. Visual Basic excel graph (Mario Guerendo)
   4. Re: Snort, Mysql purging (Josh Berry)
   5. Re: Snort, Mysql purging (Frank Knobbe)
   6. src/snortman.tex (Ted Rolle)

--__--__--

Message: 1
From: Jack Snedecor <jsnedecor () geninfo com>
To: snort-users () lists sourceforge net
Date: Wed, 10 Dec 2003 18:11:18 -0500
Subject: [Snort-users] Snort, Mysql purging

New user....



I have installed snort, mysql and acid per the published instructions.
Works great.

I am by no means an expert at any of these though.

What I have not found is a method to purge the database on a regular
schedule.

I had a minor welchia virus this week that drove the database size way up.
Now acid is taking mins. to build pages.  Can someone point me in the right
direction?



Jack Snedecor

GiS

VP, Network Operations Group

-----Original Message-----
From: Sp0oKeR Labs [mailto:spooker () spooker com br]
Sent: Wednesday, December 10, 2003 6:47 PM
To: Grammer, Christopher S; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Remote NIDS



At your snort.conf, in all sensors use:



output database: log, mysql, user=user_snort password=pass_snort
dbname=db_snort host=ip_server_mysql_acid



You can create the snort database with create_mysql in the contrib/ directory.

Best Regards,



Sp0oKeR

----- Original Message -----

From: Grammer, Christopher S <mailto:christopher.grammer () eds com>

To: snort-users () lists sourceforge net
<mailto:snort-users () lists sourceforge net>

Sent: Wednesday, December 10, 2003 7:03 PM

Subject: [Snort-users] Remote NIDS



I am looking for a method to have remote NIDS log alerts to a central
SNORT/Acid box running MySQL and Redhat 9.0.

Anyone have a link for docs on this or recommendations?



Chris



--__--__--

Message: 2
From: Erwin Van de Velde <erwin.vandevelde () ua ac be>
To: snort-users () lists sourceforge net
Date: Thu, 11 Dec 2003 00:14:37 +0100
Subject: [Snort-users] Database output

Hi,

I'm using a postgresql database to store the output of my snort sensors, but
what happens if the database is temporarily unavailable (for instance,
connecting fails due to a heavy load on network / database)? Does snort keep
the queries for sending when database connectivity is restored? Or are these
queries dropped?

In my opinion, storing these queries temporarily is the safest solution, as we
must certainly log data when a severe attack on our network takes place...
And then chances are bigger that we can't connect to the database
immediately.

And does snort open a database connection for every query it sends? Or is
there some sort of persistent connection (for example one that times out
after 1 minute of inactivity, closing the connection then)...

I'd like to use SSL connections to the database, using stunnel, but opening a
connection for every query would have severe consequences for network and
server.

Thanks in advance,

Erwin Van de Velde
Student of Antwerp University
Belgium



--__--__--

Message: 3
From: "Mario Guerendo" <m.guerendo () comcast net>
To: <snort-users () lists sourceforge net>
Date: Wed, 10 Dec 2003 18:31:16 -0500
Subject: [Snort-users] Visual Basic excel graph

Hello everyone,



I have a little project, I am trying to have a script/program that would
data on attacks, Denial of Service attacks to be precise.  I would like to
dump the data in an Excel spreadsheet and create a pie chart / bar graph.
Anyone willing to help?  I am willing to pay a few bucks for this.



Thx for the help.









--__--__--

Message: 4
Date: Wed, 10 Dec 2003 17:36:39 -0600 (CST)
Subject: Re: [Snort-users] Snort, Mysql purging
From: "Josh Berry" <josh.berry () netschematics com>
To: "Jack Snedecor" <jsnedecor () geninfo com>
Cc: snort-users () lists sourceforge net

I HIGHLY suggest NOT deleting the information.  I suggest having a
secondary archive db that you move stuff like Welchia to when you think
you don't need it anymore.  That way you can keep the data and free up
resources on your primary DB.  Then if you really need to delete the data
you can on the archive.

Acid provides a drop-down bar to allow you to delete any query you run but
if you really want to purge the DB then use a truncate table [table_name]
command in MySQL.

Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com



--__--__--

Message: 5
Subject: Re: [Snort-users] Snort, Mysql purging
From: Frank Knobbe <frank () knobbe us>
To: snort-users () lists sourceforge net
Cc: Jack Snedecor <jsnedecor () geninfo com>, Josh Berry
<josh.berry () netschematics com>
Date: Wed, 10 Dec 2003 17:56:46 -0600


On Wed, 2003-12-10 at 17:36, Josh Berry wrote:
I HIGHLY suggest NOT deleting the information.  I suggest having a
secondary archive db that you move stuff like Welchia to when you think
you don't need it anymore.

I guess that all depends on your or your company's policy. You can dump
certain data. I routinely dump the contents of the DATA table for
certain signatures after a period of time. I don't see a reason to keep
the same exact content for, say, the SQL-Slammer in the DB. Other
content (IPHDR and friends) is archived. But certain ballast is dumped.

You need to consider the usefulness of the data. Will you ever go back
to data from IPHDR for an event that occurred a year ago?

Perhaps this thread can evolve into a DB/data retention policy thread.
To yell categorically "yes" or "no" is wrong. The correct answer is
"depends" :)

Cheers,
Frank


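The two approaches in this thread (Josh's "move it to an archive DB first, delete from the archive later" and Frank's "dump the DATA table contents for certain signatures after a period, keep IPHDR and friends") can be combined into one selective, re-runnable purge. The following is an added example written for this digest, not code posted by any of the participants. It assumes the standard Snort database schema as created by create_mysql (tables event(sid, cid, signature, timestamp), signature(sig_id, sig_name) and data(sid, cid, data_payload)); the archive table name data_archive, the 30-day window and the '%Welchia%' name pattern are constructed values to be replaced with your own retention policy.

```sql
-- Added example: archive, then purge, the payloads of one signature family
-- once they are older than a retention window. Only the data table is
-- touched; event and iphdr rows stay, so the timeline and headers survive.
-- Schema assumption: standard Snort tables event, signature, data (create_mysql).

-- 1. One-time: an archive table with the same layout as data.
CREATE TABLE IF NOT EXISTS data_archive (
  sid          INT UNSIGNED NOT NULL,
  cid          INT UNSIGNED NOT NULL,
  data_payload TEXT,
  PRIMARY KEY (sid, cid)
);

-- 2. Look before you leap: how many payload rows the policy would move.
--    '%Welchia%' and 30 DAY are placeholders for your own rule names/window.
SELECT COUNT(*) AS rows_to_move
  FROM data
  JOIN event     ON event.sid = data.sid AND event.cid = data.cid
  JOIN signature ON signature.sig_id = event.signature
 WHERE signature.sig_name LIKE '%Welchia%'
   AND event.timestamp < DATE_SUB(NOW(), INTERVAL 30 DAY);

-- 3. Copy matching payloads into the archive. INSERT IGNORE plus the
--    primary key make a re-run harmless: already-archived rows are skipped.
INSERT IGNORE INTO data_archive (sid, cid, data_payload)
SELECT data.sid, data.cid, data.data_payload
  FROM data
  JOIN event     ON event.sid = data.sid AND event.cid = data.cid
  JOIN signature ON signature.sig_id = event.signature
 WHERE signature.sig_name LIKE '%Welchia%'
   AND event.timestamp < DATE_SUB(NOW(), INTERVAL 30 DAY);

-- 4. Delete from the live table only rows that now exist in the archive,
--    so a failed copy never results in a lost payload.
DELETE data
  FROM data
  JOIN data_archive ON data_archive.sid = data.sid
                   AND data_archive.cid = data.cid;

-- 5. Sanity check after the run: nothing should be in both tables.
SELECT COUNT(*) AS still_in_both
  FROM data
  JOIN data_archive ON data_archive.sid = data.sid
                   AND data_archive.cid = data.cid;
```

Saved as a .sql file, this can be fed to the mysql client from cron for the regular schedule Jack asked about, one copy per signature family and window your retention policy defines. Unlike a blanket TRUNCATE TABLE, it leaves the events ACID still needs and removes only the bulk payload that makes page builds slow; when the archive itself has outlived its usefulness, that is the table to delete from.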



--__--__--

Message: 6
Date: Wed, 10 Dec 2003 21:16:53 -0600 (CST)
From: Ted Rolle <ted () php net>
To: snort-users () lists sourceforge net
Subject: [Snort-users] src/snortman.tex

Where is src/snortman.tex?  It's mentioned in the Snort docs, but I've not
found it.  Even after a Google search.  Also is there an HTML version of
the docs with hyperlinking?

Thanks



--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

