Snort mailing list archives
Re: Snort automatic email alert
From: "Adam Ely" <adam () 780inc com>
Date: Thu, 12 Aug 2004 10:13:15 -0500 (CDT)
Sorry I missed this thread until this morning.
> Yes. MySQL/ACID does not scale. (sure, it's kinda neat if you want to browse around in a limited data set, but MySQL limitations keep you from having real historical datasets. You'll go to pcap files eventually.)
Snortnotify was written to serve those who use MySQL logging. It does not require nor use ACID in any way. Products can be written to take advantage of MySQL logging that are not web based. I personally use MySQL logging to correlate events and data mine, and it works rather well for me. Snortnotify was also released to show a framework that can be used if you decide to store data in MySQL in another manner, say process the logs off of the disk and store them in a more centralized, scalable manner.
> And mining through the snortdb schema inside MySQL for event text in order to send email alerts is kinda like bringing a hatchet to an ice cream social.
As far as mining through the snortdb schema, I like your analogy, but really the work is done for you; that's why we write software.
> instead of digging around in a browser all day trying to figure out which false alarm you're looking at this time..
I have very few false positives that I do not want to see, meaning I log and watch a lot of legitimate traffic, but unexpected false positives are very low. Another topic altogether, but I see a lot of people complain about false positives and then have very poor configs.

Thanks for the recommendation Patrick and feedback Erik.

Adam

On Fri, Aug 06, 2004 at 07:50:23PM -0500, Harper, Patrick wrote:
> Don't those all use syslog?

Yes. MySQL/ACID does not scale. (sure, it's kinda neat if you want to browse around in a limited data set, but MySQL limitations keep you from having real historical datasets. You'll go to pcap files eventually.) And mining through the snortdb schema inside MySQL for event text in order to send email alerts is kinda like bringing a hatchet to an ice cream social. Besides, if you use SEC to do this, you can spend all your time writing state engine rules so that you can use the state engine to do work for you, instead of digging around in a browser all day trying to figure out which false alarm you're looking at this time.. But if you like that sort of thing, don't let me stop you.

--
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900
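As an added example, not code from this thread, from snortnotify or from SEC: a Python sketch of the kind of threshold rule Erik suggests writing for SEC, run over Snort's syslog alert lines instead of the snortdb tables. The log lines are constructed samples, and the signature IDs and addresses in them are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the alert line Snort's syslog output produces (Classification is optional).
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: [^\]]+\] )?\[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample syslog lines; the sshd line is noise that must be ignored.
SAMPLE_LOG = """\
Aug 12 10:01:01 sensor1 snort[4242]: [1:1000001:1] TEST scan probe [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.10:40001 -> 198.51.100.5:80
Aug 12 10:01:05 sensor1 snort[4242]: [1:1000001:1] TEST scan probe [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.10:40002 -> 198.51.100.5:80
Aug 12 10:01:09 sensor1 snort[4242]: [1:1000002:1] TEST other sig [Priority: 3]: {UDP} 192.0.2.77:5353 -> 198.51.100.9:53
Aug 12 10:01:12 sensor1 snort[4242]: [1:1000001:1] TEST scan probe [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.10:40003 -> 198.51.100.5:80
Aug 12 10:03:00 sensor1 snort[4242]: [1:1000001:1] TEST scan probe [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.10:40004 -> 198.51.100.5:80
Aug 12 10:03:01 sensor1 sshd[11]: Accepted publickey for ops from 192.0.2.3
""".splitlines()

def parse_alert(line):
    """Return the fields of one Snort syslog alert, or None if the line is not one."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def correlate(lines, thresh=3, window=60):
    """SEC-style SingleWithThreshold: notify once per (sid, src) when at least
    `thresh` alerts arrive within `window` seconds; single hits stay quiet."""
    seen = defaultdict(list)   # (sid, src) -> alert timestamps still inside the window
    notified = set()
    notifications = []
    for line in lines:
        ev = parse_alert(line)
        if ev is None:
            continue
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")   # syslog timestamp prefix
        key = (ev["sid"], ev["src"])
        seen[key] = [t for t in seen[key] if (ts - t).total_seconds() <= window] + [ts]
        if len(seen[key]) >= thresh and key not in notified:
            notified.add(key)   # one notification per (sid, src), like a SEC context
            notifications.append("%s: %d hits of '%s' from %s -> %s (priority %s)" % (
                line[:15], len(seen[key]), ev["msg"], ev["src"], ev["dst"], ev["prio"]))
    return notifications

if __name__ == "__main__":
    for note in correlate(SAMPLE_LOG):
        print(note)   # in a real deployment this is where the mail would be sent
```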
Current thread:
- Re: Snort automatic email alert Adam Ely (Aug 12)