Snort mailing list archives

Re: view alerts in base


From: Dominique Karg <dk () ossim net>
Date: Wed, 22 Apr 2009 09:44:00 +0200


Hello,

I'd like to throw another alternative and some comments into this thread.

On 22.04.2009 at 04:38, Paul Schmehl wrote:

--On April 21, 2009 8:45:01 PM -0500 David Kingsly
<davidkingsly () verizon net> wrote:

The name acid is a legacy from the software that BASE is derived from.

Here's my operational system:

mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|     6881 |
+----------+
1 row in set (0.00 sec)

mysql> select count(*) from acid_event;
+----------+
| count(*) |
+----------+
|     6880 |
+----------+
1 row in set (0.00 sec)

As you can see the number of alerts is different.  Whether snort feeds
mysql directly *or* barnyard parses the unified format and feeds mysql,
the result is the same - events are entered into the *snort* database.
The BASE install adds the four acid_* tables.  Those tables are fed by
base, not by snort or barnyard.  So, if the snort db event table has
entries but the acid_event table does not, the problem is BASE not snort,
mysql or barnyard.

Both direct Snort DB insertion as well as Barnyard require the BASE  
caching process (which basically aggregates data from 'tcphdr, udphdr,  
icmphdr, event, sensor and signature' into 'acid_event') in order to  
consolidate the data inserted by (possibly) multiple Snort or Barnyard  
deployments.

At OSSIM we changed this behaviour and aggregate events at correlation  
engine level, receiving data from multiple agents (which in turn parse  
multiple snorts logging using unified format), aggregating it and  
filling in all the tables from a central point, removing the caching  
process and thus enabling realtime visualization of that data. Our  
requirements, both in terms of performance and data visualization made  
us maintain a patch against BASE for many years, but we recently  
decided to fork it into our codebase since it would be easier to  
maintain.

You're more than welcome to give it a shot.

Greetings,

Dominique
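The thread compares bare counts of `event` and `acid_event`. The queries below, added here as an illustration and not taken from the thread or from BASE itself, locate the rows that sit in Snort's `event` table but were never copied into `acid_event` by the BASE caching process, so the gap can be attributed to a sensor or time window instead of just being observed. They assume the stock Snort schema (`event(sid, cid, signature, timestamp)`, `signature(sig_id, sig_name)`, `sensor(sid, hostname)`) and that BASE keys `acid_event` on the same `(sid, cid)` pair; check both against your own `DESCRIBE` output.

```sql
-- 1. Size of the gap, computed in one statement instead of two counts.
--    Assumes event and acid_event share the (sid, cid) key (BASE convention).
SELECT COUNT(*) AS events_total,
       SUM(a.cid IS NULL) AS not_cached
FROM event e
LEFT JOIN acid_event a ON a.sid = e.sid AND a.cid = e.cid;

-- 2. The actual uncached rows, newest first, with the rule name resolved
--    through the signature table so the output is readable.
SELECT e.sid, e.cid, e.timestamp, s.sig_name
FROM event e
JOIN signature s ON s.sig_id = e.signature
LEFT JOIN acid_event a ON a.sid = e.sid AND a.cid = e.cid
WHERE a.cid IS NULL
ORDER BY e.timestamp DESC
LIMIT 20;

-- 3. Per-sensor breakdown: if only one sid lags, the cache run for that
--    sensor (or a Barnyard instance feeding it) is the place to look;
--    if every sensor lags by the same recent window, the cache has simply
--    not run since those events arrived.
SELECT sn.sid, sn.hostname,
       COUNT(*) AS events_total,
       SUM(a.cid IS NULL) AS not_cached,
       MIN(CASE WHEN a.cid IS NULL THEN e.timestamp END) AS oldest_uncached
FROM sensor sn
JOIN event e ON e.sid = sn.sid
LEFT JOIN acid_event a ON a.sid = e.sid AND a.cid = e.cid
GROUP BY sn.sid, sn.hostname
ORDER BY not_cached DESC;
```

On the numbers quoted above (6881 versus 6880) the first query should report `not_cached = 1`, and the second shows which event it is; a steadily growing `not_cached` with a recent `oldest_uncached` points at the BASE cache not being triggered rather than at Snort or Barnyard.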

