Security Basics mailing list archives
Re: network audit
From: Bear Giles <bgiles () coyotesong com>
Date: Wed, 26 Mar 2003 13:50:34 -0700
Eckhardt, Rodolpho H. O. wrote:
> I would say Snort <www.snort.org> is a good choice! Although it is not a traffic analyser, you can use it to log traffic (with/out data). You can record it into MySQL.
It can also log into PostgreSQL and other databases. I mention this since MySQL is rather weak on the advanced database features. You can probably define the joins yourself in your scripts (although some of mine do include some subselect clauses), but that's error-prone and hard to maintain. With PostgreSQL and others, you can set up some views and have
PostgreSQL supports triggers, views, insertion rules, subselects, etc. This makes the database much easier to work with since my views fold in the human-readable content, or compute some useful item.
Below are several sample views... I wish I had documented better what they're supposed to do. :-) I'm pretty sure 'snort1' creates a view that provides the event signature and frequency count. Snort2 is a view that can best be described as "ipevents," and snort3 folds in a description of that event.
Bear
-- snort1: one row per signature with its event count, plus the signature
-- and class details
create view snort1 as
select * from
(select sig_id,count(*) from event join signature
on event.signature=signature.sig_id group by sig_id) as f
natural join signature -- adds rest of data
natural join sig_class -- adds sig_class_name
;
-- snort1b: signature references joined to their reference systems
create view snort1b as
select * from sig_reference
natural join reference
natural join reference_system
;
-- snort2: "ipevents", each event with its IP header
create view snort2 as
select * from event natural join iphdr;
-- snort3: snort2 with the signature name and class folded in
create view snort3 as
select * from
event join signature
on event.signature=signature.sig_id
natural join sig_class -- adds sig_class_name
natural join snort2
;
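The views above assume a live Snort database. As an added example, not part of the post, the following Python script rebuilds the same idea against a reduced copy of the Snort schema (tables event, signature, sig_class and iphdr with only the columns needed here; the column names follow Snort's schema, but the cut-down table set and the sample alerts are constructed for this demo), using SQLite as a stand-in for PostgreSQL. It defines the equivalents of snort1, snort2 and snort3 with the count column named and the output reduced to the human-readable fields, loads a few constructed alerts, and queries the views; the function and view names are my own.

```python
import ipaddress
import sqlite3

# Reduced Snort database schema (an assumption for a stand-alone demo: the real
# schema has more tables and columns). SQLite stands in for PostgreSQL.
SCHEMA = """
CREATE TABLE sig_class (
    sig_class_id   INTEGER PRIMARY KEY,
    sig_class_name TEXT NOT NULL
);
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY,
    sig_name     TEXT NOT NULL,
    sig_class_id INTEGER REFERENCES sig_class,
    sig_priority INTEGER
);
CREATE TABLE event (
    sid       INTEGER,                 -- sensor id
    cid       INTEGER,                 -- per-sensor event counter
    signature INTEGER REFERENCES signature,
    timestamp TEXT,
    PRIMARY KEY (sid, cid)
);
CREATE TABLE iphdr (
    sid      INTEGER,
    cid      INTEGER,
    ip_src   INTEGER,                  -- IPv4 address stored as an unsigned 32-bit int
    ip_dst   INTEGER,
    ip_proto INTEGER,
    PRIMARY KEY (sid, cid)
);
"""

# Equivalents of the post's snort1 / snort2 / snort3 views, with the count
# column named and only the columns an analyst reads selected.
VIEWS = """
CREATE VIEW sig_counts AS
    SELECT f.sig_id, sig_name, sig_class_name, sig_priority, n_events
    FROM (SELECT sig_id, COUNT(*) AS n_events
          FROM event JOIN signature ON event.signature = signature.sig_id
          GROUP BY sig_id) AS f
    NATURAL JOIN signature
    NATURAL JOIN sig_class;

CREATE VIEW ip_events AS
    SELECT * FROM event NATURAL JOIN iphdr;

CREATE VIEW described_events AS
    SELECT event.sid, event.cid, event.timestamp, sig_name, sig_class_name,
           sig_priority, ip_src, ip_dst, ip_proto
    FROM event JOIN signature ON event.signature = signature.sig_id
    NATURAL JOIN sig_class
    NATURAL JOIN ip_events;
"""


def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(n):
    return str(ipaddress.IPv4Address(n))


def build_db():
    """Create the schema and views and load a few constructed alerts."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA + VIEWS)
    con.executemany("INSERT INTO sig_class VALUES (?, ?)",
                    [(1, "attempted-recon"), (2, "web-application-attack")])
    con.executemany("INSERT INTO signature VALUES (?, ?, ?, ?)",
                    [(1, "ICMP PING NMAP", 1, 2),
                     (2, "WEB-MISC /etc/passwd", 2, 1)])
    # Constructed sample alerts from sensor 1: (sid, cid, signature, timestamp, src, dst, proto)
    events = [
        (1, 1, 1, "2003-03-26 13:00:01", "10.0.0.5", "192.168.1.10", 1),
        (1, 2, 1, "2003-03-26 13:00:02", "10.0.0.5", "192.168.1.11", 1),
        (1, 3, 2, "2003-03-26 13:05:00", "10.0.0.7", "192.168.1.20", 6),
        (1, 4, 1, "2003-03-26 13:07:30", "10.0.0.9", "192.168.1.12", 1),
    ]
    for sid, cid, sig, ts, src, dst, proto in events:
        con.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig, ts))
        con.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?, ?)",
                    (sid, cid, ip_to_int(src), ip_to_int(dst), proto))
    con.commit()
    return con


def signature_frequency(con):
    """(signature name, class name, hit count) tuples, most frequent first."""
    return con.execute(
        "SELECT sig_name, sig_class_name, n_events FROM sig_counts "
        "ORDER BY n_events DESC, sig_name").fetchall()


def events_for_class(con, class_name):
    """Readable (cid, timestamp, signature, src, dst) rows for one signature class."""
    rows = con.execute(
        "SELECT cid, timestamp, sig_name, ip_src, ip_dst FROM described_events "
        "WHERE sig_class_name = ? ORDER BY cid", (class_name,)).fetchall()
    return [(cid, ts, name, int_to_ip(src), int_to_ip(dst))
            for cid, ts, name, src, dst in rows]


if __name__ == "__main__":
    con = build_db()
    for row in signature_frequency(con):
        print(row)
    for row in events_for_class(con, "attempted-recon"):
        print(row)
```

The point of the views is the same as in the post: the scripts that report on alerts only ever query sig_counts and described_events, so the join logic lives in one place in the database rather than being repeated (and drifting) across scripts.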