Security Basics mailing list archives
Re: network audit
From: Bear Giles <bgiles () coyotesong com>
Date: Wed, 26 Mar 2003 13:50:34 -0700
Eckhardt, Rodolpho H. O. wrote:
I would say Snort <www.snort.org> is a good choice! Although it is not a traffic analyser, you can use it to log traffic (with/out data). You can record it into MySQL.
It can also log into PostgreSQL and other databases. I mention this since MySQL is rather weak on the advanced database features. You can probably define the joins yourself in your scripts (although some of mine do include some subselect clauses), but that's error prone and hard to maintain. With PostgreSQL and others, you can set up some views and have
PostgreSQL supports triggers, views, insertion rules, subselects, etc. This makes the database much easier to work with since my views fold in the human-readable content, or compute some useful item.
Below are several sample views... I wish I had documented better what they're supposed to do. :-) I'm pretty sure 'snort1' creates a view that provides the event signature and frequency count. snort2 is a view that can best be described as "ipevents," and snort3 folds in a description of that event.
Bear

create view snort1 as
  select * from (
    select sig_id, count(*)
    from event join signature on event.signature = signature.sig_id
    group by sig_id
  ) as f
  natural join signature    -- adds rest of data
  natural join sig_class    -- adds sig_class_name
;

create view snort1b as
  select * from sig_reference
  natural join reference
  natural join reference_system
;

create view snort2 as
  select * from event natural join iphdr;

create view snort3 as
  select * from event join signature on event.signature = signature.sig_id
  natural join sig_class    -- adds sig_class_name
  natural join snort2
;
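An added example, not code from the post or from the Snort project, that rebuilds the snort1, snort2 and snort3 views from the message on a reduced copy of the Snort alert schema in SQLite (which also supports NATURAL JOIN, views and triggers), loads a few constructed alerts, and reads the per-signature counts and the "ipevents" back out. Everything beyond the view definitions is an assumption: the column subset of each table, the sample rows, the `hits` alias on the count, and the `sig_hits` table with its trigger, added only to show the kind of bookkeeping the post says the database rather than the reporting script should do.

```python
"""Snort alert views rebuilt on SQLite (added example, not the list post's code)."""
import ipaddress
import sqlite3

# Constructed subset of the Snort database schema: columns reduced to what the views touch.
SCHEMA = """
create table sig_class (sig_class_id integer primary key, sig_class_name text not null);
create table signature (sig_id integer primary key, sig_name text not null,
                        sig_class_id integer references sig_class, sig_priority integer);
create table event (sid integer, cid integer, signature integer references signature,
                    timestamp text, primary key (sid, cid));
create table iphdr (sid integer, cid integer, ip_src integer, ip_dst integer,
                    ip_proto integer, primary key (sid, cid));

-- snort1: hit count per signature, with the signature row and class name folded in
create view snort1 as
select * from (select sig_id, count(*) as hits
               from event join signature on event.signature = signature.sig_id
               group by sig_id) as f
natural join signature
natural join sig_class;

-- snort2: each event joined to its IP header ("ipevents")
create view snort2 as select * from event natural join iphdr;

-- snort3: snort2 plus the signature and class description of the event
create view snort3 as
select * from event join signature on event.signature = signature.sig_id
natural join sig_class
natural join snort2;

-- Assumed addition: a running per-signature counter maintained by a trigger,
-- so the count is computed by the database on insert instead of by a script.
create table sig_hits (sig_id integer primary key, hits integer not null);
create trigger count_event after insert on event begin
  insert or ignore into sig_hits (sig_id, hits) values (new.signature, 0);
  update sig_hits set hits = hits + 1 where sig_id = new.signature;
end;
"""

# Constructed sample alerts: three pings from 192.168.1.1 and one probe from 10.0.0.1,
# all aimed at 192.168.1.100. IP addresses are stored as integers, as Snort does.
SAMPLE = """
insert into sig_class values (1, 'misc-activity'), (2, 'attempted-recon');
insert into signature values (1, 'SAMPLE ICMP echo request', 1, 3),
                             (2, 'SAMPLE portscan probe', 2, 2);
insert into event values (1, 1, 1, '2003-03-26 10:00:00'),
                         (1, 2, 1, '2003-03-26 10:00:05'),
                         (1, 3, 2, '2003-03-26 10:01:00'),
                         (1, 4, 1, '2003-03-26 10:02:00');
insert into iphdr values (1, 1, 3232235777, 3232235876, 1),
                         (1, 2, 3232235777, 3232235876, 1),
                         (1, 3, 167772161, 3232235876, 6),
                         (1, 4, 3232235777, 3232235876, 1);
"""


def build_db():
    """Create the schema, views and trigger in memory and load the sample alerts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executescript(SAMPLE)
    return conn


def signature_counts(conn):
    """(sig_name, sig_class_name, hits) from snort1, busiest signature first."""
    return conn.execute(
        "select sig_name, sig_class_name, hits from snort1 order by hits desc, sig_id"
    ).fetchall()


def ip_events(conn, sig_class_name):
    """Events of one class from snort3, with the integer addresses rendered as dotted quads."""
    rows = conn.execute(
        "select timestamp, ip_src, ip_dst, sig_name from snort3 "
        "where sig_class_name = ? order by timestamp",
        (sig_class_name,),
    )
    return [(ts, str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)), name)
            for ts, src, dst, name in rows]


def trigger_counts(conn):
    """The counter table the trigger maintains, as {sig_id: hits}."""
    return dict(conn.execute("select sig_id, hits from sig_hits"))


if __name__ == "__main__":
    db = build_db()
    for row in signature_counts(db):
        print(row)
    for row in ip_events(db, "misc-activity"):
        print(row)
    print(trigger_counts(db))
```

The snort1 view and the trigger-maintained sig_hits table give the same counts here; the difference is where the work happens. The view recomputes the GROUP BY on every read, which is fine for ad hoc reporting, while the trigger pays the cost once per insert and is the better fit when a dashboard polls the count continuously.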
Current thread:
- network audit avi koren (Mar 10)
- Re: network audit Eckhardt, Rodolpho H. O. (Mar 11)
- Re: network audit Bear Giles (Mar 27)
- RE: network audit Burton M. Strauss III (Mar 11)
- Re: network audit Talisker (Mar 11)
- <Possible follow-ups>
- RE: network audit Marendra Nutriaji (Mar 11)
- RE: network audit Trevor Cushen (Mar 11)
- RE: network audit YashPal Singh (Mar 12)
- Re: network audit Eckhardt, Rodolpho H. O. (Mar 11)