IDS mailing list archives

RE: ISS and Snort logs


From: Luke Leboeuf <luke () arcsight com>
Date: Fri, 11 Apr 2003 15:14:10 -0700

Probably not, seeing as the event collector would not have any key for the
Snort sensor. However, if you could figure out some way to normalize Snort's
events to the ISS database schema, create a DB user for the Snort sensor to have
write access to the SQL DB, and figure out a way for the sensor to make ODBC
calls to the ISSED database to insert events, I guess, in theory, it could
be possible. If you get it to work, let everyone know. There are other
applications that you can use to bring your Snort logs and your ISS
SiteProtector logs into one usable database and correlation engine (like
the free Acid). They usually cost a pretty penny. Good luck!

Luke LeBoeuf
ArcSight, Inc.
(c) 571.331.5142
(e) luke () arcsight com
http://www.arcsight.com



-----Original Message-----
From: Scott M. Algatt [mailto:salgatt () turtleshell net] 
Sent: Tuesday, April 08, 2003 10:26 AM
To: focus-ids () securityfocus com
Subject: ISS and Snort logs

I am trying to see if there is a way to have ISS's SiteProtector receive
Snort logs in real time?


Regards,

Scott M. Algatt

Behold the turtle. He makes progress only when he sticks his neck out.


-----------------------------------------------------------
ALERT: Exploiting Web Applications- A Step-by-Step Attack Analysis
Learn why 70% of today's successful hacks involve Web Application
attacks such as: SQL Injection, XSS, Cookie Manipulation and Parameter 
Manipulation.
http://www.spidynamics.com/mktg/webappsecurity71
