IDS mailing list archives
RE: ISS and Snort logs
From: "Security Conscious" <mail () security-conscious com>
Date: Fri, 18 Apr 2003 15:24:58 -0400
Another option would be to use Snort's SQL Server output module and send alerts directly to the ISS SQL Server. On the ISS SQL Server you would create another database (Snort DB) with the Snort schema. Snort would alert/log to the Snort DB. You could then create triggers to do a select from (Snort DB) insert into (ISS DB) for each event added to the Snort DB. The challenge you are going to have is mapping the Snort events into the ISS meta data (e.g., classification, priority, category, etc.) and not breaking their front-end in the process. I'd also look into the licensing agreement as it pertains to this sort of customization - it could impact your licensing/support agreement.

Good luck,

Chris Petersen
Security Conscious, Inc.
www.security-conscious.com
-----Original Message-----
From: Scott M. Algatt [mailto:salgatt () turtleshell net]
Sent: Friday, April 11, 2003 7:58 PM
To: Luke Leboeuf
Cc: focus-ids () securityfocus com
Subject: RE: ISS and Snort logs

I never thought of that. Thanks Luke! This gives me somewhere to go with it. I might be able to use a combination of Snort's unified output to be able to do this. If I can get the schema, which shouldn't be too hard, I should be able to send the unified data through a little PERL magic and ship it into SiteProtector. I am also looking at doing the same thing with our ACID console. We currently have ACID and it might be a better scenario to go from the ACID console to the SiteProtector console rather than individual IDS's.

Regards,

Scott M. Algatt
Behold the turtle. He makes progress only when he sticks his neck out.

On Fri, 11 Apr 2003, Luke Leboeuf wrote:

Probably not, seeing as the event collector would not have any key for the snort sensor. However, if you could figure out some way to normalize snort's events to ISS database schema, create a DB user for the snort sensor to have write access to the SQL DB, and figure out a way for the sensor to make ODBC calls to the ISSED database to insert events, I guess, in theory, it could be possible. If you get it to work let everyone know. There are other applications that you can use to bring your snort logs and your ISS siteprotector logs into one usable database and correlation engine (like the free Acid). They usually cost a pretty penny.

Good luck!

Luke LeBoeuf
ArcSight, Inc.
(c) 571.331.5142
(e) luke () arcsight com
http://www.arcsight.com

-----Original Message-----
From: Scott M. Algatt [mailto:salgatt () turtleshell net]
Sent: Tuesday, April 08, 2003 10:26 AM
To: focus-ids () securityfocus com
Subject: ISS and Snort logs

I am trying to see if there is a way to have ISS's SiteProtector receive Snort logs realtime?

Regards,

Scott M. Algatt
Behold the turtle. He makes progress only when he sticks his neck out.

-----------------------------------------------------------
ALERT: Exploiting Web Applications - A Step-by-Step Attack Analysis
Learn why 70% of today's successful hacks involve Web Application attacks such as: SQL Injection, XSS, Cookie Manipulation and Parameter Manipulation.
http://www.spidynamics.com/mktg/webappsecurity71
--------------------------------------------------------------

------------------------------------------------------------------------------
INTRUSION PREVENTION: READY FOR PRIME TIME?
IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities - including intrusion identification, relevancy, direction, impact and analysis - enabling a path to prevention.
Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at:
http://www.securityfocus.com/IntruVert-focus-ids
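The trigger-based copy Chris Petersen describes (Snort logging to its own database, a trigger selecting each new event into the console's table) and the normalisation problem Luke raises, worked through as an added example that is not code from the thread. It uses an in-memory SQLite database in place of the SQL Server pair, Snort 2.x's real database-output table layout on the source side, and a hypothetical console_events table with an assumed priority mapping standing in for the ISS schema, which the thread never shows.

```python
import sqlite3, socket, struct

# Subset of Snort 2.x's database-output schema (create_mysql) plus a hypothetical stand-in for the
# console's event table; the real ISS table and column names are not on the page.
SCHEMA = """
CREATE TABLE sig_class (sig_class_id INTEGER PRIMARY KEY, sig_class_name TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_class_id INTEGER, sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE console_events (id INTEGER PRIMARY KEY, sensor TEXT, sig_name TEXT, category TEXT,
                             priority TEXT, src_ip TEXT, dst_ip TEXT, occurred_at TEXT);
-- Fire on iphdr, not event: Snort inserts the event row first and the IP header row after it, so a
-- trigger on event would see no addresses. Priority 1/2/3 -> High/Medium/Low is an assumed mapping.
CREATE TRIGGER copy_to_console AFTER INSERT ON iphdr
BEGIN
  INSERT INTO console_events (sensor, sig_name, category, priority, src_ip, dst_ip, occurred_at)
  SELECT 'snort-' || e.sid, s.sig_name, COALESCE(c.sig_class_name, 'unclassified'),
         CASE s.sig_priority WHEN 1 THEN 'High' WHEN 2 THEN 'Medium' ELSE 'Low' END,
         inet_ntoa(NEW.ip_src), inet_ntoa(NEW.ip_dst), e.timestamp
  FROM event e JOIN signature s ON s.sig_id = e.signature
  LEFT JOIN sig_class c ON c.sig_class_id = s.sig_class_id
  WHERE e.sid = NEW.sid AND e.cid = NEW.cid;
END;
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    # Snort stores IPv4 addresses as unsigned 32-bit ints; register a converter the trigger can call.
    conn.create_function("inet_ntoa", 1, lambda n: socket.inet_ntoa(struct.pack("!I", n)))
    conn.executescript(SCHEMA)
    return conn

def log_snort_alert(conn, sid, cid, sig, ts, src, dst):
    """Insert in Snort's own order (event row, then iphdr row), with addresses as 32-bit ints."""
    to_int = lambda a: struct.unpack("!I", socket.inet_aton(a))[0]
    conn.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid, sig, ts))
    conn.execute("INSERT INTO iphdr VALUES (?,?,?,?)", (sid, cid, to_int(src), to_int(dst)))
    conn.commit()

def console_events(conn):
    q = "SELECT sensor, sig_name, category, priority, src_ip, dst_ip FROM console_events ORDER BY id"
    return conn.execute(q).fetchall()

def demo():
    conn = open_db()
    # Constructed sample signature rows, in the shape Snort populates the signature tables itself.
    conn.execute("INSERT INTO sig_class VALUES (1, 'attempted-recon')")
    conn.execute("INSERT INTO signature VALUES (7, 'ICMP PING NMAP', 1, 2)")
    conn.execute("INSERT INTO signature VALUES (8, 'WEB-IIS cmd.exe access', NULL, 1)")
    log_snort_alert(conn, 1, 1, 7, "2003-04-11 19:58:00", "10.0.0.5", "192.168.1.20")
    log_snort_alert(conn, 1, 2, 8, "2003-04-11 19:58:02", "10.0.0.5", "192.168.1.21")
    return console_events(conn)
```

On a real SQL Server pair the same trigger would have to be checked against every column the SiteProtector front-end expects to be populated, which is the part of the mapping the thread warns is the hard one.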
Current thread:
- ISS and Snort logs Scott M. Algatt (Apr 11)
- <Possible follow-ups>
- RE: ISS and Snort logs Luke Leboeuf (Apr 11)
- RE: ISS and Snort logs Scott M. Algatt (Apr 14)
- RE: ISS and Snort logs Security Conscious (Apr 21)
- Re: ISS and Snort logs Brian (Apr 26)
- RE: ISS and Snort logs Chris Petersen (Apr 28)
- RE: ISS and Snort logs Scott M. Algatt (Apr 14)