IDS mailing list archives
Re: ISS and Snort logs
From: Brian <bmc () snort org>
Date: Fri, 25 Apr 2003 09:19:49 -0400
On Fri, Apr 18, 2003 at 03:24:58PM -0400, Security Conscious wrote:
Another option would be to use Snort's SQL Server output module and send alerts directly to the ISS SQL Server. On the ISS SQL Server you would create another database (Snort DB) with the Snort schema. Snort would alert/log to the Snort DB. You could then create triggers to do a select from (Snort DB) insert into (ISS DB) for each event added to the Snort DB.
A cheaper/uglier option is to have snort log via syslog and use ISS's HIDS component and add signatures in the HIDS for each snort rule you enable. Since you wouldn't be mucking with the underpinnings of ISS's database, you will not get into support/licensing issues. You know the type: "Oh, you did what to the database? OK, first thing. Reinstall." You are running an IDS on NT, so you should be used to this already. ;P

Anyway, the syslog method would be easier to set up initially but would require more maintenance, as when new rules are added to snort, you will need to add rules to your HIDS. But at least you won't have to pay your DBA more than you already do.

That, or you could look at getting an ESM type product that actually handles all of this foo for you. There are dozens of products that attempt to accomplish your specific problem.

-brian
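The trigger-based copy described in the quoted message (Snort logging to its own database on the ISS SQL Server, with a trigger pushing each new event into the ISS database), as an added T-SQL example that is not part of the original thread. It assumes the standard Snort schema (`event`, `signature`) loaded into a database named `SnortDB`; the target table `ISSDB.dbo.ExternalEvents` and its columns are placeholders, since the thread does not give the ISS schema.

```sql
-- Added example, not from the thread. Assumes the Snort schema lives in
-- SnortDB on the same SQL Server instance as the ISS database, and that
-- the Snort output plugin writes the event row before the per-protocol
-- header rows (iphdr, tcphdr, ...), so only event and signature data are
-- copied here. ISSDB.dbo.ExternalEvents is a PLACEHOLDER target table.
USE SnortDB;
GO

CREATE TRIGGER dbo.trg_snort_event_to_iss
ON dbo.[event]
AFTER INSERT
AS
BEGIN
    SET NOCOUNT ON;

    -- "inserted" holds every row added by the firing statement, so this
    -- stays correct for multi-row inserts rather than assuming one event.
    INSERT INTO ISSDB.dbo.ExternalEvents
        (source, sensor_id, event_id, event_time, sig_name, sig_priority)
    SELECT
        'snort',            -- tag the origin so ISS-side reports can filter
        i.sid,              -- Snort sensor id
        i.cid,              -- per-sensor event counter
        i.[timestamp],
        s.sig_name,
        s.sig_priority
    FROM inserted AS i
    -- LEFT JOIN so an event whose signature row is not yet present is
    -- still forwarded rather than silently dropped.
    LEFT JOIN dbo.signature AS s ON s.sig_id = i.signature;
END;
GO
```

Because the trigger runs inside Snort's INSERT, a failure on the ISS side (permissions, a renamed column) rolls back the Snort row as well, so test it against a copy of the ISS database before pointing production sensors at it.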