IDS mailing list archives

Re: ISS and Snort logs


From: Brian <bmc () snort org>
Date: Fri, 25 Apr 2003 09:19:49 -0400

On Fri, Apr 18, 2003 at 03:24:58PM -0400, Security Conscious wrote:
> Another option would be to use Snort's SQL Server output module and send
> alerts directly to the ISS SQL Server.  On the ISS SQL Server you would
> create another database (Snort DB) with the Snort schema.  Snort would
> alert/log to the Snort DB.  You could then create triggers to do a
> select from (Snort DB) insert into (ISS DB) for each event added to the
> Snort DB.

A cheaper/uglier option is to have snort log via syslog and use ISS's 
HIDS component and add signatures in the HIDS for each snort rule you
enable.  Since you wouldn't be mucking with the underpinnings of ISS's
database, you will not get into support/licensing issues.  You know the 
type:

   "Oh, you did what to the database?  OK, first thing.  Reinstall."

You are running an IDS on NT, so you should be used to this already. ;P

Anyway, using the syslog method would be easier to set up initially but
would require more maintenance, as when new rules are added to snort you
will need to add rules to your HIDS.   But at least you won't have to pay
your DBA more than you already do.

That, or you could look at getting an ESM type product that actually 
handles all of this foo for you.  There are dozens of products that 
attempt to accomplish your specific problem.

-brian
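The trigger-based copy described in the quoted message, written out as an added example (this is not code from the original post, from Snort, or from ISS). It assumes SQL Server 2000-era T-SQL, a database named SnortDB created from Snort's create_mssql schema (tables event, signature, iphdr with the column names Snort uses), and an ISS database named ISSDB on the same server. The target table ISSDB.dbo.SnortEvents and its column names are placeholders: the real ISS schema is not given anywhere in the thread, and writing into ISS's own tables is exactly what the reply warns may cost you support.

```sql
-- Added example, not part of the original post or of Snort/ISS.
-- Assumes: SQL Server (T-SQL), SnortDB built from Snort's create_mssql schema,
-- ISSDB on the same instance. ISSDB.dbo.SnortEvents and its columns are
-- placeholders for whatever the ISS side actually expects.
USE SnortDB
GO

-- Anchored on iphdr rather than event so that the event and signature rows
-- already exist when the trigger fires and can be joined. Events that carry
-- no IP header (non-IP preprocessor alerts) are therefore not copied here.
CREATE TRIGGER dbo.trg_copy_to_iss ON dbo.iphdr
AFTER INSERT
AS
BEGIN
    SET NOCOUNT ON

    -- Set-based on the virtual "inserted" table: a single statement may
    -- insert many rows, so never pull one row into scalar variables.
    INSERT INTO ISSDB.dbo.SnortEvents
        (sensor_id, event_id, event_time, sig_name, sig_priority,
         src_ip, dst_ip, ip_proto)
    SELECT  e.sid,
            e.cid,
            e.[timestamp],
            s.sig_name,
            s.sig_priority,
            i.ip_src,          -- Snort stores addresses as integers,
            i.ip_dst,          -- not dotted quads; convert on the ISS side
            i.ip_proto
    FROM    inserted i
    JOIN    dbo.event     e ON e.sid = i.sid AND e.cid = i.cid
    JOIN    dbo.signature s ON s.sig_id = e.signature
    LEFT JOIN ISSDB.dbo.SnortEvents x
           ON x.sensor_id = e.sid AND x.event_id = e.cid
    WHERE   x.event_id IS NULL   -- idempotent if an event is ever re-logged
END
GO
```

On the Snort side the matching output line in snort.conf is of the form `output database: alert, mssql, user=snort password=... dbname=SnortDB host=...`; the account it logs in as needs INSERT on the Snort tables only, since the trigger runs in the database's own context, and that account should not be the one ISS itself uses. Keep the trigger's work small (one insert, no lookups outside the two databases); anything slow in an AFTER INSERT trigger holds Snort's logging transaction open and the sensor will start dropping output under load.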
