Snort mailing list archives

Re: adding other alert types to the ACID db


From: roman () danyliw com
Date: Thu, 23 Aug 2001 15:26:31 US/Eastern

Bret,

It all depends on what you mean by host IDS output.  If you mean firewall
logs which are in syslog, then I'm sure you could massage this into the   
current schema (take a look at logsnorter).  However, if you really want  
to store "host" events (e.g. failed logins), I would approach it as
follows:

- Create a new sensor entry (sid) in the sensor table for the host-based
sensor
- Augment the sensor table with a new column indicating the type of sensor
it is (host-based type #1, network based, etc.)
- Create a new signature entry (sig_id) in the signature table
- Create an entry in the event table
- Consider what is the host-based data I am trying to store.  Can I use
existing tables or do I need new ones?  Make whatever changes are necessary
to the schema.

By maintaining the sensor<->event<->signature relationship most queries
will continue to work (e.g. unique alerts), but others might not make  
sense (e.g. ports).  Additional logic needs to be instrumented in ACID so 
that it "knows" how to process the data from a particular sensor.

If I had a better idea of what kind of data you were thinking of, perhaps
I could be clearer.  This kind of change is definitely in line with some
of the longer term goals of the schema, ACID, etc.  If you want to chat 
about nuts-and-bolts implementation/architecture, feel free to send me
some specifics (off-list is fine too).

Roman
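To make the schema change concrete, here is an added, runnable sketch (not code from the original post, and not the actual ACID or Snort database DDL) of the approach the reply outlines: a host-based sensor gets its own `sid`, the `sensor` table gains a `sensor_type` column, host events reuse `signature` and `event`, and a new detail table holds the host-specific fields. Table and column names are simplified approximations of the Snort DB schema of that era; `sensor_type`, its type codes, and the `host_event` table are assumptions made for the example. It also shows the two consequences the reply names: the sensor/event/signature queries keep working, while port-oriented queries must be restricted to network sensors, and the detail view needs per-sensor-type dispatch.

```python
"""Added example: cut-down, SQLite-backed sketch of storing host-based events
in an ACID-style schema. Names are simplified assumptions, not the real DDL."""
import sqlite3
from typing import Dict, List, Optional, Tuple

SENSOR_NETWORK = 1   # assumed type codes for the new sensor.sensor_type column
SENSOR_HOST = 2

SCHEMA = """
CREATE TABLE sensor (
    sid         INTEGER PRIMARY KEY,
    hostname    TEXT NOT NULL,
    interface   TEXT,
    sensor_type INTEGER NOT NULL      -- new column: 1 = network, 2 = host
);
CREATE TABLE signature (
    sig_id   INTEGER PRIMARY KEY,
    sig_name TEXT NOT NULL
);
CREATE TABLE event (
    sid       INTEGER NOT NULL REFERENCES sensor(sid),
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL REFERENCES signature(sig_id),
    timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid)
);
-- Packet detail only exists for network sensors.
CREATE TABLE tcphdr (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL,
    tcp_sport INTEGER, tcp_dport INTEGER,
    PRIMARY KEY (sid, cid)
);
-- New detail table for host events (failed logins etc.); assumed layout.
CREATE TABLE host_event (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL,
    username TEXT, source_host TEXT, outcome TEXT,
    PRIMARY KEY (sid, cid)
);
"""


def build_sample_db() -> sqlite3.Connection:
    """Create the schema and load constructed sample rows: one network alert
    and two host-based failed-login events, each under its own sensor."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensor VALUES (?,?,?,?)", [
        (1, "ids-dmz", "eth1", SENSOR_NETWORK),
        (2, "mail01", None, SENSOR_HOST),      # host sensor: no capture interface
    ])
    conn.executemany("INSERT INTO signature VALUES (?,?)", [
        (100, "SCAN nmap TCP"),
        (200, "LOGIN failed password"),       # constructed host-side signature
    ])
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", [
        (1, 1, 100, "2001-08-23 15:01:02"),
        (2, 1, 200, "2001-08-23 15:02:10"),
        (2, 2, 200, "2001-08-23 15:02:14"),
    ])
    conn.execute("INSERT INTO tcphdr VALUES (1, 1, 41234, 22)")
    conn.executemany("INSERT INTO host_event VALUES (?,?,?,?,?)", [
        (2, 1, "root", "10.0.0.7", "failed"),
        (2, 2, "root", "10.0.0.7", "failed"),
    ])
    conn.commit()
    return conn


def unique_alerts(conn: sqlite3.Connection) -> List[Tuple[str, int]]:
    """'Unique alerts' keeps working for both sensor types because it only
    walks the sensor <-> event <-> signature relationship."""
    rows = conn.execute("""
        SELECT s.sig_name, COUNT(*) AS n
        FROM event e JOIN signature s ON s.sig_id = e.signature
        GROUP BY s.sig_name ORDER BY n DESC, s.sig_name""").fetchall()
    return [(name, n) for name, n in rows]


def dest_ports(conn: sqlite3.Connection) -> List[Tuple[int, int]]:
    """A port-oriented query only makes sense for network sensors, so it is
    restricted by sensor_type; host events have no tcphdr row at all."""
    rows = conn.execute("""
        SELECT t.tcp_dport, COUNT(*)
        FROM event e
        JOIN sensor se ON se.sid = e.sid AND se.sensor_type = ?
        JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
        GROUP BY t.tcp_dport""", (SENSOR_NETWORK,)).fetchall()
    return [(port, n) for port, n in rows]


def event_detail(conn: sqlite3.Connection, sid: int, cid: int) -> Optional[Dict[str, object]]:
    """The per-sensor-type dispatch the reply says ACID would need: read the
    sensor's type, then fetch detail from the matching table."""
    row = conn.execute("SELECT sensor_type FROM sensor WHERE sid = ?", (sid,)).fetchone()
    if row is None:
        return None
    if row[0] == SENSOR_NETWORK:
        r = conn.execute("SELECT tcp_sport, tcp_dport FROM tcphdr "
                         "WHERE sid = ? AND cid = ?", (sid, cid)).fetchone()
        return None if r is None else {"kind": "network", "sport": r[0], "dport": r[1]}
    if row[0] == SENSOR_HOST:
        r = conn.execute("SELECT username, source_host, outcome FROM host_event "
                         "WHERE sid = ? AND cid = ?", (sid, cid)).fetchone()
        return None if r is None else {"kind": "host", "user": r[0],
                                       "source": r[1], "outcome": r[2]}
    return {"kind": "unknown"}   # a sensor type with no detail handler yet


if __name__ == "__main__":
    db = build_sample_db()
    print(unique_alerts(db))      # both sensor types counted
    print(dest_ports(db))         # network events only
    print(event_detail(db, 2, 1))  # host-side detail for the failed login
```

The `event_detail` function is the piece that would have to live in ACID itself: without the `sensor_type` lookup, the detail page has no way to know whether to render packet headers or login fields for a given `(sid, cid)`.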

On Thu, 23 Aug 2001 bretwatson () charteredsemi com wrote:


I'm looking at adding other alert types of the ACID DB - especially host 
IDS output... However it seems hard to find somewhere to show detail of 
the event... any hints as to what specifically I should do so that detail 
shows up under the "detail" area on the ACID report?

Bret





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users