Snort mailing list archives
Re: adding other alert types to the ACID db
From: roman () danyliw com
Date: Thu, 23 Aug 2001 15:26:31 US/Eastern
Bret,

It all depends on what you mean by host IDS output. If you mean firewall logs which are in syslog, then I'm sure you could massage this into the current schema (take a look at logsnorter). However, if you really want to store "host" events (e.g. failed logins), I would approach it as follows:

- Create a new sensor entry (sid) in the sensor table for the host-based sensor
- Augment the sensor table with a new column indicating the type of sensor it is (host-based type #1, network based, etc.)
- Create a new signature entry (sig_id) in the signature table
- Create an entry in the event table
- Consider what is the host-based data I am trying to store. Can I use existing tables or do I need new ones? Make whatever changes are necessary to the schema.

By maintaining the sensor<->event<->signature relationship most queries will continue to work (e.g. unique alerts), but others might not make sense (e.g. ports). Additional logic needs to be instrumented in ACID so that it "knows" how to process the data from a particular sensor.

If I had a better idea of what kind of data you were thinking of, perhaps I could be clearer. This kind of change is definitely in line with some of the longer term goals of the schema, ACID, etc. If you want to chat about nuts-and-bolts implementation/architecture, feel free to send me some specifics (off-list is fine too).

Roman

On Thu, 23 Aug 2001 bretwatson () charteredsemi com wrote:
I'm looking at adding other alert types to the ACID DB - especially host IDS output... However it seems hard to find somewhere to show detail of the event... any hints as to what specifically I should do so that detail shows up under the "detail" area on the ACID report? Bret
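The schema changes Roman lists above, walked through end to end as an added example (this is not code from the thread, from ACID, or from Snort). It uses an in-memory sqlite3 database with a constructed, deliberately simplified stand-in for the Snort/ACID schema: only the table names sensor, signature and event and the key columns sid and sig_id come from the message; the sensor_type column, the cid counter, the tcphdr detail table and every hostname and signature name are assumptions made for the demonstration. It shows that a query built only on the sensor<->event<->signature relationship (unique alerts) keeps working after a host-based sensor is added, while a port-oriented query returns nothing useful for host events, which is exactly the case a front end must detect via the sensor type.

```python
"""Constructed walk-through of extending an ACID-style schema with a host-based
sensor. Table/column names are a simplified stand-in, not the real Snort schema.
"""
import sqlite3

# Hypothetical sensor_type values (the message only says "host-based type #1,
# network based, etc.").
SENSOR_TYPE_NETWORK = 0
SENSOR_TYPE_HOST = 1


def build_schema(conn):
    """Create the minimal sensor/signature/event tables plus one network-only
    detail table (tcphdr) that has no meaning for host events."""
    conn.executescript("""
        CREATE TABLE sensor (
            sid      INTEGER PRIMARY KEY,
            hostname TEXT NOT NULL
        );
        CREATE TABLE signature (
            sig_id   INTEGER PRIMARY KEY,
            sig_name TEXT NOT NULL
        );
        CREATE TABLE event (
            sid       INTEGER NOT NULL REFERENCES sensor(sid),
            cid       INTEGER NOT NULL,
            signature INTEGER NOT NULL REFERENCES signature(sig_id),
            timestamp TEXT NOT NULL,
            PRIMARY KEY (sid, cid)
        );
        CREATE TABLE tcphdr (
            sid INTEGER NOT NULL, cid INTEGER NOT NULL,
            tcp_sport INTEGER, tcp_dport INTEGER,
            PRIMARY KEY (sid, cid)
        );
    """)


def add_sensor_type_column(conn):
    """Step 2 of the message: augment sensor with a type column. Existing rows
    default to network-based, so already-stored data is unaffected."""
    conn.execute("ALTER TABLE sensor ADD COLUMN sensor_type INTEGER "
                 "NOT NULL DEFAULT %d" % SENSOR_TYPE_NETWORK)


def add_host_sensor(conn, hostname):
    """Step 1: a new sensor row (sid) representing the host-based source."""
    cur = conn.execute("INSERT INTO sensor (hostname, sensor_type) VALUES (?, ?)",
                       (hostname, SENSOR_TYPE_HOST))
    return cur.lastrowid


def add_signature(conn, name):
    """Step 3: a new signature row (sig_id) for the host event class."""
    return conn.execute("INSERT INTO signature (sig_name) VALUES (?)",
                        (name,)).lastrowid


def add_event(conn, sid, sig_id, timestamp):
    """Step 4: an event row; cid is a per-sensor counter (assumed convention)."""
    cid = conn.execute("SELECT COALESCE(MAX(cid), 0) + 1 FROM event WHERE sid = ?",
                       (sid,)).fetchone()[0]
    conn.execute("INSERT INTO event (sid, cid, signature, timestamp) VALUES (?, ?, ?, ?)",
                 (sid, cid, sig_id, timestamp))
    return cid


def unique_alerts(conn):
    """Relies only on sensor<->event<->signature, so it works for both types."""
    return conn.execute("""
        SELECT sg.sig_name, s.sensor_type, COUNT(*) AS n
        FROM event e
        JOIN sensor s ON s.sid = e.sid
        JOIN signature sg ON sg.sig_id = e.signature
        GROUP BY sg.sig_name, s.sensor_type
        ORDER BY sg.sig_name
    """).fetchall()


def port_view(conn):
    """Joins to the network-only detail table: host events have no tcphdr row,
    so the port column comes back NULL and the view makes no sense for them."""
    return conn.execute("""
        SELECT e.sid, e.cid, t.tcp_dport
        FROM event e LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
        ORDER BY e.sid, e.cid
    """).fetchall()


def demo():
    """Run all steps on constructed data and return both query results."""
    conn = sqlite3.connect(":memory:")
    build_schema(conn)
    # Pre-existing network sensor and alert (constructed sample data).
    net_sid = conn.execute("INSERT INTO sensor (hostname) VALUES ('snort-sensor-1')").lastrowid
    add_sensor_type_column(conn)
    net_sig = add_signature(conn, "SCAN constructed port probe")
    cid = add_event(conn, net_sid, net_sig, "2001-08-23 15:00:00")
    conn.execute("INSERT INTO tcphdr VALUES (?, ?, 40000, 80)", (net_sid, cid))
    # New host-based sensor with two failed-login events.
    host_sid = add_host_sensor(conn, "mail-server-1")
    host_sig = add_signature(conn, "HOST failed login")
    add_event(conn, host_sid, host_sig, "2001-08-23 15:01:00")
    add_event(conn, host_sid, host_sig, "2001-08-23 15:02:00")
    return {"unique_alerts": unique_alerts(conn), "port_view": port_view(conn)}


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The sensor_type column is what ACID-side logic would consult before rendering a detail view: rows whose sensor is host-based should be routed to whatever new detail table the host data ends up in, rather than to the packet-header tables.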