Snort mailing list archives
Re: Data Collection Help (fwd)
From: Andrea Barisani <lcars () infis univ trieste it>
Date: Wed, 21 Nov 2001 22:20:05 +0100 (CET)
---------- Forwarded message ----------
Date: Wed, 21 Nov 2001 17:18:40 +0100 (CET)
From: Andrea Barisani <lcars () infis univ trieste it>
To: Lance Spitzner <lance () honeynet org>
Subject: Re: [Snort-users] Data Collection Help

On Wed, 21 Nov 2001, Lance Spitzner wrote:
The Honeynet Project is beginning to collect data from various distributed Honeynets. One of our primary weapons for data capture is Snort. Question, what are some of the best practices for data collection for distributed Snort sensors? We are currently doing the following, any additional ideas GREATLY appreciated.

- MySQL backend for Snort alerts, ACID interface
- Daily copy of Snort binary log files

If you have any more recommendations on what Snort data should be collected, in what format, or how it can be organized, that would be greatly appreciated. For example, are there any options besides ACID?
Hi Lance!

My experience is that the best way for logging snort sensors' data is the following:

On the sensor:

1) a standard snort process with full alert logging and tcpdump-style binary logging of traffic.

2) every n (usually 12) hours a snort process parses the binary file (which contains all the packets that have triggered an alert with the ruleset specified for 1) ) and logs the alerts, with the previous ruleset or, recommended, a more restrictive one, into a central MySQL db accessible with ACID.

The advantages are:

1) the sensor is not always logging to a database, in order to increase overall speed.

2) we can define a more restrictive ruleset for the db logging, so we can avoid db flooding with false alarms by checking the sensor alert logs first. We can also have different rulesets in order to put the collected data in different logical databases.

3) we can rebuild the database every time we want if we archive the binary log files.

4) an eventual ssl-encapsulation of MySQL traffic between the sensor and the central database is possible and it is not so exhausting.

What do you think? Hope that helps.

Bye

------------------------------------------------------------
INFIS Network Administrator & Security Officer
Department of Physics - University of Trieste
lcars () infis univ trieste it - PGP Key 0x8E21FE82
------------------------------------------------------------
"How would you know I'm mad?" said Alice.
"You must be," said the Cat, "or you wouldn't have come here."
------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
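The two-stage scheme in the message above (always-on sensor with full alerts plus binary logging; a periodic replay of the binary log through a stricter ruleset into MySQL; archived binary logs so the database can be rebuilt) as a sensor-side cron script. This is an added example, not code from Andrea's post or from the Snort project. It assumes Snort 1.x command-line flags (-D, -i, -c, -l, -A full, -b, -r, -N), that -b writes files named snort.log.* under the log directory, that a SIGHUP makes the daemon restart and open a fresh binary log, and that the restrictive config file carries an `output database: alert, mysql, ...` line. Every path, the interface name and the pidfile location are assumptions.

```shell
#!/bin/sh
# Sensor-side collection job (added example, not from the original post).
# Assumed layout: SENSOR_CONF holds the full ruleset, DB_CONF a more
# restrictive ruleset plus a line such as
#   output database: alert, mysql, user=snort dbname=snort host=db.example.org
# so that a replay run inserts straight into the central MySQL database.

SENSOR_CONF=${SENSOR_CONF:-/etc/snort/sensor.conf}   # assumed path
DB_CONF=${DB_CONF:-/etc/snort/db.conf}               # assumed path
LOGDIR=${LOGDIR:-/var/log/snort}                     # assumed path
ARCHIVE=${ARCHIVE:-/var/log/snort/archive}           # assumed path
IFACE=${IFACE:-eth0}                                 # assumed interface
PIDFILE=${PIDFILE:-/var/run/snort_$IFACE.pid}        # assumed pidfile name

# Stage 1: the always-on sensor. Full-text alerts go to $LOGDIR/alert and
# every packet that triggered an alert goes to $LOGDIR/snort.log.* in
# tcpdump format. No database output here, so the sensor never stalls on
# a slow or unreachable database.
start_sensor() {
    snort -D -i "$IFACE" -c "$SENSOR_CONF" -l "$LOGDIR" -A full -b
}

# Ask the daemon to restart (assumed SIGHUP behaviour) so it closes the
# current snort.log.* and opens a new one; all older files are then complete.
rotate_binary_log() {
    kill -HUP "$(cat "$PIDFILE")"
    sleep 2
}

# Print the binary logs under directory $1 that are no longer being written:
# every snort.log.* file except the most recently modified one.
finished_logs() {
    ls -t "$1"/snort.log.* 2>/dev/null | tail -n +2
}

# Stage 2: replay one binary log through the restrictive ruleset; the
# output database plugin in $DB_CONF sends the surviving alerts to MySQL.
# -N turns packet logging off for the replay run, the pcap already exists.
replay_log() {
    snort -r "$1" -c "$DB_CONF" -l "$LOGDIR" -N
}

# Move a processed binary log ($1) into archive directory $2 and record a
# checksum, so the database can later be rebuilt from known-good files.
archive_log() {
    mkdir -p "$2"
    mv "$1" "$2"/ && (cd "$2" && cksum "$(basename "$1")" >> CKSUMS)
}

# The periodic job (run from cron every n hours): rotate, replay each
# finished log into the database, archive it only if the replay succeeded.
collect() {
    rotate_binary_log
    for f in $(finished_logs "$LOGDIR"); do
        replay_log "$f" && archive_log "$f" "$ARCHIVE"
    done
}

case "${1:-}" in
    start)   start_sensor ;;
    collect) collect ;;
esac
```

Run it once as `sensor.sh start` at boot and as `sensor.sh collect` from cron; because the replay stage only ever reads finished files, a database outage delays the inserts but never loses packets, and re-running the archived files through a different DB_CONF rebuilds the database or populates a second logical one.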
Current thread:
- Re: Data Collection Help (fwd) Andrea Barisani (Nov 21)
- Re: Data Collection Help (fwd) james (Nov 21)
- Re: Data Collection Help (fwd) Guillaume (Nov 23)
- <Possible follow-ups>
- Re: Data Collection Help (fwd) james (Nov 21)