Snort mailing list archives
RE: Can you simply merge separate Snort SQL databases?
From: "David E. Wach" <david () ignw com>
Date: Wed, 1 May 2002 09:20:15 -0700
One problem you'll have is that Snort dynamically adds entries into several tables as it sees events (reference, reference_system, sig_class, sig_reference, and signature). If you pull data into a central database your events will reference bogus data. What I ended up doing is pre-filling the central database with all possible signatures ahead of time, then adding those records to all remote databases. Also note that you'll have to do this anytime you update your Snort rules. It's all pretty simple, I can send on scripts if anybody is interested.

-david

--
===============================================
David E. Wach
Senior Managed Security Architect
david () ignw com
InfoGroup Northwest
541.485.0957 x168
===============================================

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar () trimble co nz]
Sent: Tuesday, April 30, 2002 9:41 PM
To: Snort List (E-mail)
Subject: [Snort-users] Can you simply merge separate Snort SQL databases?

Says it all.

For performance/availability reasons we want our Snort IDSes to be independently installed within our world-wide network, however as the overseer I'd like to merge all that data back into one spot to do "global reports" once per month.

The sensor table from each DB will obviously clash, but if I remap those, would there be any other conflicts?

[better get a bigger box...]

--
Cheers

Jason Haar
Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
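The clash David describes, shown as an added example (not his scripts and not Snort's own code): two sensor databases that each assigned sig_id 1 to a different rule, merged into a central database with the sensor id remapped and each signature matched by name rather than by id. Table and column names (sensor.sid, signature.sig_id/sig_name, event.sid/cid/signature) follow the classic Snort SQL schema from memory and are an assumption; the sample rows are constructed, and SQLite stands in for the real backend so it runs offline.

```python
import sqlite3

# Minimal subset of the Snort SQL schema (names assumed, see lead-in).
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT UNIQUE);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
"""

def load(sensors, sigs, events):
    """Build an in-memory database from constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO sensor VALUES (?,?)", sensors)
    db.executemany("INSERT INTO signature VALUES (?,?)", sigs)
    db.executemany("INSERT INTO event VALUES (?,?,?,?)", events)
    return db

def merge(central, remote):
    """Copy remote events into central. Sensors get a fresh sid; signatures
    are matched on sig_name so events keep pointing at the right rule."""
    sid_map, sig_map = {}, {}
    for sid, host in remote.execute("SELECT sid, hostname FROM sensor"):
        sid_map[sid] = central.execute(
            "INSERT INTO sensor (hostname) VALUES (?)", (host,)).lastrowid
    for sig_id, name in remote.execute("SELECT sig_id, sig_name FROM signature"):
        row = central.execute(
            "SELECT sig_id FROM signature WHERE sig_name=?", (name,)).fetchone()
        sig_map[sig_id] = row[0] if row else central.execute(
            "INSERT INTO signature (sig_name) VALUES (?)", (name,)).lastrowid
    for sid, cid, sig, ts in remote.execute(
            "SELECT sid, cid, signature, timestamp FROM event"):
        central.execute("INSERT INTO event VALUES (?,?,?,?)",
                        (sid_map[sid], cid, sig_map[sig], ts))
    central.commit()
    return sid_map, sig_map

def demo():
    """Both DBs use sid 1 and sig_id 1, but for different hosts and rules."""
    central = load([(1, "ids-hq")],
                   [(1, "ICMP PING"), (2, "WEB-MISC /etc/passwd")],
                   [(1, 1, 2, "2002-04-30 21:00:00")])
    remote = load([(1, "ids-nz")],
                  [(1, "WEB-MISC /etc/passwd"), (2, "ICMP PING NMAP")],
                  [(1, 1, 1, "2002-04-30 21:05:00"),
                   (1, 2, 2, "2002-04-30 21:06:00")])
    merge(central, remote)
    return central.execute(
        "SELECT hostname, sig_name FROM event JOIN sensor USING (sid) "
        "JOIN signature ON event.signature = signature.sig_id "
        "ORDER BY event.sid, event.cid").fetchall()
```

Without the sig_map step the remote event with signature 1 would show up in the central reports as "ICMP PING", which is the bogus reference the reply warns about.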
Current thread:
- Can you simply merge separate Snort SQL databases? Jason Haar (Apr 30)
- <Possible follow-ups>
- RE: Can you simply merge separate Snort SQL databases? David E. Wach (May 01)
- Re: Can you simply merge separate Snort SQL databases? Jason Haar (May 01)
- RE: Can you simply merge separate Snort SQL databases? David E. Wach (May 02)