Snort mailing list archives
RE: Any HOWTO for merging separate snort IDS's into central DB?
From: "Cloppert, Michael" <Michael.Cloppert () 53 com>
Date: Fri, 20 Dec 2002 16:10:27 -0500
Jason,
I'm also looking for something to do this. I have a rough idea of what is
going to be involved, but I have not looked into doing it in any depth so
far. What I'm thinking about doing is, given sensors X and Y reporting back
to database A: have a cronjob on {X,Y} that kicks off a script every n
minutes (or days, whatever). The script will basically export all event and
related data to A except the sensor ID. The sensor ID (sid) for each event
would be manufactured at the time of export to match whatever is in the
"sensor" table on the central database corresponding to the sensor exporting
the data. For example, if doing a SQL query of "select sid,hostname from
sensor" on A gives me:
+-----+-----------+
| sid | hostname  |
+-----+-----------+
|   1 | localhost |
|   2 | X         |
|   3 | Y         |
+-----+-----------+
then when I export from X, I will need to change all the sid's in my events
to "2", and "3" from server Y. This neglects other fields in the "sensor"
table that are necessary for normal snort operation, such as the "last_cid"
field. This would be a massive problem, IF you had a snort sensor running
on A that tried to add events with a sid of 2 or 3. Since we're just
talking about looking at the data, and are adding the data ourselves, we
should be able to get away with this.
I don't know if this is a load of cock and bull and won't work to save my
own butt, or if it's all that needs to be done to get these alerts
centralized. Like I said, I haven't tried it. If anyone has any comments
on this (particularly if you work actively on the snort project, *nudge,
nudge*) and if I'm walking in the right direction or not, I (and most likely
Jason) would appreciate it greatly!
Mike Cloppert
ps-
I just realized that one thing can't be overlooked in this solution: the
signature ID's & such. I'm not sure if these will vary between systems or
not. If they do, there will need to be some way of getting this data back
and sorting it out as well, and may prevent this solution from being
tenable.
-----Original Message-----
From: Jason Haar [mailto:Jason.Haar () trimble co nz]
Sent: Tuesday, December 17, 2002 6:55 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Any HOWTO for merging separate snort IDS's into central DB?

For network protection we're running snort on separate boxes with local MySQL
databases. However, once a month (say) I'd like to pull those SQL logs together
into a "meta-DB" so that we can look at the IDS network as a whole.

Obviously snort on these standalone systems are re-using the same id numbers
for different things, so I was wondering if anyone had written a script that
could allow such separate databases to be pulled together as a consistent
offering.

All our snort systems run the same release and same schema, so their data is
internally consistent.

Thanks

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
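Added example, not code from the thread or from the Snort project: the export-and-remap procedure sketched in the reply above, run against a cut-down copy of the Snort database-output schema in sqlite3 so it works offline (the real schema has more columns and more per-event tables such as tcphdr, udphdr, icmphdr and opt, all keyed by (sid, cid) and copied the same way). It assumes one sensor per local database, rewrites sid to the central "sensor" row for that hostname, keeps each sensor's own cid so (sid, cid) stays unique, and treats (sig_name, sig_rev) rather than the local auto-increment sig_id as a signature's identity, which is the problem raised in the ps. It goes one step beyond the post by using the central sensor.last_cid as a high-water mark so a repeated cron run copies nothing twice. Table and column names follow the Snort schema; the two sample alert sets are constructed here.

```python
"""Merge per-sensor Snort databases into one central DB, remapping sid and sig_id."""
import sqlite3

# Simplified subset of the Snort database schema (assumption: the real one has
# more columns and tables, all per-event tables keyed by (sid, cid)).
SCHEMA = """
CREATE TABLE sensor    (sid INTEGER PRIMARY KEY AUTOINCREMENT, hostname TEXT,
                        interface TEXT, last_cid INTEGER NOT NULL DEFAULT 0);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY AUTOINCREMENT, sig_name TEXT NOT NULL,
                        sig_sid INTEGER, sig_rev INTEGER);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                        PRIMARY KEY (sid, cid));
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                        PRIMARY KEY (sid, cid));
CREATE TABLE data      (sid INTEGER, cid INTEGER, data_payload TEXT, PRIMARY KEY (sid, cid));
"""
# Per-event detail tables besides event itself, with their non-key columns.
DETAIL_TABLES = {"iphdr": ("ip_src", "ip_dst"), "data": ("data_payload",)}

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def sig_id_for(conn, sig_name, sig_sid, sig_rev):
    """Find or create a signature row. (sig_name, sig_rev) is the identity;
    sig_id is a per-database auto-increment and must never be trusted across DBs."""
    row = conn.execute("SELECT sig_id FROM signature WHERE sig_name=? AND sig_rev=?",
                       (sig_name, sig_rev)).fetchone()
    if row:
        return row[0]
    return conn.execute("INSERT INTO signature (sig_name, sig_sid, sig_rev) VALUES (?,?,?)",
                        (sig_name, sig_sid, sig_rev)).lastrowid

def sensor_db(hostname, alerts):
    """Build a stand-alone sensor DB the way snort's database plugin fills it:
    one sensor row (sid 1), sig_id assigned in order of first sight, cid from 1."""
    conn = new_db()
    conn.execute("INSERT INTO sensor (hostname, interface) VALUES (?, 'eth0')", (hostname,))
    cid = 0
    for sig_name, sig_sid, sig_rev, ts, src, dst, payload in alerts:
        sig_id = sig_id_for(conn, sig_name, sig_sid, sig_rev)
        cid += 1
        conn.execute("INSERT INTO event VALUES (1,?,?,?)", (cid, sig_id, ts))
        conn.execute("INSERT INTO iphdr VALUES (1,?,?,?)", (cid, src, dst))
        conn.execute("INSERT INTO data VALUES (1,?,?)", (cid, payload))
    conn.execute("UPDATE sensor SET last_cid=? WHERE sid=1", (cid,))
    return conn

def merge_sensor(central, sensor, hostname):
    """Copy events newer than central's high-water mark for `hostname` into central.
    Returns the number of events copied. Caveat: a snort process writing directly
    into central under this sid would fight over last_cid, so central is read-only
    except for this merge."""
    row = central.execute("SELECT sid, last_cid FROM sensor WHERE hostname=?",
                          (hostname,)).fetchone()
    if row is None:
        sid = central.execute("INSERT INTO sensor (hostname, interface) VALUES (?, 'merged')",
                              (hostname,)).lastrowid
        have = 0
    else:
        sid, have = row
    # local sig_id -> central sig_id, matched by (sig_name, sig_rev), not by number
    sigmap = {local: sig_id_for(central, name, ssid, rev) for local, name, ssid, rev in
              sensor.execute("SELECT sig_id, sig_name, sig_sid, sig_rev FROM signature")}
    copied, high = 0, have
    for cid, sig_id, ts in sensor.execute(
            "SELECT cid, signature, timestamp FROM event WHERE cid > ? ORDER BY cid", (have,)):
        central.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid, sigmap[sig_id], ts))
        copied, high = copied + 1, cid
    for table, cols in DETAIL_TABLES.items():
        collist = ", ".join(cols)
        marks = ",".join("?" * len(cols))
        for r in sensor.execute(f"SELECT cid, {collist} FROM {table} WHERE cid > ?", (have,)):
            central.execute(f"INSERT INTO {table} (sid, cid, {collist}) VALUES (?,?,{marks})",
                            (sid,) + tuple(r))
    central.execute("UPDATE sensor SET last_cid=? WHERE sid=?", (high, sid))
    central.commit()
    return copied

def merged_view(central):
    """(hostname, cid, sig_name, ip_src) per event: the 'IDS network as a whole' view."""
    return central.execute("""
        SELECT s.hostname, e.cid, g.sig_name, i.ip_src
          FROM event e JOIN sensor s ON s.sid = e.sid
                       JOIN signature g ON g.sig_id = e.signature
                       JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
         ORDER BY e.sid, e.cid""").fetchall()

def demo():
    """Constructed sample: both sensors reuse cid 1 and 2 and hand out the
    opposite sig_id to the same two rules, so a naive copy would collide and mislabel."""
    x = sensor_db("X", [
        ("WEB-IIS cmd.exe access", 1002, 5, "2002-12-20 10:00:01", 0x0A000001, 0x0A000050,
         "GET /scripts/..%255c../winnt/system32/cmd.exe"),
        ("ICMP PING NMAP", 469, 1, "2002-12-20 10:00:07", 0x0A000002, 0x0A000050, "")])
    y = sensor_db("Y", [
        ("ICMP PING NMAP", 469, 1, "2002-12-20 11:30:00", 0xC0A80105, 0xC0A80101, ""),
        ("WEB-IIS cmd.exe access", 1002, 5, "2002-12-20 11:30:02", 0xC0A80105, 0xC0A80101,
         "GET /scripts/..%c1%1c../winnt/system32/cmd.exe")])
    central = new_db()
    central.execute("INSERT INTO sensor (hostname, interface) VALUES ('localhost', 'eth0')")
    counts = [merge_sensor(central, x, "X"), merge_sensor(central, y, "Y"),
              merge_sensor(central, x, "X")]  # third call is the cron job running again
    return central, counts

if __name__ == "__main__":
    db, runs = demo()
    print("events copied per run:", runs)
    for line in merged_view(db):
        print(line)
```

Against real MySQL databases the same logic applies with MySQLdb connections in place of sqlite3, with the sensor and central connections pointing at different hosts; the one change to make is to walk every (sid, cid) table the installed schema actually has rather than the two listed in DETAIL_TABLES.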
Current thread:
- RE: Any HOWTO for merging separate snort IDS's into central DB? Cloppert, Michael (Dec 20)
- <Possible follow-ups>
- RE: Any HOWTO for merging separate snort IDS's into central DB? Benjamin Hippler (Dec 21)
- Re: Any HOWTO for merging separate snort IDS's into central DB? Jason Haar (Dec 21)
- Re: Any HOWTO for merging separate snort IDS's into central DB? Andrea Barisani (Dec 21)
- RE: Any HOWTO for merging separate snort IDS's into central DB? Cloppert, Michael (Dec 24)
