Snort mailing list archives
RE: Any HOWTO for merging separate snort IDS's into central DB?
From: "Cloppert, Michael" <Michael.Cloppert () 53 com>
Date: Fri, 20 Dec 2002 16:10:27 -0500
Jason,

I'm also looking for something to do this. I have a rough idea of what is going to be involved, but I have not looked into doing it in any depth so far.

What I'm thinking about doing is, given sensors X and Y reporting back to database A: have a cronjob on {X,Y} that kicks off a script every n minutes (or days, whatever). The script will basically export all event and related data to A except the sensor ID. The sensor ID (sid) for each event would be manufactured at the time of export to match whatever is in the "sensor" table on the central database corresponding to the sensor exporting the data.

For example, if doing a SQL query of "select sid,hostname from sensor" on A gives me:

+-----+-----------+
| sid | hostname  |
+-----+-----------+
|   1 | localhost |
|   2 | X         |
|   3 | Y         |
+-----+-----------+

then when I export from X, I will need to change all the sid's in my events to "2", and "3" from server Y.

This neglects other fields in the "sensor" table that are necessary for normal snort operation, such as the "last_cid" field. This would be a massive problem, IF you had a snort sensor running on A that tried to add events with a sid of 2 or 3. Since we're just talking about looking at the data, and are adding the data ourselves, we should be able to get away with this.

I don't know if this is a load of cock and bull and won't work to save my own butt, or if it's all that needs to be done to get these alerts centralized. Like I said, I haven't tried it. If anyone has any comments on this (particularly if you work actively on the snort project, *nudge, nudge*) and if I'm walking in the right direction or not, I (and most likely Jason) would appreciate it greatly!

Mike Cloppert

ps- I just realized that one thing can't be overlooked in this solution: the signature ID's & such. I'm not sure if these will vary between systems or not. If they do, there will need to be some way of getting this data back and sorting it out as well, and may prevent this solution from being tenable.
-----Original Message-----
From: Jason Haar [mailto:Jason.Haar () trimble co nz]
Sent: Tuesday, December 17, 2002 6:55 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Any HOWTO for merging separate snort IDS's into central DB?

For network protection we're running snort on separate boxes with local MySQL databases. However, once a month (say) I'd like to pull those SQL logs together into a "meta-DB" so that we can look at the IDS network as a whole.

Obviously snort on these standalone systems is re-using the same id numbers for different things, so I was wondering if anyone had written a script that could allow such separate databases to be pulled together as a consistent offering.

All our snort systems run the same release and same schema, so their data is internally consistent.

Thanks

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
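An added example, not from Mike's or Jason's mail nor from the Snort project, of the export step Mike sketches: Python with SQLite standing in for the sensors' MySQL databases, on a constructed, simplified subset of the Snort schema (sensor, signature, event). It stamps each exported event with the sid that database A's sensor table holds for that hostname, re-numbers cid from A's last_cid so the id collisions Jason describes disappear, and handles the signature ID worry in Mike's postscript by matching signatures on sig_name instead of copying sig_id.

```python
import sqlite3
SCHEMA = """  -- constructed, simplified subset of the Snort DB schema (assumption)
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, last_cid INTEGER);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT, PRIMARY KEY (sid, cid));
"""

def make_sensor_db(hostname, sigs, events):
    """Constructed sample sensor DB: locally every sensor is sid 1 and sig_ids are assigned locally."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO sensor VALUES (1, ?, ?)", (hostname, len(events)))
    db.executemany("INSERT INTO signature VALUES (?, ?)", sigs)
    db.executemany("INSERT INTO event VALUES (1, ?, ?, ?)", events)
    return db

def merge_sensor(central, sensor_db):
    """Export one sensor's events into the central DB with sid, cid and signature rewritten."""
    (hostname,) = sensor_db.execute("SELECT hostname FROM sensor").fetchone()
    # 1. The sid to stamp on exported events is whatever A's sensor table holds for this hostname.
    row = central.execute("SELECT sid, last_cid FROM sensor WHERE hostname = ?", (hostname,)).fetchone()
    if row is None:
        raise LookupError(f"{hostname} is not registered in the central sensor table")
    sid, last_cid = row
    # 2. sig_id is handed out locally on each sensor, so match signatures by name, never by number.
    sigmap = {}
    for local_id, name in sensor_db.execute("SELECT sig_id, sig_name FROM signature"):
        hit = central.execute("SELECT sig_id FROM signature WHERE sig_name = ?", (name,)).fetchone()
        sigmap[local_id] = hit[0] if hit else central.execute(
            "INSERT INTO signature (sig_name) VALUES (?)", (name,)).lastrowid
    # 3. Re-number cid from A's last_cid for this sid so (sid, cid) stays unique after the merge.
    for local_sig, ts in sensor_db.execute("SELECT signature, timestamp FROM event ORDER BY cid"):
        last_cid += 1
        central.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, last_cid, sigmap[local_sig], ts))
    central.execute("UPDATE sensor SET last_cid = ? WHERE sid = ?", (last_cid, sid))
    central.commit()
    return sid

def demo():
    central = sqlite3.connect(":memory:")  # database A, with the sensor table from Mike's mail
    central.executescript(SCHEMA)
    central.executemany("INSERT INTO sensor VALUES (?, ?, 0)", [(1, "localhost"), (2, "X"), (3, "Y")])
    x = make_sensor_db("X", [(1, "ICMP PING"), (2, "SNMP request udp")],
                       [(1, 1, "2002-12-20 10:00:00"), (2, 2, "2002-12-20 10:05:00")])
    y = make_sensor_db("Y", [(1, "SNMP request udp"), (2, "ICMP PING")],  # same rules, other numbers
                       [(1, 1, "2002-12-20 11:00:00")])  # cid 1 collides with X's cid 1
    sids = (merge_sensor(central, x), merge_sensor(central, y))
    merged = central.execute("SELECT e.sid, e.cid, s.sig_name FROM event e "
                             "JOIN signature s ON s.sig_id = e.signature ORDER BY e.sid, e.cid").fetchall()
    return sids, merged
```

The real sensor table also carries interface, filter and encoding columns, and a live snort writing to A would need its own sid; this script only fills A for reading, as Mike's mail assumes.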
Current thread:
- RE: Any HOWTO for merging separate snort IDS's into central DB? Cloppert, Michael (Dec 20)
- <Possible follow-ups>
- RE: Any HOWTO for merging separate snort IDS's into central DB? Benjamin Hippler (Dec 21)
- Re: Any HOWTO for merging separate snort IDS's into central DB? Jason Haar (Dec 21)
- Re: Any HOWTO for merging separate snort IDS's into central DB? Andrea Barisani (Dec 21)
- RE: Any HOWTO for merging separate snort IDS's into central DB? Cloppert, Michael (Dec 24)