Snort mailing list archives

RE: snort+mysql+acid


From: "Scott, Joshua" <Joshua.Scott () jacobs com>
Date: Tue, 4 Feb 2003 17:56:47 -0500

I've done something similar using a Perl script.  The script basically looks
for various signatures that I specify and sends an email if there are any
matches.  I've set it to run every 10 minutes so it's not "instant"
notification but it is acceptable for now.

It may be possible to have instant notification by way of database triggers
or a similar function in MySQL.  I'm in no way a database person so I don't
even know if MySQL supports triggers.  

I'd also like to hear what other people have done for email alerting with
ACID/SnortCenter.  

Joshua Scott
Security Systems Analyst, CISSP

-----Original Message-----
From: Alan McCarty [mailto:amccarty () ecornell com] 
Sent: Tuesday, February 04, 2003 2:02 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort+mysql+acid


Hi all-
I'm running well so far with a distributed snort setup.  I have a big 
tank of a server running mysql/acid/snortcenter, with smaller snort 
sensors on various remote subnets.
I'd like to know if anyone has come up with a simple solution to 
centralized instant notification of alerts, other than logwatchers, 
etc. I have read posts of people hacking code to replace smb_client 
messaging with sendmail commands, using syslog, snmp trapping, etc.  
However, these notifications come from the sensors, not the central 
server. I realize I can forward this information to our central server 
and then on from there, but the information is already on the server, 
stored in the mysql database.
I imagine this has been considered, but is there a good reason why it 
hasn't been implemented in any way?  It seems like an elegant add-on to 
what is so far a very solid IDS solution.

Thanks for any input.
-Alan
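
The polling approach described in the reply above, as an added example that is not part of either message and is not the Perl script it mentions: each run reads only events above a per-sensor high-water mark, so a 10-minute cron job never mails the same alert twice. Assumptions: the `event`/`signature` column names follow the Snort database output schema (a subset is shown), `sqlite3` stands in for MySQL so the block runs offline, and the watch patterns, sample rows and function names are constructed for illustration.

```python
import re
import sqlite3
from email.message import EmailMessage

# Signature-name patterns to alert on (constructed for this example).
WATCH = [re.compile(p, re.I) for p in (r"shellcode", r"^WEB-IIS ")]

def new_matches(db, state):
    """Return watched events newer than the per-sensor mark in `state`
    (a dict sid -> last cid seen) and advance the marks."""
    hits = []
    sensors = [r[0] for r in db.execute("SELECT DISTINCT sid FROM event")]
    for sid in sensors:
        rows = db.execute(
            "SELECT e.cid, e.timestamp, s.sig_name FROM event e "
            "JOIN signature s ON s.sig_id = e.signature "
            "WHERE e.sid = ? AND e.cid > ? ORDER BY e.cid",
            (sid, state.get(sid, 0)))
        for cid, ts, name in rows:
            state[sid] = cid  # cid counts up separately for each sensor
            if any(p.search(name) for p in WATCH):
                hits.append((sid, cid, ts, name))
    return hits

def build_mail(hits, sender, rcpt):
    """Build one digest message per run; pass it to smtplib to send."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, rcpt
    msg["Subject"] = f"[snort] {len(hits)} watched alert(s)"
    msg.set_content("\n".join(
        f"{ts} sensor={sid} event={cid} {name}" for sid, cid, ts, name in hits))
    return msg

def demo_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
      CREATE TABLE event (sid INT, cid INT, signature INT, timestamp TEXT,
                          PRIMARY KEY (sid, cid));
      INSERT INTO signature VALUES (1,'ICMP PING NMAP'),
        (2,'SHELLCODE x86 NOOP'),(3,'WEB-IIS cmd.exe access');
      INSERT INTO event VALUES (1,1,1,'2003-02-04 17:40:01'),
        (1,2,2,'2003-02-04 17:41:13'),(2,1,3,'2003-02-04 17:42:30');
    """)
    return db
```

Between runs the `state` dict has to be persisted (a small file or table on the central server), otherwise the first run after a restart reports the whole backlog.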


