Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Tagging into the DB and back out again

From: "Sean Wheeler" <s.wheeler () netprotect ch>
Date: Fri, 30 May 2003 20:39:54 +0200
Hi,


Creating a rule using tagging and logging to DB works great. Except that
their is a unique id for each tagged packet (example 20 packets logged into
the DB)

One of those packets aka ID's refer to the starting alert and others are the
tagged packets.

So when viewing the results from a frontend :
Traditionally each unique ID refers to a unique event....but in the case of
tagging 20 unique ID's refer to a single instance of an alert being
triggered, with 20 following packets.

So getting the info into the DB is not a problem, it's reading it back out
into a usable/readable and user followable manner.

I would like to indicate via the frontend :


1 instance of "WOOP !! Alert for HTTP Tagging custom alert" and not 20
instances of "WOOP !!Alert......"

When clicking on the above example(1 instance of "WOOP"), a story of the
next 20 following packets is displayed, so that you can follow the
conversation ( whole point behind tagging)

Issues :

Each tagged packet has a Unique ID.

tagging can be done over X count in seconds OR X count in packets with
either following the session or the host (direction flag) tag type

If you have the rules parseable you could look at how the tagging was
constructed and then strip out the relevant packets, which comprise a tagged
alert.

But let's assume you used the tag type host, if you tried to assemble the 20
packet tagged alert, you could end up with a mixed up tagged story if that
host was running multiple simultaneous sessions which were logged to the DB.

--
Bottom line is my little brain is going around and around playing the
whatifhowabout.

Architecture :

Snort 2 logging to a Mysql DB.

Request :

If anyone has ideas regarding the reassembly of tagged sessions from a DB
and the differentiating of a tagged session from a traditional session, I
would love to hear your ideas, as my Friday evening slightly toasted brain
is taking strain on finding a reliable manner in which to do this.

regards

Sean












-------------------------------------------------------
This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: