Snort mailing list archives

Re: Snortsam log to database and correlation with snortdb


From: Frank Knobbe <frank () knobbe us>
Date: Wed, 21 Apr 2004 09:55:46 -0500

On Wed, 2004-04-21 at 05:24, Chan Kien Eng wrote:
> Has anyone done this before: logging the snortsam logs to a database
> and doing some sort of correlation between them?

Never thought of it since it is the Snort alert that causes Snortsam to
block. What do you need to correlate?

> The idea is to answer the question: how do I know that when the
> signature is triggered, snortsam is actually doing the firewall
> blocking? Of course we can do it manually by comparing the snortsam logs
> and the snort logs from ACID etc., but this is too manual and it's time
> consuming. I'll try to look for something that can make life easier :)

Email plugin perhaps?

I'll be adding a syslog plugin to Snortsam sometime this summer. Perhaps
that can be used. (You could even force that into a database with
syslog-ng or similar).

I'm not sure that Snortsam really needs a SQL plugin. Seems too
redundant.

Regards,
Frank

-- 
Warning at the Gates of Bill:  
Abandon hope, all ye who press <ENTER> here...
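A minimal version of the check asked about in this thread, added here as an illustration and not taken from the thread or from Snortsam itself: it takes alert rows of the shape one might pull from the Snort database and a list of block records, and reports every alert that never saw a block for the same source IP within a short window. Both data sets are constructed, and the block-record layout is an assumption for the example, not Snortsam's real log format.

```python
from datetime import datetime, timedelta

# Constructed sample alert rows in the shape one could SELECT from the Snort
# database: (event timestamp, signature id, source IP). Not real data.
SNORT_ALERTS = [
    ("2004-04-21 10:00:05", 1000001, "10.1.2.3"),
    ("2004-04-21 10:03:40", 1000002, "10.9.8.7"),
    ("2004-04-21 10:07:12", 1000001, "10.4.4.4"),
]

# Constructed block records: (timestamp, blocked IP, duration in seconds).
# This layout is an assumption for the example, not Snortsam's actual format.
SNORTSAM_BLOCKS = [
    ("2004-04-21 10:00:06", "10.1.2.3", 600),
    ("2004-04-21 10:07:30", "10.4.4.4", 600),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def correlate(alerts, blocks, window=timedelta(seconds=30)):
    """Pair each alert with the first block of the same IP issued no earlier
    than the alert and no later than `window` after it.

    Returns (confirmed, unconfirmed): confirmed holds (sid, ip, latency_s);
    unconfirmed holds the alert tuples that never produced a block, which
    is the failure the thread wants to surface automatically."""
    confirmed, unconfirmed = [], []
    for ts, sid, ip in alerts:
        alert_time = parse_ts(ts)
        latency = None
        for block_ts, blocked_ip, _duration in blocks:
            delta = parse_ts(block_ts) - alert_time
            if blocked_ip == ip and timedelta(0) <= delta <= window:
                latency = int(delta.total_seconds())
                break
        if latency is None:
            unconfirmed.append((ts, sid, ip))
        else:
            confirmed.append((sid, ip, latency))
    return confirmed, unconfirmed


if __name__ == "__main__":
    ok, missing = correlate(SNORT_ALERTS, SNORTSAM_BLOCKS)
    for sid, ip, lat in ok:
        print(f"sid {sid} src {ip}: blocked after {lat}s")
    for ts, sid, ip in missing:
        print(f"sid {sid} src {ip} at {ts}: NO block seen within window")
```

With a syslog plugin feeding syslog-ng into a table, the same join could be expressed in SQL against that table and the Snort event table instead of in Python.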
