Snort mailing list archives
Re: Snortsam log to database and correlation with snortdb
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 21 Apr 2004 09:55:46 -0500
On Wed, 2004-04-21 at 05:24, Chan Kien Eng wrote:
> Has anyone done this before: logging the Snortsam logs to a database and doing some sort of correlation between them?
Never thought of it since it is the Snort alert that causes Snortsam to block. What do you need to correlate?
> The idea is to answer the question: how do I know that when the signature is triggered, Snortsam is actually doing the firewall blocking? Of course we can do it manually by comparing the Snortsam logs and the Snort logs from ACID etc., but this is too manual and time-consuming. I'm trying to look for something that can make life easier :)
Email plugin perhaps? I'll be adding a syslog plugin to Snortsam sometime this summer. Perhaps that can be used. (You could even force that into a database with syslog-ng or similar.) I'm not sure that Snortsam really needs a SQL plugin. Seems too redundant.

Regards,
Frank

--
Warning at the Gates of Bill: Abandon hope, all ye who press <ENTER> here...
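Once Snortsam's block notices are in a database next to the Snort events (by syslog and syslog-ng, as suggested above, or any other route), the question in the thread becomes one query: which alerts on blocking signatures never got a matching block? The script below is an added example, not code from this thread, from Snort or from Snortsam. It loads constructed sample alerts and constructed Snortsam log lines into an in-memory SQLite database and reports alerts with no block on the source IP either issued within a short window after the alert or already in force when the alert fired. The alert table is a deliberately simplified stand-in for the real snortdb schema (which splits event, iphdr and signature tables and stores addresses as integers), and the Snortsam log field layout is an assumption; adjust the regex to the lines your Snortsam version writes.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed Snort alerts in a simplified snortdb-like shape:
# (cid, timestamp, signature sid, source IP). Not real data.
SNORT_ALERTS = [
    (1, "2004-04-21 09:10:00", 2001219, "10.1.1.5"),
    (2, "2004-04-21 09:10:03", 2001219, "10.1.1.5"),      # already blocked by cid 1
    (3, "2004-04-21 09:15:30", 1000001, "192.0.2.44"),
    (4, "2004-04-21 09:20:00", 1000001, "198.51.100.7"),  # no block ever issued
]

# Constructed Snortsam log lines. The field layout is an assumption made for
# this example; compare it with the log your Snortsam actually writes.
SNORTSAM_LOG = """\
2004/04/21, 09:10:01, 127.0.0.1, 3, snortsam, Blocking host 10.1.1.5 in src direction for 600 seconds (Sid 2001219).
2004/04/21, 09:15:31, 127.0.0.1, 3, snortsam, Blocking host 192.0.2.44 in src direction for 600 seconds (Sid 1000001).
2004/04/21, 09:25:00, 127.0.0.1, 3, snortsam, Unblocking host 203.0.113.9 in src direction.
"""

# Only 'Blocking host' lines matter here; unblock and status lines are skipped.
BLOCK_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}), (?P<time>\d{2}:\d{2}:\d{2}), .*?"
    r", Blocking host (?P<ip>\d+\.\d+\.\d+\.\d+) .*? for (?P<secs>\d+) seconds"
)

EPOCH = datetime(1970, 1, 1)


def to_epoch(date_s, time_s, fmt):
    """Timezone-independent epoch seconds for a date/time pair in the given format."""
    return int((datetime.strptime(f"{date_s} {time_s}", fmt) - EPOCH).total_seconds())


def parse_snortsam_log(text):
    """Return (start_epoch, ip, duration_seconds) for every 'Blocking host' line."""
    blocks = []
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if not m:
            continue
        start = to_epoch(m["date"], m["time"], "%Y/%m/%d %H:%M:%S")
        blocks.append((start, m["ip"], int(m["secs"])))
    return blocks


def build_db(alerts, blocks):
    """Load alerts and blocks into an in-memory SQLite database (a stand-in for snortdb)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE alerts (cid INTEGER, ts INTEGER, sig_sid INTEGER, src_ip TEXT);
        CREATE TABLE blocks (start INTEGER, ip TEXT, duration INTEGER);
    """)
    rows = []
    for cid, ts, sid, ip in alerts:
        d, t = ts.split(" ")
        rows.append((cid, to_epoch(d, t, "%Y-%m-%d %H:%M:%S"), sid, ip))
    conn.executemany("INSERT INTO alerts VALUES (?, ?, ?, ?)", rows)
    conn.executemany("INSERT INTO blocks VALUES (?, ?, ?)", blocks)
    return conn


# An alert is covered when some block on its source IP was issued no later than
# :window seconds after the alert and had not yet expired when the alert fired.
UNBLOCKED_SQL = """
SELECT a.cid, a.sig_sid, a.src_ip, a.ts
FROM alerts a
WHERE NOT EXISTS (
    SELECT 1 FROM blocks b
    WHERE b.ip = a.src_ip
      AND b.start <= a.ts + :window
      AND b.start + b.duration >= a.ts
)
ORDER BY a.cid
"""


def find_unblocked(conn, window=5):
    """Alerts (cid, sig_sid, src_ip, epoch) for which Snortsam never blocked the source."""
    return conn.execute(UNBLOCKED_SQL, {"window": window}).fetchall()


if __name__ == "__main__":
    conn = build_db(SNORT_ALERTS, parse_snortsam_log(SNORTSAM_LOG))
    for cid, sid, ip, ts in find_unblocked(conn):
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        print(f"alert cid={cid} sid={sid} src={ip} at {when}: no Snortsam block found")
```

Only the signatures that carry an fwsam rule option should be fed into the alerts table; an alert from a signature that was never meant to block is not a failure. The window parameter absorbs the delay between Snort writing the event and the Snortsam agent applying the rule; with window=0 the two blocks issued one second after their alerts would be reported as misses, so pick it from the latency you actually observe.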
Current thread:
- Snortsam log to database and correlation with snortdb Chan Kien Eng (Apr 21)
- Re: Snortsam log to database and correlation with snortdb Frank Knobbe (Apr 21)
- <Possible follow-ups>
- RE: Snortsam log to database and correlation with snortdb Che Wan Zaharudin (Apr 22)