[Snort-devel] Snort, ACID and host intrusion detection integration
twhipp at ...108...
Thu Nov 2 06:54:55 EST 2000
Apologies if I'm going over ground which you have already talked to death,
but I only subscribed to this list this morning and there is only a single
message in the archives (which can't be right).
I pulled down snort-1.7-beta2 and ACID 0.9.4 yesterday after using 1.6.2 for
about the last 4 months <insert obligatory stuff is great here> but one
thing really stands out... given a suitable data model the DB which snort
logs to could easily be general enough to handle other forms of alert (such
as parsed output from SWATCH, Tripwire or any other host based IDS).
To this end I've attached a very quick entity relationship diagram for what
I believe the *current* structure of the snort database is... if there are
any holes in it I'd really appreciate some feedback as I'd like to make some
suggestions for extensions over the next few days.
Principally I'm thinking along the lines of:
1. Expand the sensor table to be more general (e.g. include an ID software
name and perhaps a configuration file version number)
2. Look at how host based events could be logged; I'd have thought a good
start would be to simply create an iphdr containing only a dest IP, although
we could look at creating a host table which might incorporate fields such
as user_id or file... not sure, need to think that through a bit more.
3. Have a look at the XML spec and see if it can support a more general
structure, having looked it over this morning it seems to be more network
specific than the database structure so I'm not sure.
Then I'd like to look at getting a handler (i.e. minimal TCP
listener/decoder) for the XML interface up and running and perhaps creating
a perl module or C library to allow other ID systems to message the DB. My
gut feel is that this integration work is outside of the main thrust of
Snort so I won't talk about it here.
The main thing I want to get right is the database structure. If we can
put some simple extensions in it I don't think it will affect snort at all, and
provided it's logical I'd have thought it would fit cleanly into the analysis
as well... but doing that cleanly really requires a good understanding of
the entities, and so if I've made any mistakes in the attached diagram I'd
appreciate someone letting me know before I make a bigger fool of myself....
[Non-text attachment scrubbed by the list archive: 28991 bytes, description not available]
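The schema extension the post proposes (a sensor table that records which ID software produced the alert and its configuration version, host-based events stored as an iphdr row carrying only the destination IP, plus an optional host table for user/file context), exercised end to end with sqlite3. This is an added example, not code from the original post or from the Snort or ACID projects; the sensor / event / iphdr table and column names only approximate the Snort DB layout of the time and are assumptions, while ids_name, cfg_version and the hostevt table are the proposed extensions. The sample alerts are constructed.

```python
import sqlite3

# Assumed approximation of the Snort DB layout (sensor/event/iphdr) plus the
# post's proposed extensions: ids_name, cfg_version and a hostevt table.
SCHEMA = """
CREATE TABLE sensor (
    sid         INTEGER PRIMARY KEY,
    hostname    TEXT NOT NULL,
    interface   TEXT,            -- NULL for host-based sensors
    ids_name    TEXT NOT NULL,   -- proposed: snort, tripwire, swatch, ...
    cfg_version TEXT,            -- proposed: rule/policy file version
    last_cid    INTEGER NOT NULL -- per-sensor event counter
);
CREATE TABLE event (
    sid       INTEGER NOT NULL REFERENCES sensor(sid),
    cid       INTEGER NOT NULL,
    signature TEXT NOT NULL,
    timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid)
);
CREATE TABLE iphdr (
    sid      INTEGER NOT NULL,
    cid      INTEGER NOT NULL,
    ip_src   TEXT,               -- NULL for host-based events
    ip_dst   TEXT NOT NULL,      -- the monitored host itself for host IDS
    ip_proto INTEGER,
    PRIMARY KEY (sid, cid),
    FOREIGN KEY (sid, cid) REFERENCES event(sid, cid)
);
CREATE TABLE hostevt (           -- proposed host table: user/file context
    sid     INTEGER NOT NULL,
    cid     INTEGER NOT NULL,
    user_id TEXT,
    file    TEXT,
    PRIMARY KEY (sid, cid),
    FOREIGN KEY (sid, cid) REFERENCES event(sid, cid)
);
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript(SCHEMA)
    return con


def register_sensor(con, hostname, ids_name, interface=None, cfg_version=None):
    cur = con.execute(
        "INSERT INTO sensor (hostname, interface, ids_name, cfg_version, last_cid)"
        " VALUES (?, ?, ?, ?, 0)", (hostname, interface, ids_name, cfg_version))
    return cur.lastrowid


def _next_cid(con, sid):
    # Per-sensor counter so (sid, cid) stays unique across all sensors.
    con.execute("UPDATE sensor SET last_cid = last_cid + 1 WHERE sid = ?", (sid,))
    (cid,) = con.execute("SELECT last_cid FROM sensor WHERE sid = ?", (sid,)).fetchone()
    return cid


def log_network_alert(con, sid, signature, ts, ip_src, ip_dst, proto):
    cid = _next_cid(con, sid)
    con.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, signature, ts))
    con.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?, ?)", (sid, cid, ip_src, ip_dst, proto))
    con.commit()
    return cid


def log_host_alert(con, sid, signature, ts, host_ip, user_id=None, path=None):
    # Host-based event: the iphdr row carries only the destination IP (the
    # host being monitored); user/file context goes into hostevt.
    cid = _next_cid(con, sid)
    con.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, signature, ts))
    con.execute("INSERT INTO iphdr VALUES (?, ?, NULL, ?, NULL)", (sid, cid, host_ip))
    con.execute("INSERT INTO hostevt VALUES (?, ?, ?, ?)", (sid, cid, user_id, path))
    con.commit()
    return cid


def alerts_for_host(con, ip):
    """Every alert, network or host based, that concerns one destination IP."""
    return con.execute("""
        SELECT s.ids_name, e.signature, i.ip_src, h.user_id, h.file
          FROM event e
          JOIN sensor  s ON s.sid = e.sid
          JOIN iphdr   i ON i.sid = e.sid AND i.cid = e.cid
          LEFT JOIN hostevt h ON h.sid = e.sid AND h.cid = e.cid
         WHERE i.ip_dst = ?
         ORDER BY e.timestamp""", (ip,)).fetchall()


def demo():
    con = open_db()
    snort = register_sensor(con, "gw", "snort", interface="eth0", cfg_version="rules-r3")
    tw = register_sensor(con, "web1", "tripwire", cfg_version="tw.pol-2000-11-01")
    # Constructed sample alerts: two network alerts and one host-IDS alert.
    log_network_alert(con, snort, "WEB-CGI phf access", "2000-11-02 06:50:01",
                      "10.0.0.5", "192.168.1.10", 6)
    log_host_alert(con, tw, "file modified: /etc/passwd", "2000-11-02 06:53:12",
                   "192.168.1.10", user_id="root", path="/etc/passwd")
    log_network_alert(con, snort, "ICMP PING", "2000-11-02 06:54:00",
                      "10.0.0.9", "192.168.1.11", 1)
    return alerts_for_host(con, "192.168.1.10")


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The point of the query in alerts_for_host is the one the post makes: once host-based alerts share the event/iphdr tables, a single join returns the network alert and the Tripwire alert against the same host side by side, and the LEFT JOIN on hostevt keeps network events in the result without forcing them to carry host context.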