[Snort-devel] Snort, ACID and host intrusion detection integration
roman at ...49...
Thu Nov 2 09:42:22 EST 2000
> I pulled down snort-1.7-beta2 and ACID 0.9.4 yesterday after using 1.6.2
I highly recommend you upgrade ACID to version 0.9.5b7. I suspect you
will like many of the new features.
> thing really stands out... given a suitable data model the DB which
> logs to could easily be general enough to handle other forms of alert
You're absolutely correct. While Jed (the original author of the Snort DB
plug-in) can speak on this topic with more authority, it is a major goal
for this DB schema to be generalized to support more than Snort
> To this end I've attached a very quick entity relationship diagram for
One minor thing I would note is that there exists a 1:M relationship
between 'tcphdr' and 'opt'.
You may also want to check out some notes on the future of the DB
format at http://incident.org/snortdb/
The two upcoming changes are removing support for IP addresses stored as
four distinct octets, as well as normalizing the storage of signature in a
> 3. Have a look at the XML spec and see if it can support a more general
> structure, having looked it over this morning it seems to be more
> network specific than the database structure so I'm not sure.
Again, there is hope that the XML DTD will also be generalized to
support data other than Snort.
There is an ongoing project called Air/CERT,
http://www.cert.org/kb/aircert which I believe may have very complementary
goals. It houses much of Jed's and my own work with Snort (XML-plugin,
> Then I'd like to look at getting a handler (i.e. minimal TCP
> listener/decoder) for the XML interface up and running and perhaps
I can probably save you the trouble. As part of the Air/CERT project I
have written one of those "minimal TCP listener decoders" already. This
listener/server is actually an Apache module. It accepts an XML stream
over SSL generated by snort (see the XML plugin) and writes into a MySQL
database. I am currently writing documentation for it and doing
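As an added illustration of the two schema points raised above (the 1:M relationship between 'tcphdr' and 'opt', and storing IP addresses as one integer instead of four octet columns), here is a small MySQL schema. It is example code written for this note, not the Snort DB plug-in's actual schema; the table and column names, the (sid, cid) event key and the sample rows are all assumptions.

```sql
-- Illustrative schema (added example, not the Snort DB plug-in's own).
-- Names and the (sid, cid) key are assumptions; sid = sensor, cid = event counter.
CREATE TABLE event (
  sid INT UNSIGNED NOT NULL,
  cid INT UNSIGNED NOT NULL,
  signature VARCHAR(255) NOT NULL,
  PRIMARY KEY (sid, cid)
);
-- Addresses held as a single 32-bit integer, not four octet columns
CREATE TABLE iphdr (
  sid INT UNSIGNED NOT NULL,
  cid INT UNSIGNED NOT NULL,
  ip_src INT UNSIGNED NOT NULL,
  ip_dst INT UNSIGNED NOT NULL,
  ip_proto TINYINT UNSIGNED NOT NULL,
  PRIMARY KEY (sid, cid),
  FOREIGN KEY (sid, cid) REFERENCES event (sid, cid)
);
CREATE TABLE tcphdr (
  sid INT UNSIGNED NOT NULL,
  cid INT UNSIGNED NOT NULL,
  tcp_sport SMALLINT UNSIGNED NOT NULL,
  tcp_dport SMALLINT UNSIGNED NOT NULL,
  PRIMARY KEY (sid, cid),
  FOREIGN KEY (sid, cid) REFERENCES event (sid, cid)
);
-- 1:M: one tcphdr row owns zero or more option rows, distinguished by optid
CREATE TABLE opt (
  sid INT UNSIGNED NOT NULL,
  cid INT UNSIGNED NOT NULL,
  optid TINYINT UNSIGNED NOT NULL,
  opt_code TINYINT UNSIGNED NOT NULL,
  opt_len TINYINT UNSIGNED NOT NULL,
  opt_data VARBINARY(40),
  PRIMARY KEY (sid, cid, optid),
  FOREIGN KEY (sid, cid) REFERENCES tcphdr (sid, cid)
);
-- Constructed sample: one event carrying a TCP MSS option and a window-scale option
INSERT INTO event VALUES (1, 1, 'example signature');
INSERT INTO iphdr VALUES (1, 1, INET_ATON('192.0.2.10'), INET_ATON('198.51.100.5'), 6);
INSERT INTO tcphdr VALUES (1, 1, 40000, 80);
INSERT INTO opt VALUES (1, 1, 0, 2, 4, X'05B4'), (1, 1, 1, 3, 3, X'07');
-- Render the integer addresses back as dotted quads and count options per event
SELECT e.sid, e.cid, INET_NTOA(i.ip_src) AS src, INET_NTOA(i.ip_dst) AS dst,
       COUNT(o.optid) AS tcp_options
FROM event e JOIN iphdr i USING (sid, cid) JOIN tcphdr t USING (sid, cid)
LEFT JOIN opt o USING (sid, cid)
GROUP BY e.sid, e.cid, i.ip_src, i.ip_dst;
```

The foreign keys make the 1:M relationship explicit (an option row cannot exist without its tcphdr row), and INET_ATON/INET_NTOA show how a single-integer address column keeps range queries and joins simple.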