[Snort-devel] Snort, ACID and host intrusion detection integration

Roman Danyliw roman at ...49...
Thu Nov 2 09:42:22 EST 2000

Hi Tom,

> I pulled down snort-1.7-beta2 and ACID 0.9.4 yesterday after using 1.6.2

I highly recommend you upgrade ACID to version 0.9.5b7.  I suspect you
will like many of the new features.


> thing really stands out... given a suitable data model the DB which snort
> logs to could easily be general enough to handle other forms of alert

You're absolutely correct.  While Jed (the original author of the Snort DB
plug-in) can speak on this topic with more authority, it is a major goal
for this DB schema to be generalized to support more than Snort.

> To this end I've attached a very quick entity relationship diagram for

One minor thing I would note is that there exists a 1:M relationship
between 'tcphdr' and 'opt'.

You may also want to check out some notes on the future of the DB
format at http://incident.org/snortdb/

The two upcoming changes are removing support for IP addresses stored as
four distinct octets, as well as normalizing the storage of signature in a
separate table.

> 3. Have a look at the XML spec and see if it can support a more general
> structure, having looked it over this morning it seems to be more
> network specific than the database structure so I'm not sure.

Again, there is hope that the XML DTD will also be generalized to
support data other than Snort.

There is an ongoing project called Air/CERT,
http://www.cert.org/kb/aircert which I believe may have very complementary
goals.  It houses much of Jed's and my own work with Snort (XML-plugin,
ACID, ...)

> Then I'd like to look at getting a handler (i.e. minimal TCP
> listener/decoder) for the XML interface up and running and perhaps

I can probably save you the trouble.  As part of the Air/CERT project I
have written one of those "minimal TCP listener decoders" already.  This 
listener/server is actually an Apache module.  It accepts an XML stream
over SSL generated by snort (see the XML plugin) and writes into a MySQL
database.  I am currently writing documentation for it and doing
portability testing.


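The schema direction the message describes (the signature normalized into its own table, each IP address stored as one integer instead of four octets, and a 1:M relationship from 'tcphdr' to 'opt'), sketched as an added sqlite3 example. This is a constructed illustration, not the Snort DB plug-in's real schema or ACID's code; every table and column name in it is an assumption.

```python
import sqlite3

# Constructed schema sketch (an assumption, not the real Snort DB schema):
# signature lives in its own table, ip_src/ip_dst are single 32-bit integers,
# and one tcphdr row owns many opt rows (1:M).
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT UNIQUE);
CREATE TABLE event (cid INTEGER PRIMARY KEY, sig_id INTEGER REFERENCES signature(sig_id),
                    ip_src INTEGER, ip_dst INTEGER);
CREATE TABLE tcphdr (cid INTEGER PRIMARY KEY REFERENCES event(cid),
                     tcp_sport INTEGER, tcp_dport INTEGER);
CREATE TABLE opt (cid INTEGER REFERENCES tcphdr(cid), optid INTEGER,
                  opt_code INTEGER, opt_data BLOB, PRIMARY KEY (cid, optid));
"""

def ip_to_int(dotted):
    """Pack a dotted quad into the single unsigned 32-bit value the newer layout stores."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def sig_id_for(conn, name):
    """Normalized lookup: the signature text is stored once and referenced by id."""
    conn.execute("INSERT OR IGNORE INTO signature (sig_name) VALUES (?)", (name,))
    return conn.execute("SELECT sig_id FROM signature WHERE sig_name = ?", (name,)).fetchone()[0]

def store_event(conn, cid, sig_name, src, dst, sport, dport, tcp_opts):
    conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)",
                 (cid, sig_id_for(conn, sig_name), ip_to_int(src), ip_to_int(dst)))
    conn.execute("INSERT INTO tcphdr VALUES (?, ?, ?)", (cid, sport, dport))
    for optid, (code, data) in enumerate(tcp_opts):  # zero or more opt rows per tcphdr
        conn.execute("INSERT INTO opt VALUES (?, ?, ?, ?)", (cid, optid, code, data))

def events_by_signature(conn, sig_name):
    """Join back through the normalized tables; LEFT JOIN keeps events with no TCP options."""
    rows = conn.execute(
        "SELECT e.cid, e.ip_src, e.ip_dst, COUNT(o.optid) FROM event e "
        "JOIN signature s ON s.sig_id = e.sig_id JOIN tcphdr t ON t.cid = e.cid "
        "LEFT JOIN opt o ON o.cid = t.cid WHERE s.sig_name = ? "
        "GROUP BY e.cid ORDER BY e.cid", (sig_name,)).fetchall()
    return [(cid, int_to_ip(s), int_to_ip(d), n) for cid, s, d, n in rows]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample alerts: the same signature name is stored only once.
    store_event(conn, 1, "CONSTRUCTED-SIG", "10.0.0.5", "192.168.1.1", 40000, 80,
                [(2, b"\x05\xb4"), (4, b"")])
    store_event(conn, 2, "CONSTRUCTED-SIG", "10.0.0.6", "192.168.1.1", 40001, 80, [])
    n_sigs = conn.execute("SELECT COUNT(*) FROM signature").fetchone()[0]
    return events_by_signature(conn, "CONSTRUCTED-SIG"), n_sigs
```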