[Snort-users] Basic questions about snort

Paul Asadoorian paul.com at ...530...
Sun Apr 15 10:05:04 EDT 2001


Alerts can be sent to syslog, which will report back to the central syslog
server.  I use logtool to convert the syslog to html, and a homegrown
cgi/perl web interface to search the logs, and break them up by host.

ACID is for snort only right now as far as I know.  I don't do too much with
regards to Cisco logs, except log em to the syslog server.  I haven't been
able to find any good tools that will assist the analyst with multiple
syslog formats (i.e. portsentry, Linux, cisco, snort, etc...).  That would
be a good project....

Paul
----- Original Message -----
From: Jason Lewis <jlewis at ...1831...>
To: 'Paul Asadoorian' <paul.com at ...530...>;
<snort-users at lists.sourceforge.net>
Sent: Saturday, April 14, 2001 11:58 PM
Subject: RE: [Snort-users] Basic questions about snort


> That is exactly the kind of thing I am looking for.
>
> What are you planning to do about alerting?
>
> Can ACID handle Cisco logs?  I have been using fwlogwatch to parse cisco
> logs for viewing on the web.  I use swatch to alert me to logged attacks.
>
> I haven't had a chance to look at Snorticus, but I was thinking of using it
> in a similar fashion.
>
> Thanks for the feedback,
>
> jas
>
> -----Original Message-----
> From: Paul Asadoorian [mailto:paul.com at ...530...]
> Sent: Sunday, April 15, 2001 12:00 AM
> To: jlewis at ...1831...; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Basic questions about snort
>
>
> I am working on configuring snort in my organization.  We have many remote
> sites, some of which use an Internet VPN to connect back to the main office.
> These sites will have a snort intrusion detection system.  Corporate plans
> to have at least 3 external sensors, and 3 internal sensors.  With all these
> sensors I had to come up with a solution that wouldn't drive me nuts trying
> to crunch all that data.  Here's what I am working on:
>
> Sensor Systems:
> PC PIII 500Mhz+, 128mb RAM, 20gig disk
> OpenBSD 2.8
> Snort-1.7beta8
> Customized Snorticus Scripts
> OpenSSH 2.3
>
> Analysis Database System:
> Sun Enterprise 450 Dual 440Mhz processors, 512mb RAM, 40gig
> Solaris 8
> OpenSSH 2.3
> Snort-1.7beta8
> Postgres (Latest version)
> Acid/PHP (Latest versions)
> Apache 1.3.14
> Customized Snorticus Scripts
>
>
> Basically we place the sensors wherever we need them on the network.  The
> sensors run snort and log to tcpdump binary format and create a tar.gz file
> every hour.  The database ssh's to the sensor every hour and retrieves the
> tarball.  The database then post-processes the data, and using the database
> output plugin, writes it to postgres.  The data is then analyzed using Acid
> (with Apache and PHP as the underlying technologies).  The sensors on the
> internet and the database server grab the GMT time and date from
> tick.usno.navy.mil, and the internal sensors will grab the data from the
> database server.  Sensors will also grab syslog from routers and firewalls
> on their respective networks and report back to a central syslog server.
>
> This is kinda what I am thinking, hope it helps.  Anyone have any
> suggestions, comments?  Love to hear your opinion.... If I get this going,
> and it works well, I plan to write a paper on how it all works and how to
> set it up in your own environment.
>
> Paul Asadoorian
> Internet Security Engineer
> ----- Original Message -----
> From: Jason Lewis <jlewis at ...1831...>
> To: <snort-users at lists.sourceforge.net>
> Sent: Saturday, April 14, 2001 8:51 PM
> Subject: [Snort-users] Basic questions about snort
>
>
> > First, if there is a FAQ that covers my questions could someone point me to
> > it?  I haven't been able to find one.
> >
> > Has anyone deployed snort in an enterprise class network?  If so, where did
> > you go to help you get things working?  I am looking to roll snort out and I
> > don't want to reinvent the wheel.  If there isn't one, I will document my
> > experience.
> >
> > Does snort get along with ipchains?  If I run snort on the same interface
> > that I am running ipchains rules on, will it be able to detect attacks?  I
> > guess the real question is, do the ipchains rules run before snort has a
> > chance to see them?
> >
> > Jason
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>
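Paul's note above (no good tool for an analyst facing mixed syslog formats, and his own habit of breaking logs up by host) describes a small normalizer, so here is one as an added example. It is not Paul's logtool/cgi setup, not Snorticus, and not ACID; it is editor-written code for this thread. It assumes the classic BSD syslog header, the bracketed Snort alert syslog shape `[gid:sid:rev] MSG [Classification: ...] [Priority: n]: {PROTO} src:port -> dst:port` (an assumption; the exact snort-1.7beta8 output may differ), and the Cisco IOS `%SEC-6-IPACCESSLOGP` ACL log shape. The sample log lines, hostnames, addresses and rule ids are all constructed.

```python
"""Normalize Snort and Cisco IOS ACL syslog lines into one record shape,
group them by host, and point out sources both feeds saw.

Added example for this Snort-users thread; not code from the posts, not
logtool, Snorticus or ACID.  All sample lines below are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# "Apr 15 09:58:12 sensor1 snort[1984]: ..." -> timestamp, reporting host, rest
SYSLOG_HDR = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<reporter>\S+) (?P<rest>.*)$"
)

# Snort alert body (assumed shape, see lead-in).  Classification/Priority are
# optional; ports are absent for ICMP, so they are optional too.
SNORT_BODY = re.compile(
    r"^snort(?:\[\d+\])?: \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.+?)"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])?"
    r"(?: \[Priority: (?P<prio>\d+)\])?"
    r": \{(?P<proto>\w+)\} (?P<src>" + IP + r")(?::(?P<sport>\d+))?"
    r" -> (?P<dst>" + IP + r")(?::(?P<dport>\d+))?$"
)

# Cisco IOS ACL hit; the leading "NNNN: " is the optional IOS sequence number.
CISCO_ACL_BODY = re.compile(
    r"^(?:\d+: )?%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>" + IP + r")\((?P<sport>\d+)\) -> "
    r"(?P<dst>" + IP + r")\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    reporter: str        # host that emitted the syslog line (sensor or router)
    source: str          # "snort" or "cisco-acl"
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    summary: str


def _port(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a Snort or Cisco ACL syslog line, else None."""
    hdr = SYSLOG_HDR.match(line.rstrip("\n"))
    if not hdr:
        return None
    ts, reporter, rest = hdr.group("ts", "reporter", "rest")
    s = SNORT_BODY.match(rest)
    if s:
        return Event(ts, reporter, "snort", s["proto"].lower(), s["src"], _port(s["sport"]),
                     s["dst"], _port(s["dport"]), f"{s['msg']} (prio {s['prio'] or '?'})")
    c = CISCO_ACL_BODY.match(rest)
    if c:
        return Event(ts, reporter, "cisco-acl", c["proto"].lower(), c["src"], _port(c["sport"]),
                     c["dst"], _port(c["dport"]), f"acl {c['acl']} {c['action']} {c['count']} pkt")
    return None  # some other daemon's line (sshd, cron, ...): not normalized here


def parse_log(text: str) -> List[Event]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def group_by_host(events: List[Event], key: str = "dst") -> Dict[str, List[Event]]:
    """Break events up per host; key is "dst" (default) or "src"."""
    groups: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        groups[getattr(e, key)].append(e)
    return dict(groups)


def hosts_seen_by_both(events: List[Event]) -> Set[str]:
    """Source addresses that appear in both a Snort alert and a Cisco ACL log."""
    by_source: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        by_source[e.source].add(e.src)
    return by_source["snort"] & by_source["cisco-acl"]


# Constructed sample: one sensor and one branch router feeding a central syslog host.
SAMPLE = """\
Apr 15 09:58:12 sensor1 snort[1984]: [1:1000001:1] LOCAL web root.exe probe [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.1.1.5:3456 -> 192.168.1.10:80
Apr 15 09:58:13 rtr-branch 4412: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(3457) -> 192.168.1.10(80), 1 packet
Apr 15 09:59:40 sensor1 snort[1984]: [1:1000002:1] LOCAL icmp sweep [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.1.1.5 -> 192.168.1.20
Apr 15 10:00:01 rtr-branch 4413: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.9(40001) -> 192.168.1.30(25), 3 packets
Apr 15 10:00:02 sensor1 sshd[233]: Accepted publickey for collector from 192.168.1.100 port 51002 ssh2
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE)
    for host, items in sorted(group_by_host(evs).items()):
        print(f"== {host} ({len(items)} events)")
        for e in items:
            print(f"  {e.ts} {e.reporter:10} {e.source:9} {e.proto:4} {e.src} -> {e.summary}")
    print("seen by both snort and the router ACL:", sorted(hosts_seen_by_both(evs)))
```

Lines from other daemons fall through as `None` rather than raising, so the same loop can be pointed at a whole central syslog file; adding a third format (portsentry, for instance) is one more body regex and one more branch in `parse_line`.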