[Snort-users] ACID 0.9.5 Released

Austad, Jay austad at ...432...
Fri Jan 19 15:13:40 EST 2001


> I totally agree Jeff, ACID kicks some serious ass and is well worth a look at.
> 
> Your comment on alerting on DB INSERTS made me laugh and reminded me of the
> time I had snort trigger (on four different machines) from downloading a new
> rule update!

To stop it from triggering on DB INSERTS, just pipe your mysql connection
over SSH.  :)





> 
> --Bill
> 
> 
> 
> 
> From: "Oxenreider, Jeff" <jox at ...963...> on 01/19/2001 11:42 AM
> 
> To:   Bill Marquette/National/Hewitt Associates at ...1126... Associates NA
>       Guillaume Arcas <guillaume at ...1168...>
> cc:   Roman Danyliw <roman at ...438...>
>       snort-users at lists.sourceforge.net
> Client:
> Subject:  RE: [Snort-users] ACID 0.9.5 Released
> 
> 
> 
> I just set up Snort 1.7 with MySQL logging and ACID.  I currently have 3
> deployed sensors with plans for at least 4 more in the immediate future, and
> hopefully another 5 or so after that, all centrally logging to the MySQL
> database.
> 
> I must say ACID is a huge help to me and my staff when it comes to traffic
> analysis of Snort alerts, and management loves it because they can jump up
> and see a snapshot of how things are going without having to bug me directly
> with the questions.
> 
> Some of the possible issues that I've come across with this distributed
> environment would be duplicate alerts due to infrastructure.  For example, I
> have a subnet in another building which is connected to this one over an OC3
> link.  Traffic outbound to the internet actually passes through all 3 of my
> snort detectors on its way out, and that can sometimes generate an excessive
> number of alerts.  Also, since some rules are simply text string searches,
> I've found that an alert from an external sensor, into the database (which
> has another sensor on that subnet) can sometimes generate false positives
> because the payload is passed to the SQL DB, and therefore seen as a valid
> alert.
> 
> One thing that may be useful is a way to set a host on full "ignore", like
> the ignore feature of the portscan preprocessor; it'd be nice to have a full
> blown ignore option for snort, so that my external sensors don't trip alarms
> when reporting to the mothership.
> 
> If you haven't tried ACID, it really is amazing and worth your time.  The
> 0.9.5 release has some very nice functionality to it and it's made my
> analysis a lot more fun too.
> 
> 
> 
> Jeffrey A. Oxenreider
> Network Security Analyst
> Safelite Glass Corp
> 614-761-4836
> 
> 
> -----Original Message-----
> From: Bill Marquette [mailto:wlmarque at ...8...]
> Sent: Friday, January 19, 2001 9:31 AM
> To: Guillaume Arcas
> Cc: Roman Danyliw; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] ACID 0.9.5 Released
> 
> 
> 
> 
> Guillaume Arcas <guillaume at ...1168...> on 01/19/2001 02:18 AM wrote:
> 
> >I take your message as an opportunity to ask if there is space in this
> >mailing-list for discussion about daily usage of ACID. I have used it for a
> >month and surely am one of your most enthusiastic fan(s) in France !! :-)
> 
> It's snort related and unless Marty has issues or the threads get too far
> off-topic I don't see why we shouldn't be able to discuss usage :)
> 
> >More seriously, I would like to expand the usage of ACID sensors to build a
> >Distributed IDS for a large network (with a lot of those f*!#@* things
> >called switches !! :-)).
> 
> >Does anyone here have some experience of that ?
> 
> Not as of yet.  I'm working on building a rather large snort/ACID
> infrastructure right now.  I'd be more than happy to pass issues I've had
> back and forth with you via private email (no sense in letting the lurkers
> out there see too much internal information).  I'm actually quite interested
> in your usage of ACID; I'm curious to see if our corporate needs are similar
> in vein to yours and how large a network you are running and the number of
> sensors you are expecting to have at the end of deployment.
> 
> --Bill
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> 
> 



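Jeff's other problem, one outbound flow crossing three sensors and producing three alerts, is the classic case for de-duplicating at the collector rather than trying to stop each sensor from seeing the flow. The following is an editor's added example, not part of the thread or of ACID: a POSIX sh/awk filter over a constructed CSV export of alerts (fields sensor, epoch seconds, signature id, protocol, src, sport, dst, dport; this layout is an assumption for the example, not Snort's own output format) that drops an alert when a different sensor already reported the same signature and 5-tuple within a time window, while keeping repeats from the same sensor as genuine new events.

```sh
#!/bin/sh
# Added example, not from the thread. Collapses the same event reported by
# several sensors in a row into one record. Input line format (constructed
# for this example, not Snort's own output):
#   sensor,epoch,sig_id,proto,src,sport,dst,dport

# dedup_alerts WINDOW_SECONDS < alerts.csv
# Keeps a line when (a) its signature/5-tuple key is new, (b) it comes from the
# same sensor that last reported that key (a genuine repeat), or (c) the last
# report of that key is older than WINDOW seconds. Anything else is a second
# sensor echoing a flow that was already counted, and is dropped.
dedup_alerts() {
    awk -F, -v window="$1" '
        NF != 8 { next }                          # skip malformed lines
        {
            key = $3 FS $4 FS $5 FS $6 FS $7 FS $8
            if ((key in last_ts) && $1 != last_sensor[key] &&
                ($2 - last_ts[key]) <= window) {
                dropped++
                next
            }
            last_ts[key] = $2; last_sensor[key] = $1
            print
        }
        END { printf "# dropped %d cross-sensor duplicates\n", dropped > "/dev/stderr" }'
}

# count_unique_alerts WINDOW_SECONDS < alerts.csv -> number of surviving lines
count_unique_alerts() {
    dedup_alerts "$1" 2>/dev/null | awk 'END { print NR }'
}

# Constructed sample: one HTTP flow seen by three sensors one second apart, a
# DNS alert from one sensor, the HTTP signature again 50 s later (a new event),
# and its echo 10 s after that from another sensor. Addresses are made up.
SAMPLE_ALERTS='sensorA,980000000,1:1234,TCP,10.1.2.3,4444,192.168.1.1,80
sensorB,980000001,1:1234,TCP,10.1.2.3,4444,192.168.1.1,80
sensorC,980000002,1:1234,TCP,10.1.2.3,4444,192.168.1.1,80
sensorA,980000003,1:5555,UDP,10.9.9.9,53,192.168.1.2,1024
sensorB,980000050,1:1234,TCP,10.1.2.3,4444,192.168.1.1,80
sensorA,980000060,1:1234,TCP,10.1.2.3,4444,192.168.1.1,80'

# Run on the sample only when asked, so sourcing the file just defines the
# functions. With a 10 s window three of the six lines survive.
if [ "${RUN_DEDUP:-0}" = 1 ]; then
    printf '%s\n' "$SAMPLE_ALERTS" | dedup_alerts 10
fi
```

The window is measured from the last kept report of that key, not from the first sighting, so a flow that keeps re-triggering on one sensor is never silenced by its own echoes. Note what the filter throws away: the fact that three sensors saw the flow is itself useful for confirming the path traffic takes, so a collector that keeps the sensor list on the surviving record (as ACID's per-sensor view does) loses less than one that simply drops the echoes.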
