[Snort-users] snort and ACID
Steve.Hutchins at ...277...
Tue Jan 30 16:25:23 EST 2001
How would you trigger the java servlets?
If no one else offers any code, I was planning on writing a rules-based engine in perl, but I haven't even started to think about the design yet. Whatever I do, a snort rule needs some approx categorisation/priority against it, which could be plucked out of the table. It's still subjective, as various things would have to be considered before raising a callout.
From: Steve Halligan [mailto:agent33 at ...187...]
Sent: Wednesday, 31 January 2001 4:41
To: 'Steve Hutchins'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] snort and ACID
Once the issue of the sensor logging hanging is resolved, another angle to
approach this from would be to use java servlets to do ongoing "real time"
monitoring and triggering of reports/classification. We have been talking
about doing just this, but at this point no work has been done on this
front. This would eliminate the need for stored database procedures,
allowing "real time" functionality even with mysql. The base-line mode
would just be a Count * from events looking for a delta. This is a really
low impact query. If there is a delta, any number of things could occur.
> -----Original Message-----
> From: Steve Hutchins [mailto:Steve.Hutchins at ...277...]
> Sent: Monday, January 29, 2001 9:15 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] snort and ACID
> I am setting up several snort sensors reporting to an
> ACID console. These will be monitored 24/7
> In order to reduce the number of callouts (I already
> have the sensor noise down as far as I want to go), I
> need to implement some intelligence on the ACID
> console that will do the following:
> - classify the event (high or low)
> - be triggered (somehow) by event update.
> - at predefined times analyse the received events and
> do some pattern matching and produce a report.
> Before I jump into this, has anyone done something like
> this already?
> My ACID console is using mysql (because I've used it b4
> and it's free), but from reading the latest notes on it,
> it doesn't support triggers or stored procedures, so I guess
> I might have to go for some other D/B (anything but Oracle!).
> Another requirement I have, is due to the possible number of
> sensors (might be up to 36 across New Zealand), the management
> of the snort policy (rules file), will need tailoring and
> dispensing from a single point (hey why not use the ACID console?)
> Has anyone been down this track of automating policy versions
> across multiple sensors?
> Steve Hutchins
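Added example, not code from the thread: the baseline mode Steve Halligan describes (a cheap COUNT(*) each cycle, detail work only on a delta) paired with the high/low categorisation table Steve Hutchins asks for, written in Python against an in-memory sqlite3 table standing in for MySQL. The event table columns (sid, cid, signature), the signature names and the priority table are all constructed assumptions.

```python
import sqlite3

# Constructed stand-in for the snort/ACID "event" table, using sqlite3 in
# place of MySQL; the column names are an assumption, not from the thread.
SCHEMA = ("CREATE TABLE event (sid INTEGER, cid INTEGER, signature TEXT, "
          "PRIMARY KEY (sid, cid))")

# Constructed per-rule categorisation (signature name -> high/low), the
# subjective table the reply says a rules engine would consult.
PRIORITY = {"WEB-IIS cmd.exe access": "high", "ICMP PING NMAP": "low"}
DEFAULT_PRIORITY = "low"


class BaselinePoller:
    # Cheap COUNT(*) every cycle; the detail query runs only when there is a delta.
    def __init__(self, conn):
        self.conn = conn
        self.baseline = 0    # COUNT(*) seen on the previous poll
        self.watermark = {}  # sid -> highest cid already classified

    def poll(self):
        (count,) = self.conn.execute("SELECT COUNT(*) FROM event").fetchone()
        delta, self.baseline = count - self.baseline, count
        result = {"delta": delta, "high": [], "low": [], "callout": False}
        if delta <= 0:
            return result  # nothing new: only the low-impact query ran
        rows = self.conn.execute(
            "SELECT sid, cid, signature FROM event ORDER BY sid, cid").fetchall()
        for sid, cid, sig in rows:
            if cid <= self.watermark.get(sid, 0):
                continue  # already classified on an earlier poll
            self.watermark[sid] = cid
            result[PRIORITY.get(sig, DEFAULT_PRIORITY)].append((sid, cid, sig))
        result["callout"] = bool(result["high"])  # page only for high events
        return result


def demo():
    # Two polling cycles over constructed events from two sensors.
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?)",
                     [(1, 1, "ICMP PING NMAP"), (2, 1, "ICMP PING NMAP")])
    poller = BaselinePoller(conn)
    first = poller.poll()   # two new low events, no callout
    conn.execute("INSERT INTO event VALUES (?, ?, ?)",
                 (1, 2, "WEB-IIS cmd.exe access"))
    second = poller.poll()  # one new high event, callout
    return first, second
```

The per-sensor watermark matters because cid restarts per sensor in the snort database schema, so a global "highest id" would miss or double-count rows.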