[Snort-users] snort and ACID
alambert at ...387...
Wed Jan 31 00:41:38 EST 2001
> > Yes, what I would ideally like to be able to do,
> > is to have all the snort sensors just log to syslog,
> > across the net to an ACID console. Then run a script
> > on the console looking for syslog alerts and then updating
> > the database. But the data logged to syslog is 'slim'
> > compared with what the db plugin provides.
> I think you're asking too much of syslog there. It's meant for
> one-line messages - the data quality you're after covers multiple
> lines. Unless you hack snort to do its expanded syslog reports as one
> big HEX line - I don't think it'll do what you want ;-)
I think the packet-dump idea is definitely overkill in a syslog
environment, but I for one would like to see a bit more info in the syslog
alerts (packet header info to be specific). Just a thought.
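What the console-side script discussed above could look like (pick snort alerts out of syslog and load them into a database), as an added example that is not from this thread or from Snort's own code. It also shows concretely how "slim" the syslog record is: signature id, message, classification, priority, protocol and addresses survive, but no packet header fields or payload. The one-line alert layout and the `event` table are assumptions; the log lines are constructed.

```python
import re
import sqlite3

# One-line alert as written by snort's syslog output (layout is an assumption
# based on typical sensor logs; adjust the pattern to your snort version).
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d+)\]:? "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def parse_alert(line):
    """Return the fields a syslog alert carries, or None for a non-alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "pri"):
        d[k] = int(d[k])
    for k in ("sport", "dport"):
        d[k] = int(d[k]) if d[k] else None   # ICMP alerts carry no ports
    return d

def load_alerts(lines, conn=None):
    """Insert every parseable alert into the 'event' table; return how many."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE IF NOT EXISTS event (
        gid INTEGER, sid INTEGER, rev INTEGER, msg TEXT, cls TEXT, pri INTEGER,
        proto TEXT, src TEXT, sport INTEGER, dst TEXT, dport INTEGER)""")
    rows = [r for r in map(parse_alert, lines) if r]
    conn.executemany("INSERT INTO event VALUES (:gid,:sid,:rev,:msg,:cls,"
                     ":pri,:proto,:src,:sport,:dst,:dport)", rows)
    conn.commit()
    return len(rows)

# Constructed sample syslog lines (not captured from a real sensor).
SAMPLE = [
    "Jan 31 00:41:38 sensor1 snort[1234]: [1:1002:2] WEB-IIS cmd.exe access "
    "[Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.5:4321 -> 10.0.0.2:80",
    "Jan 31 00:41:39 sensor1 snort[1234]: [1:469:1] ICMP PING NMAP "
    "[Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.5 -> 10.0.0.2",
    "Jan 31 00:41:40 sensor1 sshd[88]: Accepted publickey for admin from 10.0.0.9",
]

if __name__ == "__main__":
    print(load_alerts(SAMPLE))   # prints 2: the sshd line is skipped
```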