[Snort-users] snort and ACID

A.L.Lambert alambert at ...387...
Wed Jan 31 00:41:38 EST 2001


> > Yes, what I would ideally like to be able to do,
> > is to have all the snort sensors just log to syslog,
> > across the net to an ACID console. Then run a script
> > on the console looking for syslog alerts and then updating
> > the database. But the data logged to syslog is 'slim'
> > compared with what the db plugin provides.
> 
> I think you're asking too much of syslog there. It's meant for
> one-line messages - the data quality you're after covers multiple
> lines. Unless you hack snort to do its expanded syslog reports as one
> big HEX line - I don't think it'll do what you want ;-)

	I think the packet-dump idea is definitely overkill in a syslog
environment, but I for one would like to see a bit more info in the syslog
alerts (packet header info to be specific).  Just a thought.

	--A.L.Lambert
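The "script on the console that watches syslog and updates the database" idea from the quoted message, as an added example that is not from the thread: it parses Snort syslog alert lines into the handful of fields that fit on one line and inserts them into a SQLite table, which also makes plain what the one-line format lacks compared with the db plugin. Assumptions: the sample lines are constructed and follow the bracketed alert layout of later Snort releases, and the table name and schema are made up for illustration.

```python
import re
import sqlite3

# Constructed sample syslog lines (not from the thread). Assumption: the alert
# text follows the "[gid:sid:rev] msg [Classification: c] [Priority: p]: {proto}
# src:port -> dst:port" layout of later Snort releases.
SAMPLE_SYSLOG = """\
Jan 31 00:41:38 sensor1 snort[4242]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 192.0.2.10:1434 -> 198.51.100.7:1434
Jan 31 00:41:40 sensor1 snort[4242]: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.0.2.10 -> 198.51.100.7
Jan 31 00:41:41 sensor1 sshd[100]: Accepted publickey for ops from 192.0.2.5 port 50000 ssh2
"""

# Everything a one-line syslog alert carries: rule id, message, class,
# priority, protocol and endpoints. No packet header (TTL, flags, IP ID)
# and no payload, which is what the DB output plugin would have stored.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Return a dict of alert fields for a Snort syslog line, else None."""
    m = ALERT_RE.search(line)
    if not m:
        return None            # unrelated syslog traffic (sshd, cron, ...)
    port = lambda v: int(v) if v else None   # ICMP lines carry no ports
    return {"sid": int(m["sid"]), "msg": m["msg"], "cls": m["cls"],
            "priority": int(m["prio"]), "proto": m["proto"],
            "src": m["src"], "sport": port(m["sport"]),
            "dst": m["dst"], "dport": port(m["dport"])}

def load_alerts(text, conn):
    """Parse syslog text and insert every Snort alert into the console DB."""
    conn.execute("CREATE TABLE IF NOT EXISTS alert (sid INTEGER, msg TEXT, "
                 "cls TEXT, priority INTEGER, proto TEXT, src TEXT, "
                 "sport INTEGER, dst TEXT, dport INTEGER)")
    alerts = [a for a in map(parse_alert, text.splitlines()) if a]
    conn.executemany(
        "INSERT INTO alert VALUES (:sid,:msg,:cls,:priority,:proto,"
        ":src,:sport,:dst,:dport)", alerts)
    conn.commit()
    return len(alerts)

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    print(load_alerts(SAMPLE_SYSLOG, db), "alerts stored")
```

Pointed at a real syslog file the same regex simply skips every non-Snort line, so the script can run against the console's combined syslog rather than a dedicated facility.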

