[Snort-users] logging portscans to database
emf at ...367...
Tue Mar 13 13:54:33 EST 2001
On Tue, Mar 13, 2001 at 08:50:11AM -0700, Phil Wood wrote:
> My two cents is, think about it real careful. Are you sure you want 20
> million bytes of scan packets a day translated to hex and shipped over an
> ethernet to your sql box?
Well, yeah. That's why I have a database, so that I don't have to go grovelling
across a couple dozen sensor hosts just to pick up data, and then collate it
all after the fact, and maybe reconstruct this data into useful entries
in my database anyway.
Besides, I didn't necessarily suggest "ship it across the net to my sql box"..
I suggested that the data be handled like all other data inside snort and its
plugins and be properly fed into CallAlertFuncs() and CallLogFuncs() so that
the appropriate log&&alert behaviors for the particular sensor will be
executed.. log_database is just one of many ways to deal with data.
Security Administrator, ServerVault, Inc.