[Snort-users] logging portscans to database

Erik Fichtner emf at ...367...
Tue Mar 13 13:54:33 EST 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Mar 13, 2001 at 08:50:11AM -0700, Phil Wood wrote:
> My two cents is, think about it real careful.  Are you sure you want 20
> million bytes of scan packets a day translated to hex and shipped over an
> ethernet to your sql box?


Well, yeah. That's why I have a database, so that I don't have to go grovelling
across a couple dozen sensor hosts just to pick up data, and then collate it 
all after the fact, and maybe reconstruct this data into useful entries 
in my database anyway.   


Besides, I didn't necessarily suggest "ship it across the net to my sql box"..
I suggested that the data be handled like all other data inside snort and its 
plugins and be properly fed into CallAlertFuncs() and CallLogFuncs() so that
the appropriate log&&alert behaviors for the particular sensor will be 
executed..  log_database is just one of many ways to deal with data. 


- -- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEUEARECAAYFAjqubOkACgkQQ7EzrewLMS1CbgCVGt2OQqMQuloBoaxBBe9EH9bP
OwCg05b1DfuELyJ8V3eFbzKRa3vQuVY=
=XlLH
-----END PGP SIGNATURE-----
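The design point in this message, that a portscan preprocessor should not write its own side file but should raise an event through the same alert/log dispatch every other Snort plugin uses, so the sensor's configured output plugins (log_database among them) decide where it goes, can be sketched in a few dozen lines. The block below is an added illustration, not code from the thread or from Snort: the names Event, register_alert_func, register_log_func, dispatch_event, process_packet and the two sinks are hypothetical and only mirror the pattern of Snort's CallAlertFuncs()/CallLogFuncs(), whose real signatures are not reproduced here. The sample traffic is constructed; the threshold of 5 distinct destination ports per source is an assumption for the demo.

```c
/* Added example (not Snort code): a toy portscan preprocessor that hands
 * its event to every registered alert and log callback instead of writing
 * a private file.  All names here are hypothetical stand-ins for the
 * Snort pattern the post refers to (CallAlertFuncs()/CallLogFuncs()). */
#include <stdio.h>
#include <string.h>

#define MAX_FUNCS      8
#define MAX_SRCS       16
#define MAX_PORTS      1024
#define SCAN_THRESHOLD 5   /* assumed: distinct dst ports from one source before an event */

typedef struct {
    const char *src;
    int distinct_ports;
} Event;

typedef void (*OutputFunc)(const Event *ev);

static OutputFunc alert_funcs[MAX_FUNCS];
static OutputFunc log_funcs[MAX_FUNCS];
static int n_alert, n_log;

void register_alert_func(OutputFunc f) { if (n_alert < MAX_FUNCS) alert_funcs[n_alert++] = f; }
void register_log_func(OutputFunc f)   { if (n_log < MAX_FUNCS) log_funcs[n_log++] = f; }

/* Stand-in for CallAlertFuncs()/CallLogFuncs(): every configured output
 * plugin sees the event, so the sensor's own config decides where it ends up. */
static void dispatch_event(const Event *ev) {
    for (int i = 0; i < n_alert; i++) alert_funcs[i](ev);
    for (int i = 0; i < n_log; i++) log_funcs[i](ev);
}

/* Per-source state: bitmap of distinct destination ports seen so far. */
typedef struct {
    const char *src;
    unsigned char ports[MAX_PORTS / 8];
    int distinct;
    int alerted;
} SrcState;

static SrcState srcs[MAX_SRCS];
static int n_srcs;

static void reset_detector(void) { memset(srcs, 0, sizeof srcs); n_srcs = 0; }

static SrcState *lookup(const char *src) {
    for (int i = 0; i < n_srcs; i++)
        if (strcmp(srcs[i].src, src) == 0) return &srcs[i];
    if (n_srcs == MAX_SRCS) return NULL;
    srcs[n_srcs].src = src;
    return &srcs[n_srcs++];
}

/* Feed one packet (source, destination port). Returns 1 if an event was raised.
 * One event per scanning source is emitted, not one per probe packet. */
int process_packet(const char *src, int dport) {
    SrcState *s = lookup(src);
    if (!s || dport < 0 || dport >= MAX_PORTS) return 0;
    unsigned char bit = (unsigned char)(1u << (dport % 8));
    if (!(s->ports[dport / 8] & bit)) {
        s->ports[dport / 8] |= bit;
        s->distinct++;
    }
    if (!s->alerted && s->distinct >= SCAN_THRESHOLD) {
        s->alerted = 1;
        Event ev = { s->src, s->distinct };
        dispatch_event(&ev);
        return 1;
    }
    return 0;
}

/* Two hypothetical output plugins: one "database" log sink that counts rows
 * it would insert, one console alert sink. */
static int db_rows, console_alerts;
static void db_log_sink(const Event *ev) { (void)ev; db_rows++; }
static void console_alert_sink(const Event *ev) {
    printf("ALERT portscan from %s (%d distinct ports)\n", ev->src, ev->distinct_ports);
    console_alerts++;
}
int db_rows_written(void)       { return db_rows; }
int console_alerts_raised(void) { return console_alerts; }

/* Constructed sample traffic: 10.0.0.1 probes 6 distinct ports (one repeated),
 * 10.0.0.2 touches only 2.  Returns the number of events raised. */
int run_sample(void) {
    static const struct { const char *src; int dport; } pkts[] = {
        {"10.0.0.1", 21}, {"10.0.0.1", 22}, {"10.0.0.1", 23}, {"10.0.0.1", 25},
        {"10.0.0.2", 80}, {"10.0.0.1", 80}, {"10.0.0.1", 443}, {"10.0.0.2", 443},
        {"10.0.0.1", 22},   /* repeat of an already-seen port: not a new distinct port */
    };
    reset_detector();
    db_rows = console_alerts = 0;
    n_alert = n_log = 0;
    register_alert_func(console_alert_sink);
    register_log_func(db_log_sink);
    int events = 0;
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        events += process_packet(pkts[i].src, pkts[i].dport);
    return events;
}

int main(void) { printf("%d event(s) raised\n", run_sample()); return 0; }
```

The thing to notice is that the preprocessor never touches a file or a socket itself: it raises one summarized event per scanning source (not one row per probe packet, which is what the 20-million-bytes-a-day objection above is about), and whether that event becomes a database row, a syslog line, or nothing at all is entirely a matter of which sinks the sensor registered.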