[Snort-users] ACID inputting from alerts?

Scott A. McIntyre scott at ...1050...
Wed May 9 16:30:33 EDT 2001


> Scott,
> 
> If you are logging to a database, the "full" alert functionality is 
> enabled by default by the database plug-in.  Look at the "detail"
> configuration parameter of the database plug-in documented
> in README.database.
> 

Nope, not logging to a database directly -- sorry, I should have been
more clear about this.  I have loads of sensors that I aggregate alerts
from on a management station, which also performs rule management for
the sensors.

At the moment I am parsing transferred binary logs through a
"database.conf" that reads the rules for the appropriate sensor and
inputs the alerts into the database on the management station.  This
works fantastically but has the slight drawback of less than ideal
parsing in a time-critical fashion.  Since the only way I can think of
to rotate a snort binary log is to kill the daemon (running snort in
daemon mode), which creates another file; unless I regularly do this,
it's tough to make sure that I only input each alert event once.

With the text based alerts, which are also generated on the sensors,
it's easier to use logrotate or newsyslog or whatever to make sure that
the file is rotated on a regular basis, that it's not added to, and
thus, easy to import into ACID for analysis.

If snort could read the binary file back with a time search, it would
probably help (as in, yyyy/mm/dd.hh:mm:ss-yyyy/mm/dd.hh:mm:ss would only
match timestamped entries for that range); that may be in the works for
2.0, not sure.

I'm very open to other ways of solving this; the fundamental
architecture won't be changing (central mgt with remote sensors) though,
and I have very tight rules as to how the data gets to the management
station (so no logging to the mysql database from the sensors
directly)...

Thanks!

Scott

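The two pieces of the post's wish list, reading a binary log back with a yyyy/mm/dd.hh:mm:ss-yyyy/mm/dd.hh:mm:ss time search, and making sure each event is imported only once when the file is still being appended to, can be done on the management station without killing the sensor's daemon. The script below is an added example, not code from the post or from the snort project, and it assumes the sensor's binary log is in the tcpdump/libpcap format that snort's -b option writes; the timestamp format is the one proposed in the post, and the function names, the sample log and the high-water-mark scheme are this example's own. The trailing half-written record in the sample stands in for a log copied off a sensor while snort was still writing to it.

```python
import struct
from datetime import datetime, timezone

# Time-stamp format taken from the post's proposal (assumed; snort does not define one).
STAMP_FMT = "%Y/%m/%d.%H:%M:%S"


def parse_stamp(text):
    """'yyyy/mm/dd.hh:mm:ss' -> POSIX seconds. Stamps are read as UTC so results
    do not depend on the host's time zone."""
    return datetime.strptime(text, STAMP_FMT).replace(tzinfo=timezone.utc).timestamp()


def parse_range(text):
    """'start-end' in the format above -> (start_seconds, end_seconds), inclusive."""
    start, end = text.split("-", 1)
    lo, hi = parse_stamp(start), parse_stamp(end)
    if hi < lo:
        raise ValueError("range end precedes start")
    return lo, hi


def read_pcap(data):
    """Yield (timestamp, packet_bytes) for every complete record in a libpcap file.
    Both byte orders are accepted. A trailing partial record (the daemon was still
    writing) is dropped rather than raising, so a file copied mid-write still parses."""
    if len(data) < 24:
        raise ValueError("too short for a libpcap header")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"          # little-endian writer
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"          # big-endian writer
    else:
        raise ValueError("not a libpcap file")
    off = 24               # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl]
        if len(pkt) < incl:
            break          # truncated last record: stop, do not emit it
        off += 16 + incl
        yield sec + usec / 1e6, pkt


def select_range(data, range_text):
    """The time search the post asks for: records whose stamp falls in the range."""
    lo, hi = parse_range(range_text)
    return [(ts, pkt) for ts, pkt in read_pcap(data) if lo <= ts <= hi]


def select_new(data, high_water):
    """Import-once without rotating: records strictly after the last imported stamp.
    Returns (records, new_high_water); persist the mark between runs."""
    recs = [(ts, pkt) for ts, pkt in read_pcap(data) if ts > high_water]
    return recs, (max(ts for ts, _ in recs) if recs else high_water)


def build_pcap(records):
    """Constructed little-endian libpcap file (linktype 1 = Ethernet) for the demo."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, pkt in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return out


# Constructed sample: four dummy packets logged over two hours on 2001/05/09.
SAMPLE_TIMES = ["2001/05/09.16:00:00", "2001/05/09.16:30:33",
                "2001/05/09.17:00:00", "2001/05/09.18:00:00"]
SAMPLE_LOG = build_pcap([(parse_stamp(t), b"pkt%d" % i) for i, t in enumerate(SAMPLE_TIMES)])
# The same log caught mid-write: a record header claiming 40 bytes but only 7 present.
SAMPLE_LOG_TRUNCATED = SAMPLE_LOG + struct.pack("<IIII", 1, 0, 40, 40) + b"partial"

if __name__ == "__main__":
    for ts, pkt in select_range(SAMPLE_LOG, "2001/05/09.16:30:00-2001/05/09.17:30:00"):
        print(datetime.fromtimestamp(ts, timezone.utc).strftime(STAMP_FMT), pkt)
    new, hw = select_new(SAMPLE_LOG_TRUNCATED, parse_stamp("2001/05/09.16:30:33"))
    print(len(new), "new records; high-water mark now", hw)
```

On the management station the high-water mark would be kept per sensor (a one-line file next to the transferred log is enough); a record with a stamp equal to the mark is deliberately not re-read, which is only safe because the sensor's clock is monotonic for the life of one log file.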