[Snort-users] Rule Management Tool

roman at ...438... roman at ...438...
Thu May 10 09:44:45 EDT 2001


> Could be an extension to acid... Yes I know, it's just analysis. But it
> could be a cool feature. 

Indeed a nice management tool, but as you said not quite analysis.
I have no issues with including such functionality (and
integrating the actual rules would be nice), but other features
are currently taking priority for now.  

> Another thing that could be interesting is to have a parser to include
> checkpoint FW1 & pix logs to snort-acid-db... 

There is definitely some prior art here.  Look at logsnorter
(in the Snort downloads section) by Jason Haar:

<quote>
This perl script scans syslog messages (typically in real-time),
picks up any "reject packet" messages generated by Ciscos or
Linux ipfw/ipchains and logs them into your central Snort SQL
database. This allows you to "expand" the reach of snort
without having to put snort out into weird areas - like
in front of your perimeter router/firewall...
</quote>

cheers,
Roman

> 
> On Thu, 10 May 2001, Cedric Guillotin wrote:
> 
> > Since I found ACID very interesting to manage logs, I was wondering if I
> > could find a tool to manage rules to get a complete control over snort.
> > 
> > I'm looking for a tool with the following functionalities:
> > 
> > 	- manage rule (store rules in db, sort rules, add, remove, update)
> > 	- manage ruleset for each sensor (select active rules, deploy ruleset)
> > 
> > I've seen some scripts, but a frontend could be useful.
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > 
> 
> -- 
> ---
> Alexandre J.D. Dulaunoy  | "Engineering is the implementation of science;
> AD993-RIPE               | Politics is the implementation of faith".
> http://www.foo.be/       |                      Another usenet quote...
> 


