[Snort-users] Data Collection Help (fwd)

Andrea Barisani lcars at ...96...
Wed Nov 21 13:20:04 EST 2001


---------- Forwarded message ----------
Date: Wed, 21 Nov 2001 17:18:40 +0100 (CET)
From: Andrea Barisani <lcars at ...96...>
To: Lance Spitzner <lance at ...2024...>
Subject: Re: [Snort-users] Data Collection Help

On Wed, 21 Nov 2001, Lance Spitzner wrote:

> The Honeynet Project is beginning to collect data from various
> distributed Honeynets.  One of our primary weapons for data capture
> is Snort.  Question, what are some of the best practices for
> data collection for distributed Snort sensors?  We are currently
> doing the following, any additional ideas GREATLY appreciated.
> 
>  - MySQL backend for Snort alerts, ACID interface
>  - Daily copy of Snort binary log files
> 
> If you have any more recommendations on what Snort data should
> be collected, in what format, or how it can be organized, that
> would be greatly appreciated.  For example, are there any options
> besides ACID?
> 

Hi Lance!

My experience is that the best way of logging snort sensor data is the
following:

On the sensor

1) standard snort process with full alert logging and tcpdump-style binary
logging of traffic.

2) every n (usually 12) hours a snort process parses the binary file (which
contains all the packets that have triggered an alert with the ruleset
specified for 1)) and logs the alerts with the previous ruleset or,
recommended, a more restrictive one to a central MySQL db accessible with
ACID.

The advantages are:

1) the sensor is not always logging to a database in order to increase 
overall speed.

2) we can define a more restrictive ruleset for the db logging, so we can
avoid db flooding with false alarms by checking the sensor alert logs first. We
can also have different rulesets in order to put the collected data in
different logical databases.

3) we can rebuild the database whenever we want if we archive the binary
log files.

4) an eventual SSL encapsulation of MySQL traffic between the sensor and
the central database is possible and it is not so exhausting.

What do you think?

Hope that helps.

Bye

------------------------------------------------------------
INFIS Network Administrator & Security Officer
Department of Physics       - University of Trieste
lcars at ...96... - PGP Key 0x8E21FE82
------------------------------------------------------------
"How would you know I'm mad?" said Alice.
"You must be," said the Cat, "or you wouldn't have come here."
------------------------------------------------------------
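The sensor-side batch step described above (every 12 hours, replay the binary tcpdump-style log through a second, more restrictive ruleset that logs to the central MySQL database, then archive the binary file so the database can be rebuilt later) as an added example script. It is not code from this thread or from the Snort project. It assumes the live sensor writes its binary logs as `snort.log.*` under LOGDIR, that every file except the newest is complete, that a separate `snort-db.conf` holds the restrictive ruleset plus an `output database: alert, mysql, ...` line, and that `snort -r`, `-c`, `-l` and `-N` are available; all paths and file names are placeholders.

```shell
#!/bin/sh
# Batch replay of a Snort sensor's binary log through a restrictive ruleset
# that logs to a central MySQL database (added example, assumptions noted).
set -eu

SNORT="${SNORT:-snort}"                         # snort binary (override for tests)
LOGDIR="${LOGDIR:-/var/log/snort}"              # live sensor writes snort.log.* here (assumed pattern)
ARCHIVE="${ARCHIVE:-/var/log/snort/archive}"    # binary logs are kept so the db can be rebuilt
DB_CONF="${DB_CONF:-/etc/snort/snort-db.conf}"  # restrictive rules, e.g. containing the line:
#   output database: alert, mysql, user=snort dbname=snort host=db.example.org
# (assumed config fragment; the sensor's own config never loads this plugin,
#  so the live capture process is never slowed down by database writes)

# List completed binary log files: every snort.log.* except the newest,
# which the live sensor process may still be writing to. Names are assumed
# to sort chronologically (snort.log.<epoch>), which holds for same-length
# epoch values.
pending_logs() {
    ls -1 "$LOGDIR"/snort.log.* 2>/dev/null | sort | sed '$d'
}

# Replay one binary log: -r reads the pcap, -c loads the restrictive ruleset
# and its database output plugin, -l sets the log dir, -N turns off packet
# logging (alerts still go to the configured outputs).
replay_log() {
    "$SNORT" -r "$1" -c "$DB_CONF" -l "$LOGDIR/replay" -N
}

# Replay every completed log, then move it to the archive so it is not
# replayed twice and remains available for a later database rebuild.
# Prints the number of files processed.
process_pending() {
    mkdir -p "$ARCHIVE" "$LOGDIR/replay"
    n=0
    for f in $(pending_logs); do
        replay_log "$f"
        mv "$f" "$ARCHIVE/"
        n=$((n + 1))
    done
    echo "$n"
}

# Run the batch only when invoked with --run (e.g. from cron); sourcing or
# running the file without arguments just defines the functions.
if [ "${1:-}" = "--run" ]; then
    process_pending
fi
```

A cron entry such as `0 */12 * * * /usr/local/sbin/replay_snort_logs.sh --run` (assumed path) gives the 12-hour cycle from the message; swapping DB_CONF for a different restrictive config is how the "different rulesets into different logical databases" variant would be run.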