[Snort-users] Any HOWTO for merging separate snort IDS's into central DB?

Cloppert, Michael Michael.Cloppert at ...5884...
Fri Dec 20 13:11:04 EST 2002


I'm also looking for something to do this.  I have a rough idea of what is
going to be involved, but I have not looked into doing it in any depth so
far.  What I'm thinking about doing is, given sensors X and Y reporting back
to database A: have a cronjob on {X,Y} that kicks off a script every n
minutes (or days, whatever).  The script will basically export all event and
related data to A except the sensor ID.  The sensor ID (sid) for each event
would be manufactured at the time of export to match whatever is in the
"sensor" table on the central database corresponding to the sensor exporting
the data.  For example, if doing a SQL query of "select sid,hostname from
sensor" on A gives me:

| sid | hostname                              |
|   1 | localhost                             |
|   2 | X                                     |
|   3 | Y                                     |

then when I export from X, I will need to change all the sid's in my events
to "2", and "3" from server Y.  This neglects other fields in the "sensor"
table that are necessary for normal snort operation, such as the "last_cid"
field.  This would be a massive problem, IF you had a snort sensor running
on A that tried to add events with a sid of 2 or 3.  Since we're just
talking about looking at the data, and are adding the data ourselves, we
should be able to get away with this.

I don't know if this is a load of cock and bull and won't work to save my
own butt, or if it's all that needs to be done to get these alerts
centralized.  Like I said, I haven't tried it.  If anyone has any comments
on this (particularly if you work actively on the snort project, *nudge,
nudge*) and if I'm walking in the right direction or not, I (and most likely
Jason) would appreciate it greatly!

Mike Cloppert

I just realized that one thing can't be overlooked in this solution: the
signature ID's & such.  i'm not sure if these will vary between systems or
not.  If they do, there will need to be some way of getting this data back
and sorting it out as well, and may prevent this solution from being

> -----Original Message-----
> From: Jason Haar [mailto:Jason.Haar at ...294...]
> Sent: Tuesday, December 17, 2002 6:55 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Any HOWTO for merging separate snort IDS's into
> central DB?
> For network protection we're running snort on separate boxes 
> with local
> MySQL databases. However, once a month (say) I'd like to pull 
> those SQL logs
> together into a "meta-DB" so that we can look at the IDS 
> network as a whole.
> Obviously snort on these standalone systems are re-using the 
> same id numbers
> for different things, so I was wondering if anyone had 
> written a script that
> could allow such separate databases to be pulled together as 
> a consistent
> offering. All our snort systems run the same release and same 
> schema, so
> there data is internally consistent.
> Thanks
> -- 
> Cheers
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> -------------------------------------------------------
> This sf.net email is sponsored by:
> With Great Power, Comes Great Responsibility 
> Learn to use your power at OSDN's High Performance Computing Channel
> http://hpc.devchannel.org/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list