[Snort-users] process models for handling events

Wynn Fenwick wfenwick at ...2714...
Tue Feb 5 16:40:08 EST 2002


Hi Folks,

I'd like to solicit some opinions on the analysis of process models
around snort and multiple databases. Currently my client uses an
incoming database which the sensors log to and the events are processed
as they come in. There are many false positives, but we chose not to
PASS them because in aggregate they could indicate an incident.

For example, observations of policy violations that are random events are
not incidents, but if we observe them happening over time on a regular
basis, the pattern is established and it becomes an incident. We use a
single archive database to keep all of these events for this reason.

However, when we want to generate monthly or weekly metrics to keep the
PHBs sure that the system is worth the funding, we have a problem. ACID
doesn't allow us to create reports "except the following signatures", or
at least I can't figure out how to, besides with NOT'ed TCP/IP/ICMP/
content filters. I don't want a third database if I can help it because
it's SOOOOooo slow to move events to a third "incidents-only" database.

Lastly, I'd like to be able to "cache" or bookmark certain queries for
reports that we commonly run on a weekly or monthly basis (hell, even
daily if it comes cheap). Does anyone else do anything like this? I'd
like to know before I go about trying my hand at PHP and SQL - there's
lots of good source to start from thanks to Roman's excellent work.

W
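
A worked example, added here and not part of the original post, of ACID, or of Snort: the "except the following signatures" report and the "bookmarked" weekly query done in plain SQL on top of the archive, with no third database. It runs in Python against an in-memory SQLite database using a simplified subset of the Snort database output schema (the `event` and `signature` tables and their `sid`/`cid`/`signature`/`timestamp` and `sig_id`/`sig_name` columns). The `report_exclusion` table, the `weekly_report` view, the `NOISE_SIGNATURES` list and all event rows are constructed for the example and are not real data; the `recurring_signatures` function is one way to express the post's "pattern established over time" rule.

```python
import sqlite3

# Simplified subset of the Snort database output schema: `signature` maps a
# numeric id to a rule name; `event` is keyed by sensor id (sid) and event id
# (cid) and references the signature.  Rows are constructed for this example.
SIGNATURES = [
    (1, "ICMP PING NMAP"),
    (2, "WEB-MISC /cgi-bin/ access"),
    (3, "POLICY FTP anonymous login attempt"),
    (4, "SNMP public access udp"),
]

EVENTS = [
    # (sid, cid, signature, timestamp)
    (1, 1, 1, "2002-01-07 10:00:00"),
    (1, 2, 1, "2002-01-07 10:00:01"),
    (1, 3, 4, "2002-01-08 11:30:00"),
    (1, 4, 3, "2002-01-09 02:15:00"),
    (1, 5, 2, "2002-01-10 14:00:00"),
    (1, 6, 3, "2002-01-16 02:20:00"),
    (1, 7, 1, "2002-01-17 09:00:00"),
    (1, 8, 3, "2002-01-23 02:05:00"),
    (1, 9, 4, "2002-01-24 16:45:00"),
    (1, 10, 2, "2002-01-29 08:00:00"),
]

# Hypothetical exclusion list: signatures kept in the archive (they may still
# add up to an incident) but left out of the weekly management metrics.
NOISE_SIGNATURES = ["ICMP PING NMAP", "SNMP public access udp"]

SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
CREATE TABLE event (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL,
    signature INTEGER NOT NULL REFERENCES signature(sig_id),
    timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid));
-- Added table (not part of Snort's schema): the report-time exclusion list.
CREATE TABLE report_exclusion (sig_name TEXT PRIMARY KEY);
-- The "bookmarked" report: a view that bakes in the exclusion, so the weekly
-- numbers come from one short SELECT instead of a retyped NOT-IN filter.
-- strftime('%Y-%W') gives the year and Monday-based week number.
CREATE VIEW weekly_report AS
SELECT strftime('%Y-%W', e.timestamp) AS week, s.sig_name AS sig_name,
       COUNT(*) AS hits
FROM event e JOIN signature s ON s.sig_id = e.signature
WHERE s.sig_name NOT IN (SELECT sig_name FROM report_exclusion)
GROUP BY week, s.sig_name;
"""


def build_db():
    """Create the in-memory archive and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO signature VALUES (?, ?)", SIGNATURES)
    con.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", EVENTS)
    con.executemany("INSERT INTO report_exclusion VALUES (?)",
                    [(name,) for name in NOISE_SIGNATURES])
    con.commit()
    return con


def weekly_report(con):
    """Per-week, per-signature hit counts with the noise signatures removed."""
    return con.execute(
        "SELECT week, sig_name, hits FROM weekly_report ORDER BY week, sig_name"
    ).fetchall()


def weekly_totals(con):
    """Total reportable events per week, e.g. for a management chart."""
    rows = con.execute(
        "SELECT week, SUM(hits) FROM weekly_report GROUP BY week ORDER BY week"
    ).fetchall()
    return {week: total for week, total in rows}


def recurring_signatures(con, min_weeks):
    """Signatures seen in at least `min_weeks` distinct weeks: the
    'pattern established over time' case the post treats as an incident."""
    return con.execute(
        """
        SELECT sig_name, COUNT(DISTINCT week) AS weeks
        FROM weekly_report
        GROUP BY sig_name
        HAVING COUNT(DISTINCT week) >= ?
        ORDER BY sig_name
        """,
        (min_weeks,),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    for row in weekly_report(db):
        print(row)
    print(weekly_totals(db), recurring_signatures(db, 3))
```

Because the exclusion is applied by the view at query time, adding or removing a name in `report_exclusion` changes the report without touching or copying any event rows, which is the point of avoiding the third "incidents-only" database. The same view can be queried from PHP (ACID's language) once it exists in the archive database; the raw events remain available for the "aggregate over time" analysis.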
