[Snort-users] A Report - Back-Up of Snort Database....!!

kamesh_rajaram at ...4543... kamesh_rajaram at ...4543...
Mon Feb 25 01:15:02 EST 2002


Hi Snort & DEMARC Users...!!
       This is with reference to obtaining an abstract(back-up) of the information available in the Snort NIDS database. Where there is heavy packet logging, a big database will reduce performance, when we are going to query it for very old information. My idea is to have the entire information of the packets only for a week or 10 days in the database. Packets older than that will be deleted. And, i am planning to develop a report generation tool that can retrieve:

The Unique Events and its total.
Number of attempts in each event type.
Total number of intrusions from every IP (say for every 6 hrs)
Total intrusions of a particular signature from every IP
And things like that....!!

All these details will be required to be stored periodically, Viz., on per hour basis, or every six hours, or every day, week or month. This will help in analysing the pattern of alerts, attacks...and who is repeatedly trying it..etc. The DEMARC console gives some of these details like the Top 6 IPs, Unique Events , etc. But, in my case, there is a need to send a report of it with different details periodically. That is the reason for the need for a report generation tool. For the older info, i am planning to create a new database, query from the snort database, and add the bare minimal information that is absolutely necessary to the new one...!! Is there such a scheme already in use..?? I seek ur giudance & lead in this regard.....

Bye,
Kamesh.
-------------------------------------------------
This mail helped a tree grow. Know more at http://green.sify.com

Take the shortest route to success! 
Click here to know how http://education.sify.com





More information about the Snort-users mailing list