[Snort-users] Checkpoint FW1 Alerts to acid/Snort?

Fraser Hugh hugh_fraser at ...2804...
Wed Jan 9 09:22:04 EST 2002


If the alerts can be forwarded elsewhere using syslog, snmptraps, etc.,
they can be captured and inserted into the Snort database. The schema's well
documented, and I've done just that with the alerts from a commercial IDS
package (NFR) using snmptraps on a private lan. The technique works for
other sources of information as well... I collect alerts from arpwatch and
ipchains to add to the Snort database. Each source has a unique sid, and
ACID happily processes the alerts as if they came from Snort.
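The reply above describes the technique only in outline, so here is an added example of it in Python (not code from the original post, nor from the Snort or ACID projects). It assumes a reduced copy of the documented Snort database schema (sensor, signature, event, iphdr, tcphdr, udphdr with only the columns needed here), a hypothetical FW-1 syslog export format, the real-world ipchains kernel log layout, and constructed sample syslog lines; it uses an in-memory sqlite3 database so it runs offline, where a deployment would issue the same INSERTs against the MySQL or PostgreSQL database ACID reads. The point it makes concrete is the one in the reply: every forwarding host becomes its own sensor row (its own sid), and cid is a per-sensor counter, so ACID sees the firewall drops as if a Snort sensor had produced them.

```python
"""Insert firewall 'drop' syslog messages into a Snort-style database.

Added example, not from the original post or the Snort/ACID projects.
Assumes a reduced subset of the Snort DB schema, a hypothetical FW-1
syslog export format, and constructed sample log lines (see below).
"""
import re
import socket
import sqlite3
import struct
from datetime import datetime

LOG_YEAR = 2002  # syslog lines carry no year; assumed for the constructed sample

# Constructed sample lines (not real captures): an FW-1 host 'fw1' using a
# hypothetical export format, and a Linux ipchains gateway 'gw'.
SAMPLE_LOG = """\
Jan  9 09:15:01 fw1 fw: drop 10.1.1.5 -> 192.168.0.10 tcp 3127 > 445
Jan  9 09:15:02 fw1 fw: drop 10.1.1.5 -> 192.168.0.10 udp 53000 > 137
Jan  9 09:15:03 gw kernel: Packet log: input DENY eth0 PROTO=6 172.16.4.9:4242 192.168.0.10:22 L=60 S=0x00 I=3321 F=0x4000 T=64 SYN (#3)
Jan  9 09:15:04 fw1 fw: accept 10.1.1.7 -> 192.168.0.10 tcp 1025 > 80
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
FW1_RE = re.compile(  # hypothetical FW-1 export format
    r"^fw: (?P<action>\w+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"(?P<proto>tcp|udp) (?P<sport>\d+) > (?P<dport>\d+)$")
IPCHAINS_RE = re.compile(  # ipchains kernel packet-log format
    r"^kernel: Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")
PROTO_NUM = {"tcp": 6, "udp": 17}
DROP_ACTIONS = {"drop", "reject", "deny"}

# Reduced subset of the Snort schema: only the columns this example fills.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT UNIQUE, last_cid INTEGER);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT UNIQUE, sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER, ip_proto INTEGER);
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER);
CREATE TABLE udphdr (sid INTEGER, cid INTEGER, udp_sport INTEGER, udp_dport INTEGER);
"""


def ip2int(dotted):
    """Snort stores addresses as unsigned 32-bit integers (INET_ATON style)."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def parse_line(line):
    """Return an alert dict for a drop/deny message, or None for anything else."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} " + " ".join(m.group("ts").split()),
                           "%Y %b %d %H:%M:%S")
    msg = m.group("msg")
    g = FW1_RE.match(msg)
    if g:
        proto = PROTO_NUM[g.group("proto")]
        sig = f"FW-1 {g.group('action')} {g.group('proto')}"
    else:
        g = IPCHAINS_RE.match(msg)
        if not g:
            return None
        proto = int(g.group("proto"))
        sig = f"ipchains {g.group('chain')} {g.group('action')}"
    if g.group("action").lower() not in DROP_ACTIONS:
        return None  # accepted traffic is not an alert
    return {"host": m.group("host"), "ts": ts, "sig_name": sig, "proto": proto,
            "src": g.group("src"), "dst": g.group("dst"),
            "sport": int(g.group("sport")), "dport": int(g.group("dport"))}


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _get_or_insert(conn, select_sql, insert_sql, key):
    row = conn.execute(select_sql, (key,)).fetchone()
    return row[0] if row else conn.execute(insert_sql, (key,)).lastrowid


def insert_alert(conn, a):
    """One sensor row per syslog source (its own sid); cid counts per sensor."""
    sid = _get_or_insert(conn, "SELECT sid FROM sensor WHERE hostname=?",
                         "INSERT INTO sensor (hostname, last_cid) VALUES (?, 0)", a["host"])
    sig = _get_or_insert(conn, "SELECT sig_id FROM signature WHERE sig_name=?",
                         "INSERT INTO signature (sig_name, sig_priority) VALUES (?, 2)", a["sig_name"])
    cid = conn.execute("SELECT last_cid FROM sensor WHERE sid=?", (sid,)).fetchone()[0] + 1
    conn.execute("UPDATE sensor SET last_cid=? WHERE sid=?", (cid, sid))
    conn.execute("INSERT INTO event VALUES (?,?,?,?)",
                 (sid, cid, sig, a["ts"].strftime("%Y-%m-%d %H:%M:%S")))
    conn.execute("INSERT INTO iphdr VALUES (?,?,?,?,?)",
                 (sid, cid, ip2int(a["src"]), ip2int(a["dst"]), a["proto"]))
    table = {6: "tcphdr", 17: "udphdr"}.get(a["proto"])
    if table:
        conn.execute(f"INSERT INTO {table} VALUES (?,?,?,?)", (sid, cid, a["sport"], a["dport"]))
    return sid, cid


def load_alerts(conn, text):
    """Parse a syslog stream, insert every drop alert, return the count inserted."""
    n = 0
    for line in text.splitlines():
        a = parse_line(line)
        if a:
            insert_alert(conn, a)
            n += 1
    conn.commit()
    return n


def events_per_sensor(conn):
    return dict(conn.execute("SELECT s.hostname, COUNT(*) FROM event e "
                             "JOIN sensor s ON s.sid = e.sid GROUP BY s.hostname").fetchall())


if __name__ == "__main__":
    db = build_db()
    print(load_alerts(db, SAMPLE_LOG), "alerts inserted:", events_per_sensor(db))
```

In practice the parser would read from the syslog daemon's output (a FIFO or a tailed file) rather than a string, and the sensor row would also carry the interface and filter columns the real schema has; the part that matters for ACID is that each source keeps a stable sid and that cid never repeats within it.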

> -----Original Message-----
> From: Marc Dreher [mailto:MarcDreher at ...158...]
> Sent: Wednesday, January 09, 2002 7:28 AM
> To: Snort-users at lists.sourceforge.net
> Subject: [Snort-users] Checkpoint FW1 Alerts to acid/Snort?
> 
> 
> Hi,
> 
> This question is not 100% snort related, but I hope somebody may be able to
> give some hints. We are using snort sensors for intrusion detection with acid as
> analysis console. Besides that we use Checkpoint's Firewall-1 as, who'd
> expect, firewalls. As we can not place a snort sensor next to every firewall, the
> question now is, if there is a possibility/tool to parse the dropped packets
> alerts generated by the firewalls somehow into the database to enable analysis
> with acid alongside the snort alerts.
> Can anybody help here?
> 
> Thanks a lot
> 
> Marc
> 
> -- 
> GMX - The communication platform on the Internet.
> http://www.gmx.net
> 
> 
