[Snort-users] Anyone integrated HIDS-style alerts into Snort DB?

Jason Haar Jason.Haar at ...294...
Sun Apr 6 21:16:06 EDT 2003

I'm wondering about the worth of integrating host-based alerts into the Snort SQL
DB infrastructure...

I'm the author of logsnorter - a tool I wrote several years ago to parse
syslog entries to push Cisco/Linux firewall logs into the Snort SQL DB. I
dropped it after only a few months as I came to the conclusion that the last
thing your IDS DB needed was another 500% more alerts/day... I'm now firmly
in the camp that says "if it didn't get past my perimeter packet filter -
I'm not interested in it".

Anyway, I'm still warm on the idea of injecting intrusion information
gleaned from other sources into Snort - treating it more as the "company
IDS" than the "Internet IDS" if you catch my drift.

Has anyone else done anything like that, and more importantly, would it be
worth doing? I'm thinking of resurrecting logsnorter and allowing it to
inject other syslog records into Snort, such as:

Class: misc-activity

 * Qmail-Scanner virus alerts
 * SpamAssassin hits
 * rblsmtpd
 * tftp filenames

Class: attempted-recon

 * failed tcpwrapper connections

Class: attempted-user/attempted-admin

 * failed logins (PAM/NT domain/other?)
 * unsuccessful logins

Class: successful-user/successful-admin

 * failed logins (PAM/NT domain/other?)
 * successful logins

Sound stupid? Not worth the effort?


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
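
The mapping proposed in the post, sketched as an added example that is not part of the original message and is not logsnorter's code: syslog lines are assigned the Snort classtypes named above, and repeats are collapsed into counted entries to keep alert volume down. The regex patterns, the rule that a `root` login maps to the `-admin` classtype, and the sample log lines are all assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed patterns, modelled on common OpenSSH and tcp_wrappers syslog text.
RULES = [
    (re.compile(r"Failed password for (?:(?:invalid|illegal) user )?"
                r"(?P<user>\S+) from (?P<src>\S+)"), "attempted"),
    (re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"),
     "successful"),
    (re.compile(r"refused connect from (?P<src>\S+)"), "attempted-recon"),
]

# Constructed sample input (documentation address ranges, made-up hosts).
SAMPLE = """\
Apr  6 21:10:01 gw sshd[411]: Failed password for root from 192.0.2.10 port 4022 ssh2
Apr  6 21:10:03 gw sshd[411]: Failed password for root from 192.0.2.10 port 4022 ssh2
Apr  6 21:10:09 gw sshd[415]: Failed password for invalid user test from 192.0.2.10 port 4031 ssh2
Apr  6 21:12:40 gw sshd[420]: Accepted password for jdoe from 198.51.100.7 port 5120 ssh2
Apr  6 21:13:02 gw in.tftpd[433]: refused connect from 203.0.113.5
Apr  6 21:14:00 gw crond[440]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()


def classify(line):
    """Return {'classtype', 'src', 'user'} for a matching line, else None."""
    for pattern, kind in RULES:
        match = pattern.search(line)
        if not match:
            continue
        fields = match.groupdict()
        user = fields.get("user")
        if kind in ("attempted", "successful"):
            # Assumption: logins as root count as admin, all others as user.
            kind += "-admin" if user == "root" else "-user"
        return {"classtype": kind, "src": fields["src"], "user": user}
    return None  # unmatched lines never reach the alert DB


def summarize(lines):
    """Collapse repeats into one counted entry per (classtype, src, user)."""
    events = filter(None, map(classify, lines))
    return Counter((e["classtype"], e["src"], e["user"]) for e in events)


if __name__ == "__main__":
    for (classtype, src, user), count in summarize(SAMPLE).items():
        print(f"{count:3d}  {classtype:16s} src={src} user={user}")
```
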
