[Snort-users] Re: Snort-users digest, Vol 1 #3813 - 6 msgs

Arif OZGUR arif at ...10730...
Wed Dec 10 23:37:04 EST 2003


----- Original Message -----
From: <snort-users-request at lists.sourceforge.net>
To: <snort-users at lists.sourceforge.net>
Sent: Thursday, December 11, 2003 6:05 AM
Subject: Snort-users digest, Vol 1 #3813 - 6 msgs


> Send Snort-users mailing list submissions to
> snort-users at lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
> snort-users-request at lists.sourceforge.net
>
> You can reach the person managing the list at
> snort-users-admin at lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> Today's Topics:
>
>    1. Snort, Mysql purging (Jack Snedecor)
>    2. Database output (Erwin Van de Velde)
>    3. Visual Basic excel graph (Mario Guerendo)
>    4. Re: Snort, Mysql purging (Josh Berry)
>    5. Re: Snort, Mysql purging (Frank Knobbe)
>    6. src/snortman.tex (Ted Rolle)
>
> --__--__--
>
> Message: 1
> From: Jack Snedecor <jsnedecor at ...10724...>
> To: snort-users at lists.sourceforge.net
> Date: Wed, 10 Dec 2003 18:11:18 -0500
> Subject: [Snort-users] Snort, Mysql purging
>
> New user....
>
>
>
> I have installed snort, mysql and acid per the published instructions.
> Works great.
>
> I am by no means an expert at any of these though.
>
> What I have not found is a method to purge the database on a regular
> schedule.
>
> I had a minor welchia virus this week that drove the database size way up.
> Now acid is taking minutes to build pages.  Can someone point me in the right
> direction?
>
>
>
> Jack Snedecor
>
> GiS
>
> VP, Network Operations Group
>
> -----Original Message-----
> From: Sp0oKeR Labs [mailto:spooker at ...10483...]
> Sent: Wednesday, December 10, 2003 6:47 PM
> To: Grammer, Christopher S; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Remote NIDS
>
>
>
> At your snort.conf, in all sensors use:
>
>
>
> output database: log, mysql, user=user_snort password=pass_snort
> dbname=db_snort host=ip_server_mysql_acid
>
>
>
> You can create the snort database with create_mysql at contrib/ directory.
>
> Best Regards,
>
>
>
> Sp0oKeR
>
> ----- Original Message -----
>
> From: Grammer, Christopher S <mailto:christopher.grammer at ...7950...>
>
> To: snort-users at lists.sourceforge.net
> <mailto:snort-users at lists.sourceforge.net>
>
> Sent: Wednesday, December 10, 2003 7:03 PM
>
> Subject: [Snort-users] Remote NIDS
>
>
>
> I am looking for a method to have remote NIDS log alerts to a central
> SNORT/Acid box running MySQL and Redhat 9.0.
>
> Anyone have a link for docs on this or recommendations?
>
>
>
> Chris
>
>
>
> --__--__--
>
> Message: 2
> From: Erwin Van de Velde <erwin.vandevelde at ...10361...>
> To: snort-users at lists.sourceforge.net
> Date: Thu, 11 Dec 2003 00:14:37 +0100
> Subject: [Snort-users] Database output
>
> Hi,
>
> I'm using a postgresql database to store the output of my snort sensors, but
> what happens if the database is temporarily unavailable (for instance,
> connecting fails due to a heavy load on network / database)? Does snort keep
> the queries for sending when database connectivity is restored? Or are these
> queries dropped?
> In my opinion, storing these queries temporarily is the safest solution, as we
> must certainly log data when a severe attack on our network takes place...
> And then chances are bigger that we can't connect to the database
> immediately.
> And does snort open a database connection for every query it sends? Or is
> there some sort of persistent connection (for example one that times out
> after 1 minute of inactivity, closing the connection then)...
> I'd like to use SSL connections to the database, using stunnel, but opening a
> connection for every query would have severe consequences for network and
> server.
>
> Thanks in advance,
>
> Erwin Van de Velde
> Student of Antwerp University
> Belgium
>
>
>
> --__--__--
>
> Message: 3
> From: "Mario Guerendo" <m.guerendo at ...5068...>
> To: <snort-users at lists.sourceforge.net>
> Date: Wed, 10 Dec 2003 18:31:16 -0500
> Subject: [Snort-users] Visual Basic excel graph
>
> Hello everyone,
>
>
>
> I have a little project, I am trying to have a script/program that would
> data on attacks, Denial of Service attacks to be precise.  I would like to
> dump the data in an excel spreadsheet and create pie chart /bar graph.
> Anyone willing to help?  I am willing to pay a few bucks for this.
>
>
>
> Thx for the help.
>
>
>
>
>
>
>
>
>
> --__--__--
>
> Message: 4
> Date: Wed, 10 Dec 2003 17:36:39 -0600 (CST)
> Subject: Re: [Snort-users] Snort, Mysql purging
> From: "Josh Berry" <josh.berry at ...10221...>
> To: "Jack Snedecor" <jsnedecor at ...10724...>
> Cc: snort-users at lists.sourceforge.net
>
> I HIGHLY suggest NOT deleting the information.  I suggest having a
> secondary archive db that you move stuff like Welchia to when you think
> you don't need it anymore.  That way you can keep the data and free up
> resources on your primary DB.  Then if you really need to delete the data
> you can on the archive.
>
> Acid provides a drop-down bar to allow you to delete any query you run but
> if you really want to purge the DB then use a truncate table [table_name]
> command in MySQL.
>
>
> Thanks,
> Josh Berry, CTO
> LinkNet-Solutions
> 469-831-8543
> josh.berry at ...10268...
>
>
>
> --__--__--
>
> Message: 5
> Subject: Re: [Snort-users] Snort, Mysql purging
> From: Frank Knobbe <frank at ...9761...>
> To: snort-users at lists.sourceforge.net
> Cc: Jack Snedecor <jsnedecor at ...10724...>, Josh Berry <josh.berry at ...10221...>
> Date: Wed, 10 Dec 2003 17:56:46 -0600
>
>
>
> On Wed, 2003-12-10 at 17:36, Josh Berry wrote:
> > I HIGHLY suggest NOT deleting the information.  I suggest having a
> > secondary archive db that you move stuff like Welchia to when you think
> > you don't need it anymore.
>
> I guess that all depends on your or your company's policy. You can dump
> certain data. I routinely dump the contents of the DATA table for
> certain signatures after a period of time. I don't see a reason to keep
> the same exact content for, say, the SQL-Slammer in the DB. Other
> content (IPHDR and friends) is archived. But certain ballast is dumped.
>
> You need to consider the usefulness of the data. Will you ever go back
> to data from IPHDR for an event that occurred a year ago?
>
> Perhaps this thread can evolve into a DB/data retention policy thread.
> To yell categorically "yes" or "no" is wrong. The correct answer is
> "depends" :)
>
> Cheers,
> Frank
>
>
>
>
>
> --__--__--
>
> Message: 6
> Date: Wed, 10 Dec 2003 21:16:53 -0600 (CST)
> From: Ted Rolle <ted at ...10726...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] src/snortman.tex
>
> Where is src/snortman.tex?  It's mentioned in the Snort docs, but I've not
> found it.  Even after a Google search.  Also is there an HTML version of
> the docs with hyperlinking?
>
> Thanks
>
>
>
> --__--__--
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
>
> End of Snort-users Digest

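The purging thread above (Jack's question in message 1, Josh's archive-then-truncate advice in message 4, and Frank's "drop the payload for noisy signatures after a while" in message 5) never shows the actual statements. The following is an added example written for this page, not code from the thread or from the Snort/ACID projects. It assumes a live database named `snort` and an archive database named `snort_archive`, both created from the `create_mysql` script mentioned in message 1, so that the table and column names (`event`, `data`, `iphdr`, `tcphdr`, `udphdr`, `icmphdr`, `signature`, keyed by `sid`, `cid`) follow that script; the signature-name pattern and the 7/30/90-day windows are placeholders to be replaced by your own retention policy.

```sql
-- Added example: a retention pass for a Snort/ACID MySQL database.
-- Assumes: live DB `snort`, archive DB `snort_archive` built from the same
-- create_mysql script (tables event, data, iphdr, tcphdr, udphdr, icmphdr,
-- signature; per-event key (sid, cid)). Adjust names to your schema version.
USE snort;

-- 1. Size the problem first: which signatures filled the DB in the last 30 days?
SELECT s.sig_name, COUNT(*) AS hits
  FROM event e
  JOIN signature s ON s.sig_id = e.signature
 WHERE e.timestamp >= NOW() - INTERVAL 30 DAY
 GROUP BY s.sig_name
 ORDER BY hits DESC
 LIMIT 20;

-- 2. Archive, don't delete (message 4): copy everything older than 90 days to
--    the archive DB, then remove it from the live tables. The transaction only
--    protects you on InnoDB tables; MyISAM (the default for old create_mysql
--    schemas) commits each statement as it runs, so take a mysqldump first.
START TRANSACTION;

CREATE TEMPORARY TABLE to_archive AS
  SELECT sid, cid FROM event
   WHERE timestamp < NOW() - INTERVAL 90 DAY;

INSERT IGNORE INTO snort_archive.event   SELECT e.* FROM event   e JOIN to_archive t USING (sid, cid);
INSERT IGNORE INTO snort_archive.iphdr   SELECT h.* FROM iphdr   h JOIN to_archive t USING (sid, cid);
INSERT IGNORE INTO snort_archive.tcphdr  SELECT h.* FROM tcphdr  h JOIN to_archive t USING (sid, cid);
INSERT IGNORE INTO snort_archive.udphdr  SELECT h.* FROM udphdr  h JOIN to_archive t USING (sid, cid);
INSERT IGNORE INTO snort_archive.icmphdr SELECT h.* FROM icmphdr h JOIN to_archive t USING (sid, cid);
INSERT IGNORE INTO snort_archive.data    SELECT d.* FROM data    d JOIN to_archive t USING (sid, cid);

-- Child rows first, the event row last, so a partial failure never leaves
-- orphaned packet data with no parent event.
DELETE d FROM data    d JOIN to_archive t USING (sid, cid);
DELETE h FROM icmphdr h JOIN to_archive t USING (sid, cid);
DELETE h FROM udphdr  h JOIN to_archive t USING (sid, cid);
DELETE h FROM tcphdr  h JOIN to_archive t USING (sid, cid);
DELETE h FROM iphdr   h JOIN to_archive t USING (sid, cid);
DELETE e FROM event   e JOIN to_archive t USING (sid, cid);

DROP TEMPORARY TABLE to_archive;
COMMIT;

-- 3. Frank's middle road (message 5): keep the event and header rows for a
--    known-noisy signature, but drop its payload once it is a week old. A
--    worm's payload is identical on every hit, so the DATA rows add nothing.
DELETE d FROM data d
  JOIN event e     USING (sid, cid)
  JOIN signature s ON s.sig_id = e.signature
 WHERE s.sig_name LIKE '%Welchia%'          -- placeholder pattern
   AND e.timestamp < NOW() - INTERVAL 7 DAY;

-- 4. Reclaim the freed space and rebuild index statistics so ACID's page
--    queries stop scanning dead rows.
OPTIMIZE TABLE event, data, iphdr, tcphdr, udphdr, icmphdr;
```

Run step 1 on its own before anything else; it tells you whether the growth is one signature (in which case step 3 alone may be enough) or general volume (step 2). If ACID's own `acid_event` cache table is present in your install, give it the same copy-then-delete treatment keyed on `sid`, `cid`, or ACID will keep listing events whose packet rows are gone. Steps 2 through 4 are what you would put in a cron job to get the "regular schedule" asked for in message 1; `truncate table`, as mentioned in message 4, is the blunt alternative that throws away the history Josh advises keeping.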