[Snort-users] Snortsam log to database and correlation with snortdb
frank at ...9761...
Wed Apr 21 07:57:12 EDT 2004
On Wed, 2004-04-21 at 05:24, Chan Kien Eng wrote:
> Has anyone done this before: logging the snortsam logs to a database
> and doing some sort of correlation between them?
Never thought of it since it is the Snort alert that causes Snortsam to
block. What do you need to correlate?
> The idea is to answer the question: How do I know that when the
> signature is triggered, snortsam is actually doing the firewall
> blocking? Of course we can do it manually by comparing the snortsam logs
> and the snort logs from ACID etc, but this is too manual and it's time
> consuming. I'm trying to find something that can make life easier :)
Email plugin perhaps?
I'll be adding a syslog plugin to Snortsam sometime this summer. Perhaps
that can be used. (You could even force that into a database with
syslog-ng or similar).
I'm not sure that Snortsam really needs a SQL plugin. Seems too
Warning at the Gates of Bill:
Abandon hope, all ye who press <ENTER> here...
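The correlation the thread is asking about (did a block actually follow each Snort alert?) can be scripted once both sides are in a form you can parse. The following is an added example, not code from the thread, from Snort, or from Snortsam: it takes alert rows in the shape a query against snortdb might return (column names are assumed, not the real schema) and Snortsam log lines in a constructed layout (the line format and the regex are assumptions; adjust them to what your Snortsam writes), then pairs each alert with a block for the same source IP and signature inside a short time window. Alerts without a block and blocks without an alert are reported separately, since both are the cases a defender wants to see.

```python
import re
from datetime import datetime, timedelta

# Constructed sample rows (not real Snort output). The shape loosely follows
# what a snortdb query joining event, signature and iphdr would return; the
# column names here are an assumption, not the real snortdb schema.
SNORT_ALERTS = [
    {"cid": 1, "sig_id": 1234, "sig_name": "SCAN nmap TCP",
     "timestamp": "2004-04-21 05:24:10", "ip_src": "10.1.2.3"},
    {"cid": 2, "sig_id": 2001, "sig_name": "WEB-ATTACKS id command attempt",
     "timestamp": "2004-04-21 05:30:00", "ip_src": "10.9.9.9"},
    {"cid": 3, "sig_id": 3000, "sig_name": "SCAN SSH brute force",
     "timestamp": "2004-04-21 06:00:00", "ip_src": "172.16.5.5"},
]

# Constructed Snortsam log lines. The line layout is an assumption made for
# this example; adapt BLOCK_RE to the format your Snortsam actually writes.
SNORTSAM_LOG = """\
2004/04/21, 05:24:11, 192.168.0.5, 1, snortsam, Blocking host 10.1.2.3 in both directions for 600 seconds (Sig_ID: 1234).
2004/04/21, 05:45:00, 192.168.0.5, 1, snortsam, Blocking host 10.0.0.7 in both directions for 600 seconds (Sig_ID: 9999).
2004/04/21, 06:20:00, 192.168.0.5, 1, snortsam, Blocking host 172.16.5.5 in both directions for 600 seconds (Sig_ID: 3000).
2004/04/21, 06:21:00, 192.168.0.5, 1, snortsam, Unblocking host 10.1.2.3.
"""

# Matches only "Blocking host" lines that carry a Sig_ID; unblock lines are skipped.
BLOCK_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}), (?P<time>\d{2}:\d{2}:\d{2}), .*?"
    r"Blocking host (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b.*?Sig_ID: (?P<sig>\d+)"
)


def parse_snortsam_blocks(text):
    """Return a list of block records {when, ip, sig_id, line} from Snortsam log text."""
    blocks = []
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["date"] + " " + m["time"], "%Y/%m/%d %H:%M:%S")
        blocks.append({"when": when, "ip": m["ip"], "sig_id": int(m["sig"]), "line": line})
    return blocks


def correlate(alerts, blocks, window_seconds=60):
    """Pair each alert with the first unused block for the same source IP and
    signature that falls within window_seconds after the alert timestamp.

    Returns {"confirmed": [cid...], "unblocked": [cid...], "orphan_blocks": [line...]}.
    A block that arrives outside the window is deliberately not counted as
    confirmation: a block 20 minutes late is a finding, not a success.
    """
    window = timedelta(seconds=window_seconds)
    confirmed, unblocked, used = [], [], set()
    for a in alerts:
        t = datetime.strptime(a["timestamp"], "%Y-%m-%d %H:%M:%S")
        hit = None
        for i, b in enumerate(blocks):
            if i in used:
                continue
            if b["ip"] == a["ip_src"] and b["sig_id"] == a["sig_id"] and t <= b["when"] <= t + window:
                hit = i
                break
        if hit is None:
            unblocked.append(a["cid"])
        else:
            used.add(hit)
            confirmed.append(a["cid"])
    # Blocks that no alert claimed: either an alert missing from the database
    # or a block triggered by something other than the alerts you queried.
    orphan_blocks = [b["line"] for i, b in enumerate(blocks) if i not in used]
    return {"confirmed": confirmed, "unblocked": unblocked, "orphan_blocks": orphan_blocks}


if __name__ == "__main__":
    result = correlate(SNORT_ALERTS, parse_snortsam_blocks(SNORTSAM_LOG))
    print("alerts confirmed blocked:", result["confirmed"])
    print("alerts with no matching block:", result["unblocked"])
    for line in result["orphan_blocks"]:
        print("block with no matching alert:", line)
```

With the constructed data, alert 1 is confirmed, alert 2 never produced a block, and alert 3's block arrived 20 minutes late and so is listed as an orphan rather than a confirmation. When the syslog plugin mentioned above lands, the same `correlate` function works unchanged; only `parse_snortsam_blocks` would need to read syslog rows instead of the flat file.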