[Snort-users] Snortsam log to database and correlation with snortdb

Frank Knobbe frank at ...9761...
Wed Apr 21 07:57:12 EDT 2004


On Wed, 2004-04-21 at 05:24, Chan Kien Eng wrote:
> Has anyone done this before: logging the snortsam logs to a database
> and doing some sort of correlation between them? 

Never thought of it since it is the Snort alert that causes Snortsam to
block. What do you need to correlate?

> The idea is to answer the question: How do I know that when the
> signature is triggered, snortsam is actually doing the firewall
> blocking? Of course we can do it manually by comparing the snortsam logs
> and the snort logs from ACID etc, but this is too manual and it's time
> consuming. I'm trying to look for something that can make life easier :)

Email plugin perhaps?

I'll be adding a syslog plugin to Snortsam sometime this summer. Perhaps
that can be used. (You could even force that into a database with
syslog-ng or similar).

I'm not sure that Snortsam really needs a SQL plugin. Seems too
redundant.

Regards,
Frank

-- 
Warning at the Gates of Bill:  
Abandon hope, all ye who press <ENTER> here...
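A sketch of the correlation the question asks for, added here as an example and not code from the thread or from Snortsam: it takes Snort alerts (as they might be pulled from snortdb) and Snortsam log lines, and flags alerts for which no block of the source IP appears within a short window. The alert columns and the Snortsam line format are assumed for illustration, not the real schema or log format.

```python
from datetime import datetime, timedelta

# Constructed sample data. The alert tuple layout and the Snortsam line
# format below are assumptions, not the real snortdb schema or log format.
SNORT_ALERTS = [
    # (event time, rule sid, source ip)
    ("2004-04-21 05:20:01", 1000001, "10.1.1.5"),
    ("2004-04-21 05:21:30", 1000002, "10.1.1.9"),
    ("2004-04-21 05:22:10", 1000001, "10.1.1.7"),
]

SNORTSAM_LOG = """\
2004-04-21 05:20:02 blocking 10.1.1.5 for 600 seconds
2004-04-21 05:25:00 blocking 10.1.1.9 for 600 seconds
"""

def parse_snortsam(text):
    """Return (time, ip) for each assumed-format 'blocking' line."""
    blocks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "blocking":
            when = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
            blocks.append((when, parts[3]))
    return blocks

def correlate(alerts, blocks, window_seconds=30):
    """Map each alert to True if a block of its source IP followed within
    the window, else False. A block that arrives too late does not count,
    so a stalled or backlogged Snortsam still shows up as unverified."""
    result = {}
    window = timedelta(seconds=window_seconds)
    for when, sid, src in alerts:
        alert_time = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        verified = any(
            ip == src and alert_time <= t <= alert_time + window
            for t, ip in blocks
        )
        result[(when, sid, src)] = verified
    return result

def unverified(alerts, blocks, window_seconds=30):
    """Alerts with no matching block, in alert order."""
    return [k for k, ok in correlate(alerts, blocks, window_seconds).items() if not ok]

if __name__ == "__main__":
    for alert in unverified(SNORT_ALERTS, parse_snortsam(SNORTSAM_LOG)):
        print("no matching block:", alert)
```

With the sample data the first alert is verified, the second is flagged because its block came minutes later, and the third is flagged because no block was logged at all.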

