[Snort-users] Snortsam log to database and correlation with snortdb

Che Wan Zaharudin azhar at ...11599...
Wed Apr 21 23:59:00 EDT 2004


Hi,

Can you give a script example to process the snortsam logs? You did
mention displaying a FireW'd icon. Is it in ACID? How do you do that?

Thanks.

-----Original Message-----
From: Sean Wheeler [mailto:s.wheeler at ...2876...] 
Sent: Thursday, April 22, 2004 1:57 AM
To: Chan Kien Eng; snort-users at lists.sourceforge.net
Subject: AW: [Snort-users] Snortsam log to database and correlation with snortdb


Hi,

What I did in this case is have a script which processes the snortsam
logs and pops the relevant entries in the DB.

The frontend, when querying the events table, additionally does a peek in
the snortsam log table. If a correlation is found it displays a FireW'd icon.

Below is an example table schema

-- One row per snortsam log line. On MySQL 5 and later use ENGINE=MyISAM;
-- the old TYPE=MyISAM spelling is no longer accepted.
CREATE TABLE `fw_log` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `date` date NOT NULL default '0000-00-00',       -- date of the log entry
  `time` time NOT NULL default '00:00:00',         -- time of the log entry
  `code` int(10) unsigned NOT NULL default '0',    -- code field from the log
  `facility` varchar(20) NOT NULL default '',      -- facility field from the log
  `ipaddress` varchar(15) NOT NULL default '',     -- dotted-quad address
  `w_b` tinyint(1) unsigned NOT NULL default '0',  -- flag set by the import script
  `msg` varchar(255) NOT NULL default '',          -- raw message text
  PRIMARY KEY  (`id`),
  UNIQUE KEY `d_t_m` (`date`,`time`,`msg`)         -- rejects re-importing the same line
) ENGINE=MyISAM AUTO_INCREMENT=1 ;


regards

Sean
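An added example of the kind of script Sean describes, not code from Sean or from the snortsam project: it parses constructed snortsam-style log lines into rows shaped like the fw_log table, loads them into SQLite next to constructed snortdb-style events, and flags each event FireW'd when a block of its source address was logged shortly afterwards. The log line layout, the event row shape and the 60-second window are assumptions.

```python
import re
import sqlite3

# Constructed snortsam-style log lines for this example. The real snortsam log
# layout differs between versions, so the regex below is an assumption: adjust it.
SNORTSAM_LOG = """\
2004/04/21, 12:25:03, sensor1, 1, Blocking host 192.168.10.20 for 600 seconds
2004/04/21, 12:35:03, sensor1, 1, Unblocking host 192.168.10.20
2004/04/21, 13:02:44, sensor1, 1, Blocking host 10.9.8.7 for 600 seconds
"""
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}), (?P<time>\d{2}:\d{2}:\d{2}), (?P<facility>[^,]+), "
    r"(?P<code>\d+), (?P<msg>(?P<action>Blocking|Unblocking) host "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*)$")

def parse_snortsam(text):
    """Turn log lines into tuples matching the fw_log columns; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # w_b: 1 for a block, 0 for an unblock
            rows.append((m["date"].replace("/", "-"), m["time"], int(m["code"]), m["facility"],
                         m["ip"], 1 if m["action"] == "Blocking" else 0, m["msg"]))
    return rows

def correlate(events, fw_rows, window_s=60):
    """Flag each snort event FireW'd if a block of its source IP was logged within
    window_s seconds after the event (the correlation rule itself is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fw_log (date TEXT, time TEXT, code INT, facility TEXT, "
               "ipaddress TEXT, w_b INT, msg TEXT)")
    db.execute("CREATE TABLE event (cid INT, sig_name TEXT, timestamp TEXT, ip_src TEXT)")
    db.executemany("INSERT INTO fw_log VALUES (?,?,?,?,?,?,?)", fw_rows)
    db.executemany("INSERT INTO event VALUES (?,?,?,?)", events)
    sql = """SELECT e.cid, e.sig_name,
                    EXISTS (SELECT 1 FROM fw_log f
                            WHERE f.ipaddress = e.ip_src AND f.w_b = 1
                              AND f.date || ' ' || f.time
                                  BETWEEN e.timestamp AND datetime(e.timestamp, ?)) AS firewalled
             FROM event e ORDER BY e.cid"""
    return {cid: (sig, bool(fw)) for cid, sig, fw in db.execute(sql, (f"+{window_s} seconds",))}

# Constructed rows shaped like snortdb's event table joined with iphdr (cid, signature, time, src)
EVENTS = [(1, "SCAN nmap TCP", "2004-04-21 12:25:01", "192.168.10.20"),
          (2, "WEB-ATTACKS /bin/sh", "2004-04-21 13:02:40", "10.9.8.7"),
          (3, "ICMP PING", "2004-04-21 14:00:00", "172.16.0.5")]

if __name__ == "__main__":
    for cid, (sig, fw) in correlate(EVENTS, parse_snortsam(SNORTSAM_LOG)).items():
        print(cid, sig, "FireW'd" if fw else "-")
```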

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On behalf of Chan Kien Eng
Sent: Wednesday, 21 April 2004 12:25
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snortsam log to database and correlation with snortdb


Hi all,

Has anyone done this before: logging the snortsam logs to a database
and doing some sort of correlation between them?

The idea is to answer the question: How do I know that when the
signature is triggered, snortsam is actually doing the firewall
blocking? Of course we can do it manually by comparing the snortsam logs
and the snort logs from ACID etc., but this is too manual and it's time
consuming. I'm trying to look for something that can make life easier :)

Any ideas?

Thanks.





-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
