[Snort-users] Re: Snort automatic email alert

Adam Ely adam at ...11953...
Thu Aug 12 08:14:01 EDT 2004


Sorry I missed this thread until this morning.


>>Yes.  MySQL/ACID does not scale.  (sure, it's kinda neat if you
>>want to browse around in a limited data set, but MySQL limitations
>>keep you from having real historical datasets.  You'll go to pcap files
>>eventually.)

Snortnotify was written to serve those who use MySQL logging. It does not
require nor use ACID in any way. Products can be written to take advantage
of MySQL logging that are not web based. I personally use MySQL logging to
correlate events and data mine, and it works rather well for me.
Snortnotify was also released to show a framework that can be used if you
decide to store data in MySQL in another manner, say process the logs off
of the disk and store them in a more centralized, scalable manner.


>> And mining through the snortdb schema inside MySQL for event text in
>>order to send email alerts is kinda like bringing a hatchet to an ice
>>cream social.

As far as mining through the snortdb schema, I like your analogy, but really
the work is done for you; that's why we write software.

>>instead of digging around in a browser all day trying to figure out
>>which false alarm you're looking at this time..

I have very few false positives that I do not want to see, meaning I log
and watch a lot of legitimate traffic, but unexpected false positives are
very low. Another topic altogether, but I see a lot of people complain
about false positives and then have very poor configs.

Thanks for the recommendation Patrick and feedback Erik.
Adam


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Aug 06, 2004 at 07:50:23PM -0500, Harper, Patrick wrote:
> Don't those all use syslog?

Yes.  MySQL/ACID does not scale.  (sure, it's kinda neat if you
want to browse around in a limited data set, but MySQL limitations
keep you from having real historical datasets.  You'll go to pcap files
eventually.)

And mining through the snortdb schema inside MySQL for event text in
order to send email alerts is kinda like bringing a hatchet to an ice
cream social.

Besides, if you use SEC to do this, you can spend all your time writing
state engine rules so that you can use the state engine to do work for you,
instead of digging around in a browser all day trying to figure out which
false alarm you're looking at this time..

But if you like that sort of thing, don't let me stop you.

- --
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQFBFCyDQ7EzrewLMS0RAmnBAKDDhTMH0WJ4gQMyHhTE8Qpk+CASmgCeINUf
tNltxLiabAVy6yTW1lfadsM=
=1xsT
-----END PGP SIGNATURE-----
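The thread argues about whether "mining through the snortdb schema" for event text to send email alerts is worth doing, and Adam mentions using MySQL logging to correlate events. The following is an added example (not snortnotify's code, and not from either poster) of what such a poller looks like: it keeps a `cid` watermark per sensor, joins `event`, `signature` and `iphdr` for anything newer, applies a small correlation rule (high-priority signatures alert immediately, lower priorities only when the same source repeats the same signature), and builds the email digest. Assumptions: the tables are a simplified subset of the snortdb schema (only the columns used here), the sample rows are constructed, sqlite3 stands in for MySQL, and the addresses, table contents and thresholds are placeholders.

```python
import sqlite3
import socket
import struct
from collections import defaultdict
from email.message import EmailMessage

# Assumption: a simplified subset of the snortdb schema. The real schema has
# more tables and columns; only the ones this digest needs are modelled.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    PRIMARY KEY (sid, cid));
"""

def ip_to_int(addr):
    """snortdb stores IPv4 addresses as unsigned 32-bit integers."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]

def int_to_ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))

# Constructed sample data (documentation-range addresses, made-up signature names).
SAMPLE_SIGNATURES = [
    (1, "SCAN nmap TCP", 3),
    (2, "WEB-ATTACKS /etc/passwd access attempt", 1),
    (3, "ICMP PING", 3),
]
SAMPLE_EVENTS = [  # (sid, cid, signature, timestamp, src, dst)
    (1, 1, 3, "2004-08-12 08:00:01", "192.0.2.10", "198.51.100.5"),
    (1, 2, 1, "2004-08-12 08:01:10", "192.0.2.10", "198.51.100.5"),
    (1, 3, 1, "2004-08-12 08:01:11", "192.0.2.10", "198.51.100.6"),
    (1, 4, 1, "2004-08-12 08:01:12", "192.0.2.10", "198.51.100.7"),
    (1, 5, 2, "2004-08-12 08:02:00", "203.0.113.7", "198.51.100.5"),
    (1, 6, 3, "2004-08-12 08:03:00", "192.0.2.99", "198.51.100.5"),
]

def load_sample_db():
    """Build an in-memory stand-in for the snortdb MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?,?,?)", SAMPLE_SIGNATURES)
    for sid, cid, sig, ts, src, dst in SAMPLE_EVENTS:
        conn.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?,?,?,?)",
                     (sid, cid, ip_to_int(src), ip_to_int(dst)))
    conn.commit()
    return conn

def fetch_new_events(conn, sid, last_cid):
    """Events for sensor `sid` newer than the `cid` watermark, with signature text and IPs."""
    rows = conn.execute(
        """SELECT e.cid, e.timestamp, s.sig_name, s.sig_priority, i.ip_src, i.ip_dst
           FROM event e
           JOIN signature s ON s.sig_id = e.signature
           JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
           WHERE e.sid = ? AND e.cid > ?
           ORDER BY e.cid""", (sid, last_cid)).fetchall()
    return [dict(cid=c, ts=t, name=n, priority=p, src=int_to_ip(a), dst=int_to_ip(b))
            for c, t, n, p, a, b in rows]

def select_alerts(events, max_priority=1, repeat_threshold=3):
    """Correlation rule: priority <= max_priority alerts at once; anything else alerts
    only when the same (source, signature) pair reaches repeat_threshold in this batch."""
    alerts, counts = [], defaultdict(int)
    for ev in events:
        if ev["priority"] <= max_priority:
            alerts.append(("high-priority", ev))
            continue
        key = (ev["src"], ev["name"])
        counts[key] += 1
        if counts[key] == repeat_threshold:  # fires once, when the threshold is crossed
            alerts.append(("repeated", ev))
    return alerts

def build_digest(alerts, sender="snort@sensor.example", recipient="soc@example.org"):
    """Render the selected alerts as one email message (placeholder addresses)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"[snort] {len(alerts)} alert(s)"
    lines = [f"{kind:13} cid={ev['cid']} {ev['ts']} {ev['src']} -> {ev['dst']} "
             f"{ev['name']} (prio {ev['priority']})" for kind, ev in alerts]
    msg.set_content("\n".join(lines) or "no alerts")
    return msg

def poll(conn, sid, last_cid):
    """One polling cycle: returns the digest and the new watermark to persist.
    In production the message would go to smtplib.SMTP(...).send_message(msg)."""
    events = fetch_new_events(conn, sid, last_cid)
    new_cid = max((ev["cid"] for ev in events), default=last_cid)
    return build_digest(select_alerts(events)), new_cid

if __name__ == "__main__":
    msg, watermark = poll(load_sample_db(), sid=1, last_cid=0)
    print(msg)
    print("next watermark:", watermark)
```

The watermark is the key design point: because snortdb's `cid` is monotonic per sensor, the poller never re-sends old events after a restart as long as the last `cid` is persisted, and the correlation rule suppresses the single-occurrence low-priority noise that would otherwise flood the inbox.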
