[Snort-users] event correlation/aggregation;extrusion detection

Jochen Kaiser Jochen.Kaiser at ...704...
Mon Apr 4 04:14:03 EDT 2005


Hi,

I am trying to use snort for extrusion detection for a large
class B network. As you can imagine, I get tons (i.e. hundreds
of thousands) of events - already specialized on bleeding-edge
snort rules on malicious activity. Logging this in a database
using the well known snort/acid scheme doesn't make sense. 

Has any of you implemented an alternative snort database
plugin? It would be nice to hear your thoughts before I do
develop my own one based on my personal needs for extrusion
detection.

Another one: are there guidelines for handling millions
of events with snort? Any experience? 

Are there any notable 'snort event correlation/aggregation' 
papers?

greetings and regards,
jk
-- 
Dipl. Inf. Jochen Kaiser, GPG 0x3C93A870, phone +49 9131 85-28681
Network Administration  mailto:jochen.kaiser at ...704...
Regionales Rechenzentrum Universitaet Erlangen-Nuernberg, Germany
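As an added example (not part of the original post or of Snort itself), one way to do the aggregation the post asks about: collapse Snort alert_fast lines into one row per internal source host and signature, keeping only inside-to-outside traffic, before anything reaches a database. The sample alert lines, SIDs, and the internal address range are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Layout of a Snort 2 alert_fast line: "<ts>  [**] [gid:sid:rev] <msg> [**] [...] {proto} src[:port] -> dst[:port]"
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$'
)

def parse_fast(line):
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None

# Constructed sample alerts; SIDs 9000001/9000002 are placeholders, not real rule ids.
SAMPLE = """\
04/04-04:10:01.000001  [**] [1:9000001:1] EXAMPLE outbound scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.5.7:51000 -> 203.0.113.9:445
04/04-04:10:01.000020  [**] [1:9000001:1] EXAMPLE outbound scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.5.7:51001 -> 203.0.113.10:445
04/04-04:10:02.000001  [**] [1:9000001:1] EXAMPLE outbound scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.5.7:51002 -> 203.0.113.9:445
04/04-04:10:03.000001  [**] [1:9000002:1] EXAMPLE inbound probe [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.4:3333 -> 10.10.5.7:22
04/04-04:10:04.000001  [**] [1:9000001:1] EXAMPLE outbound scan [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.10.9.1 -> 10.10.9.2
"""

def aggregate_extrusion(lines, internal):
    """One row per (internal src, sid): alert count, distinct external dsts, first/last timestamp."""
    net = ip_network(internal)
    agg = {}
    for line in lines:
        ev = parse_fast(line)
        if not ev:
            continue
        src, dst = ip_address(ev['src']), ip_address(ev['dst'])
        if src not in net or dst in net:  # extrusion view: keep only inside -> outside
            continue
        key = (ev['src'], int(ev['sid']))
        row = agg.setdefault(key, {'msg': ev['msg'], 'count': 0, 'dsts': set(), 'first': ev['ts'], 'last': ev['ts']})
        row['count'] += 1
        row['dsts'].add(ev['dst'])
        row['last'] = ev['ts']
    return agg

def top_sources(agg, n=10):
    """Rank aggregated rows by alert volume: the triage list an analyst reads instead of raw events."""
    rows = sorted(agg.items(), key=lambda kv: kv[1]['count'], reverse=True)
    return [(src, sid, r['count'], len(r['dsts'])) for (src, sid), r in rows[:n]]

if __name__ == '__main__':
    for src, sid, cnt, ndst in top_sources(aggregate_extrusion(SAMPLE.splitlines(), '10.10.0.0/16')):
        print(f'{src} sid={sid} alerts={cnt} distinct_dsts={ndst}')
```

Five raw alerts collapse to a single row here; on a class B with hundreds of thousands of events the same keying is what makes the result small enough to store and review.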
