[Snort-users] Extracting reports per IP address

Dev Anand deva.security at ...11827...
Tue Nov 14 21:51:52 EST 2006


Customising BASE can be very well done with the help of the BASE
developers, who are always more than helpful at times.

So I would suggest you post a query in their forum at SourceForge.
You will get a positive response.


On 11/15/06, Landon Stewart | Superb Internet Corp.
<landonstewart at ...11827...> wrote:
> We provide shared hosting, colocation services and server rental.  We need
> to enforce our AUP more proactively and detect malicious outgoing traffic
> before we get complaints about it.
> We are mirroring outgoing traffic for 3 quite large VLANS to a machine with
> a GigE interface.  The machine is running snort.  I have not even come close
> to figuring out which rules we want to load yet.
> What I want is to be able to generate a report on a regular basis looking
> for all of our IP addresses that were the source of a triggered event and
> report those events to the customer responsible for that server.
> While BASE provides a good way of viewing what's in the snort database it
> does not do what I need.  I'm having a lot of trouble finding information on
> reporting because the snort database, while optimized for speed, appears to
> be quite complex.
> On regular intervals I want to:
> - Get all the source IP addresses since the last run and discard those that
> do not belong to us
> - For each IP address that has one or more events I want to list all the
> events for that IP address
> - I will then open a ticket on the responsible customer's account with this
> information alerting them to the possibility of a policy violation or
> security issue with their server.
> Seems pretty straightforward but how can I get this information in a
> readable report something like what is produced with the "Email Alert(s)
> (full)" output included in BASE?
> --
> Landon Stewart
> Superb Internet Corporation
> Toll Free: 888-354-6128 x 4199 (US/Canada)
> International: 604-638-2525 x 4199
> Web hosting and more "Ahead of the Rest": http://www.superb.net
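The per-IP reporting loop that the quoted question describes (source IPs since the last run, filtered to our own netblocks, events listed per address), as an added example that is not from this thread or from BASE: the table and column names (event, iphdr, signature, with ip_src stored as an unsigned 32-bit integer) are assumed from the Snort database schema and reproduced in an in-memory SQLite database, and the netblocks, timestamps and alert names are constructed sample data.

```python
import ipaddress
import sqlite3
from collections import defaultdict

OUR_NETBLOCKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]  # constructed

def build_sample_db():
    """In-memory SQLite stand-in for the Snort DB (table/column names assumed from its schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
        CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER);""")
    db.executemany("INSERT INTO signature VALUES (?,?)",
                   [(1, "SCAN nmap TCP"), (2, "POLICY outbound IRC connection")])
    # (cid, sig_id, timestamp, src, dst): constructed; #3 is from a foreign host, #4 predates the last run.
    sample = [(1, 1, "2006-11-14 10:00:00", "198.51.100.7", "192.0.2.10"),
              (2, 2, "2006-11-14 11:30:00", "198.51.100.7", "192.0.2.22"),
              (3, 1, "2006-11-14 12:00:00", "192.0.2.99", "198.51.100.7"),
              (4, 2, "2006-11-13 09:00:00", "203.0.113.5", "192.0.2.5"),
              (5, 2, "2006-11-14 13:00:00", "203.0.113.5", "192.0.2.5")]
    for cid, sig, ts, src, dst in sample:  # Snort stores IPv4 addresses as 32-bit integers
        db.execute("INSERT INTO event VALUES (1,?,?,?)", (cid, sig, ts))
        db.execute("INSERT INTO iphdr VALUES (1,?,?,?)",
                   (cid, int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))))
    return db

def events_per_source(db, since, netblocks=OUR_NETBLOCKS):
    """Map src_ip -> [(timestamp, sig_name, dst_ip), ...] for events after `since` from our space."""
    rows = db.execute("""
        SELECT e.timestamp, s.sig_name, i.ip_src, i.ip_dst
        FROM event e JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
                     JOIN signature s ON s.sig_id = e.signature
        WHERE e.timestamp > ? ORDER BY i.ip_src, e.timestamp""", (since,))
    report = defaultdict(list)
    for ts, name, src, dst in rows:
        src_ip = ipaddress.IPv4Address(src)
        if any(src_ip in net for net in netblocks):  # discard addresses that are not ours
            report[str(src_ip)].append((ts, name, str(ipaddress.IPv4Address(dst))))
    return dict(report)

def render_report(report):  # one plain-text block per customer IP, ready to paste into a ticket
    lines = []
    for ip, events in sorted(report.items()):
        lines.append(f"== {ip}: {len(events)} event(s) ==")
        lines += [f"  {ts}  {name}  -> {dst}" for ts, name, dst in events]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_report(events_per_source(build_sample_db(), "2006-11-14 00:00:00")))
```

Against a real Snort database the same SELECT runs unchanged; replace build_sample_db() with a connection to that database and feed the previous run's timestamp as `since`.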
