[Snort-users] Extracting reports per IP address
deva.security at ...11827...
Tue Nov 14 21:51:52 EST 2006
Customising BASE can be done very well with the help of the BASE
developers, who are always more than helpful at times.
So I would suggest you post a query in their forum at SourceForge.
You will get a positive response.
On 11/15/06, Landon Stewart | Superb Internet Corp.
<landonstewart at ...11827...> wrote:
> We provide shared hosting, colocation services and server rental. We need
> to enforce our AUP more proactively and detect malicious outgoing traffic
> before we get complaints about it.
> We are mirroring outgoing traffic for 3 quite large VLANs to a machine with
> a GigE interface. The machine is running snort. I have not even come close
> to figuring out which rules we want to load yet.
> What I want is to be able to generate a report on a regular basis looking
> for all of our IP addresses that were the source of a triggered event and
> report those events to the customer responsible for that server.
> While BASE provides a good way of viewing what's in the snort database it
> does not do what I need. I'm having a lot of trouble finding information on
> reporting because the snort database, while optimized for speed, appears to
> be quite complex.
> On regular intervals I want to:
> - Get all the source IP addresses and discard those that do not belong to us
> since the last run
> - For each IP address that has one or more events I want to list all the
> events for that IP address
> - I will then open a ticket on the responsible customer's account with this
> information alerting them to the possibility of a policy violation or
> security issue with their server.
> Seems pretty straightforward but how can I get this information in a
> readable report something like what is produced with the "Email Alert(s)
> (full)" output included in BASE?
> Landon Stewart
> Superb Internet Corporation
> Toll Free: 888-354-6128 x 4199 (US/Canada)
> International: 604-638-2525 x 4199
> CELEBRATING 10 YEARS OF HOSTING EXCELLENCE! 1996 - 2006
> Web hosting and more "Ahead of the Rest": http://www.superb.net
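The per-source report described in the quoted message, as an added example that is not part of the original thread: it joins the Snort database schema's `event`, `iphdr` and `signature` tables, keeps only sources inside our own ranges, and groups events newer than the last run by source IP. The in-memory SQLite tables, the address ranges (documentation prefixes) and the rule names are constructed stand-ins for a real Snort database.

```python
import ipaddress
import sqlite3
from collections import defaultdict

# Assumption: placeholder documentation ranges standing in for our address space.
OUR_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# event -> iphdr (addresses, stored as integers) -> signature (rule name).
REPORT_SQL = """
SELECT i.ip_src, i.ip_dst, e.timestamp, s.sig_name
FROM event e
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
JOIN signature s ON s.sig_id = e.signature
WHERE e.timestamp > ?
ORDER BY i.ip_src, e.timestamp
"""

def events_by_source(conn, since):
    """Return {our_source_ip: [(timestamp, dest_ip, rule_name), ...]} since last run."""
    report = defaultdict(list)
    for ip_src, ip_dst, ts, name in conn.execute(REPORT_SQL, (since,)):
        src = ipaddress.ip_address(ip_src)
        if any(src in net for net in OUR_NETS):  # discard sources that are not ours
            report[str(src)].append((ts, str(ipaddress.ip_address(ip_dst)), name))
    return dict(report)

def sample_db():
    """Constructed in-memory stand-in with only the columns the report reads."""
    ip = lambda s: int(ipaddress.ip_address(s))
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE event (sid INT, cid INT, signature INT, timestamp TEXT);
        CREATE TABLE iphdr (sid INT, cid INT, ip_src INT, ip_dst INT);
        CREATE TABLE signature (sig_id INT, sig_name TEXT);
        INSERT INTO signature VALUES (1, 'constructed rule A'), (2, 'constructed rule B');
    """)
    rows = [  # (cid, rule, time, source, destination), all constructed
        (1, 1, "2006-11-13 23:00:00", "192.0.2.10", "203.0.113.5"),   # before last run
        (2, 1, "2006-11-14 09:00:00", "192.0.2.10", "203.0.113.5"),
        (3, 2, "2006-11-14 10:00:00", "198.51.100.7", "203.0.113.9"),
        (4, 2, "2006-11-14 11:00:00", "203.0.113.77", "192.0.2.10"),  # source not ours
    ]
    for cid, sig, ts, src, dst in rows:
        conn.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?)", (cid, ip(src), ip(dst)))
    return conn

if __name__ == "__main__":
    for src, events in events_by_source(sample_db(), "2006-11-14 00:00:00").items():
        print(src, *events, sep="\n  ")
```

Against a MySQL Snort database the same query applies with the driver's own placeholder style (`%s` instead of `?`), and `since` should be the timestamp stored at the end of the previous run.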