[Snort-users] view alerts in base

Dominique Karg dk at ...11936...
Wed Apr 22 03:44:00 EDT 2009


Hello,

I'd like to throw another alternative and some comments into this  
thread.

Am 22.04.2009 um 04:38 schrieb Paul Schmehl:

> --On April 21, 2009 8:45:01 PM -0500 David Kingsly
> <davidkingsly at ...3147...> wrote:
>
> The name acid is a legacy from the software that BASE is derived from.
>
> Here's my operational system:
>
> mysql> select count(*) from event;
> +----------+
> | count(*) |
> +----------+
> |     6881 |
> +----------+
> 1 row in set (0.00 sec)
>
> mysql> select count(*) from acid_event;
> +----------+
> | count(*) |
> +----------+
> |     6880 |
> +----------+
> 1 row in set (0.00 sec)
>
> As you can see the number of alerts is different.  Whether snort feeds
> mysql directly *or* barnyard parses the unified format and feeds  
> mysql,
> the result is the same - events are entered into the *snort* database.
> The BASE install adds the four acid_* tables.  Those tables are fed by
> base, not by snort or barnyard.  So, if the snort db event table has
> entries but the acid_event table does not, the problem is BASE not  
> snort,
> mysql or barnyard.

Both direct Snort DB insertion as well as Barnyard require the BASE  
caching process (which basically aggregates data from 'tcphdr, udphdr,  
icmphdr, event, sensor and signature' into 'acid_event') in order to  
consolidate the data inserted by (possibly) multiple Snort or Barnyard  
deployments.

At OSSIM we changed this behaviour and aggregate events at correlation  
engine level, receiving data from multiple agents (which in turn parse  
multiple snorts logging using unified format), aggregating it and  
filling in all the tables from a central point, removing the caching  
process and thus enabling realtime visualization of that data. Our  
requirements, both in terms of performance and data visualization made  
us maintain a patch against BASE for many years, but we recently  
decided to fork it into our codebase since it would be easier to  
maintain.

You're more than welcome to give it a shot.

Greetings,

Dominique





More information about the Snort-users mailing list