RE: ISS and Snort logs

["Scott M. Algatt" <salgatt () turtleshell net>]

I never thought of that.  Thanks Luke!  This gives me somewhere to go with
it.  I might be able to use a combination of Snort's unified output to be
able to do this.  If I can get the schema, which shouldn't be too hard.  I
should be able to send the unified data through a little PERL magic and
ship it into SiteProtector.

I am also looking at doing the same thing with our ACID console.  We
currently have ACID and it might help be a better scenario to go from the
ACID console to the SiteProtector console rather than individual IDS's.


Regards,

Scott M. Algatt

Behold the turtle. He makes progress only when he sticks his neck out.

On Fri, 11 Apr 2003, Luke Leboeuf wrote:

> Probably not, seeing as the event collector would not have any key for the
> snort sensor. However, if you could figure out some way to normalize snorts
> events to ISS database schema, create a DB user for the snort sensor to have
> write access to the SQL DB, and figure out a way for the sensor to make ODBC
> calls to the ISSED database to insert events, I guess, in theory, it could
> be possible. If you get it to work let everyone know. There are other
> applications that you can use to bring your snort logs and your ISS
> siteprotector logs into one usable, database and correlation engine (like
> the free Acid). They usually cost a pretty penny. Good luck!
>
> Luke LeBoeuf
> ArcSight, Inc.
> (c) 571.331.5142
> (e) luke () arcsight com
> http://www.arcsight.com
>
>
>
> -----Original Message-----
> From: Scott M. Algatt [mailto:salgatt () turtleshell net]
> Sent: Tuesday, April 08, 2003 10:26 AM
> To: focus-ids () securityfocus com
> Subject: ISS and Snort logs
>
> I am trying to see if there is a way to have ISS's SiteProtector receive
> Snort logs realtime?
>
>
> Regards,
>
> Scott M. Algatt
>
> Behold the turtle. He makes progress only when he sticks his neck out.
>
>
> -----------------------------------------------------------
> ALERT: Exploiting Web Applications- A Step-by-Step Attack Analysis
> Learn why 70% of today's successful hacks involve Web Application
> attacks such as: SQL Injection, XSS, Cookie Manipulation and Parameter
> Manipulation.
> http://www.spidynamics.com/mktg/webappsecurity71


------------------------------------------------------------------------------
INTRUSION PREVENTION: READY FOR PRIME TIME?
 
IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities - 
including intrusion identification, relevancy, direction, impact and analysis - enabling a path to prevention. 
 
Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: 
http://www.securityfocus.com/IntruVert-focus-ids