IDS mailing list archives
Re: ISS and Snort logs
From: <schwing () tenablesecurity com>
Date: 8 May 2003 14:33:50 -0000
In-Reply-To: <000001c30cc6$3bad0ac0$0c0a0a0a () SecurityConscious com>

You should add Tenable's Lightning Console to the list. It correlates Snort and ISS without the use of a SQL database. The console integrates vulnerability correlation at the same time. It also provides a workflow process for the remediation of vulnerabilities.

Stephen Schwing
Tenable Network Security
www.tenablesecurity.com
From: "Chris Petersen" <chris () security-conscious com>
To: "'Brian'" <bmc () snort org>, <focus-ids () securityfocus com>
Subject: RE: ISS and Snort logs
Date: Sun, 27 Apr 2003 10:06:42 -0400
Message-ID: <000001c30cc6$3bad0ac0$0c0a0a0a () SecurityConscious com>

Brian's suggestion is probably a more feasible approach than what I suggested. Integrating through their HIDS should take care of meta-data mappings and shouldn't introduce support issues. My approach has some advantages but will require considerable reverse engineering.

I agree with Brian in that you may want to consider an ESM type product. We are developing a product that would provide what you are after but it's not available yet. Current products on the market include:

- Arcsight
- NetForensics
- Intellitactics
- eSecurity
- NetworkIntelligence/OpenSystems
- NetIQ
- GuardedNet

Good luck

Chris Petersen
Security Conscious, Inc.
www.security-conscious.com

-----Original Message-----
From: Brian [mailto:bmc () snort org]
Sent: Friday, April 25, 2003 9:20 AM
To: focus-ids () securityfocus com
Subject: Re: ISS and Snort logs

On Fri, Apr 18, 2003 at 03:24:58PM -0400, Security Conscious wrote:
> Another option would be to use Snort's SQL Server output module and send alerts directly to the ISS SQL Server. On the ISS SQL Server you would create another database (Snort DB) with the Snort schema. Snort would alert/log to the Snort DB. You could then create triggers to do a select from (Snort DB) insert into (ISS DB) for each event added to the Snort DB.

A cheaper/uglier option is to have snort log via syslog and use ISS's HIDS component and add signatures in the HIDS for each snort rule you enable. Since you wouldn't be mucking with the underpinnings of ISS's database, you will not get into support/licensing issues. You know the type: "Oh, you did what to the database? OK, first thing. Reinstall." You are running an IDS on NT, so you should be used to this already. ;P

Anyway, using the syslog method would be easier to set up initially but would require more maintenance, as when new rules are added to snort, you will need to add rules to your HIDS. But at least you won't have to pay your DBA more than you already do.

That, or you could look at getting an ESM type product that actually handles all of this foo for you. There are dozens of products that attempt to accomplish your specific problem.

-brian
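The trigger approach quoted above (Snort logging into its own database on the ISS SQL Server, with a trigger copying each event across) as an added example; this is editor-supplied T-SQL and not code posted by anyone in the thread. The Snort-side tables (event, signature, iphdr, sensor) are the ones Snort's own SQL Server schema creates; the destination table ISS_DB.dbo.snort_events and its columns are assumed for illustration, since ISS's real schema is not shown on this page.

```sql
-- Added example, not from the original thread.
-- Copies every new Snort alert from the Snort database into a second
-- database on the same SQL Server, as proposed in the quoted message.
-- Source tables follow Snort's create_mssql schema. The target table
-- ISS_DB.dbo.snort_events and its column names are an ASSUMPTION.

USE SnortDB;
GO

-- Snort's database output plugin inserts the event row first and the
-- iphdr row for the same (sid, cid) afterwards. A trigger on event would
-- therefore fire before the addresses exist, so the trigger is anchored
-- on iphdr instead, which shares the (sid, cid) key with event.
CREATE TRIGGER trg_snort_iphdr_to_iss
ON dbo.iphdr
AFTER INSERT
AS
BEGIN
    SET NOCOUNT ON;

    -- "inserted" may hold several rows (bulk inserts), so the copy is
    -- written set-based rather than as a per-row cursor.
    INSERT INTO ISS_DB.dbo.snort_events
        (sensor_name, event_time, snort_sid, sig_name, sig_priority,
         src_ip, dst_ip, ip_proto)
    SELECT
        s.hostname,
        e.[timestamp],
        sig.sig_sid,        -- the rule's SID (the 2003 in [1:2003:2])
        sig.sig_name,
        sig.sig_priority,
        i.ip_src,           -- stored by Snort as a 32-bit integer
        i.ip_dst,           -- convert to dotted quad on the ISS side if needed
        i.ip_proto
    FROM inserted AS i
    JOIN dbo.event     AS e   ON e.sid = i.sid AND e.cid = i.cid
    JOIN dbo.signature AS sig ON sig.sig_id = e.signature
    JOIN dbo.sensor    AS s   ON s.sid = e.sid;
END;
GO
```

Two caveats a practitioner would want before deploying this: the trigger runs inside the transaction of Snort's own insert, so if the write into ISS_DB fails (missing table, permissions, full disk) the Snort insert fails with it and the alert is lost rather than merely uncorrelated; and the Snort login needs INSERT on the target table in the other database, which is exactly the kind of change to the ISS database that Brian's message warns will land you in support trouble.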