Snort mailing list archives

RE: Can you simply merge separate Snort SQL databases?


From: "David E. Wach" <david () ignw com>
Date: Wed, 1 May 2002 09:20:15 -0700

One problem you'll have is that Snort dynamically adds entries into
several tables as it sees events (reference, reference_system,
sig_class, sig_reference, and signature).  If you pull data into a
central database your events will reference bogus data.  What I ended
up doing is pre-filling the central database with all possible
signatures ahead of time, then adding those records to all remote
databases.  Also note that you'll have to do this anytime you update
your Snort rules.  It's all pretty simple, I can send on scripts if
anybody is interested.

-david
--
===============================================
David E. Wach
Senior Managed Security Architect
david () ignw com
InfoGroup Northwest 541.485.0957 x168
=============================================== 


-----Original Message-----
From: Jason Haar [mailto:Jason.Haar () trimble co nz] 
Sent: Tuesday, April 30, 2002 9:41 PM
To: Snort List (E-mail)
Subject: [Snort-users] Can you simply merge separate Snort SQL
databases?


Says it all. For performance/availability reasons we want our Snort
IDSes to be independently installed within our world-wide network,
however as the overseer I'd like to merge all that data back into one
spot to do "global reports" once per month.

The sensor table from each DB will obviously clash, but if I remap
those, would there be any other conflicts?

[better get a bigger box...]

-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
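The id remapping the thread is about, as an added example that is not part of this thread and not one of David's scripts or Snort's own tooling. It assumes a constructed, simplified subset of the Snort schema (sensor, sig_class, signature, event) in SQLite; the reference, reference_system and sig_reference tables would be matched by content in exactly the same way. log_event mimics the database output plugin, which creates sensor, class and signature rows on first sight, so two sensors end up with different sig_id values for the same rule; merge_remote_into_central matches those rows by content and rewrites the event references, and gives each remote sensor its own central sid so (sid, cid) keys cannot clash. Rule names and SIDs in demo are constructed.

```python
import sqlite3

# Constructed, simplified subset of the Snort database schema: enough to show
# the id collision the thread describes. The real schema has more columns
# plus the packet-header and data tables keyed by (sid, cid).
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY AUTOINCREMENT, hostname TEXT NOT NULL,
    interface TEXT NOT NULL, last_cid INTEGER NOT NULL DEFAULT 0);
CREATE TABLE sig_class (sig_class_id INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_class_name TEXT NOT NULL UNIQUE);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY AUTOINCREMENT, sig_name TEXT NOT NULL,
    sig_class_id INTEGER NOT NULL REFERENCES sig_class(sig_class_id),
    sig_priority INTEGER, sig_rev INTEGER, sig_sid INTEGER, sig_gid INTEGER);
CREATE TABLE event (sid INTEGER NOT NULL REFERENCES sensor(sid), cid INTEGER NOT NULL,
    signature INTEGER NOT NULL REFERENCES signature(sig_id), timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid));
"""


def open_db():
    """Fresh in-memory database with the simplified schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _get_or_create(conn, table, pk, match, extra=None):
    """Key of the row in `table` whose columns equal `match`; the row is
    inserted (with the `extra` columns) if it does not exist yet."""
    where = " AND ".join(f"{col} = ?" for col in match)
    row = conn.execute(f"SELECT {pk} FROM {table} WHERE {where}",
                       tuple(match.values())).fetchone()
    if row:
        return row[0]
    cols = {**match, **(extra or {})}
    marks = ", ".join("?" for _ in cols)
    cur = conn.execute(f"INSERT INTO {table} ({', '.join(cols)}) VALUES ({marks})",
                       tuple(cols.values()))
    return cur.lastrowid


def log_event(conn, hostname, interface, sig_name, sig_class, sig_sid, sig_rev, ts):
    """Mimic the Snort database output plugin: sensor, class and signature rows
    are created on first sight, so their ids depend on which rule fired first."""
    sid = _get_or_create(conn, "sensor", "sid",
                         {"hostname": hostname, "interface": interface})
    cls = _get_or_create(conn, "sig_class", "sig_class_id", {"sig_class_name": sig_class})
    sig = _get_or_create(conn, "signature", "sig_id",
                         {"sig_name": sig_name, "sig_sid": sig_sid, "sig_rev": sig_rev,
                          "sig_gid": 1}, {"sig_class_id": cls, "sig_priority": 2})
    cid = conn.execute("SELECT last_cid FROM sensor WHERE sid = ?", (sid,)).fetchone()[0] + 1
    conn.execute("UPDATE sensor SET last_cid = ? WHERE sid = ?", (cid, sid))
    conn.execute("INSERT INTO event (sid, cid, signature, timestamp) VALUES (?, ?, ?, ?)",
                 (sid, cid, sig, ts))
    conn.commit()
    return sid, cid, sig


def merge_remote_into_central(central, remote):
    """Copy the remote database's events into the central one, remapping every
    id that is only meaningful inside the remote database."""
    # Rows that describe rules are matched by content, never by id.
    class_map = {}
    for cls_id, name in remote.execute("SELECT sig_class_id, sig_class_name FROM sig_class"):
        class_map[cls_id] = _get_or_create(central, "sig_class", "sig_class_id",
                                           {"sig_class_name": name})
    sig_map = {}
    for sig_id, name, cls_id, prio, rev, rule_sid, gid in remote.execute(
            "SELECT sig_id, sig_name, sig_class_id, sig_priority, sig_rev, sig_sid, sig_gid "
            "FROM signature"):
        sig_map[sig_id] = _get_or_create(
            central, "signature", "sig_id",
            {"sig_name": name, "sig_sid": rule_sid, "sig_rev": rev, "sig_gid": gid},
            {"sig_class_id": class_map[cls_id], "sig_priority": prio})
    # A sensor is identified by hostname+interface and gets whatever sid the
    # central database assigns, so cids from different sensors never collide.
    sensor_map = {}
    for sid, host, iface, last_cid in remote.execute(
            "SELECT sid, hostname, interface, last_cid FROM sensor"):
        new_sid = _get_or_create(central, "sensor", "sid",
                                 {"hostname": host, "interface": iface})
        central.execute("UPDATE sensor SET last_cid = MAX(last_cid, ?) WHERE sid = ?",
                        (last_cid, new_sid))
        sensor_map[sid] = new_sid
    # (sid, cid) is the primary key, so re-running the monthly merge is
    # idempotent: events copied last time are ignored, not duplicated.
    copied = 0
    for sid, cid, sig, ts in remote.execute("SELECT sid, cid, signature, timestamp FROM event"):
        cur = central.execute(
            "INSERT OR IGNORE INTO event (sid, cid, signature, timestamp) VALUES (?, ?, ?, ?)",
            (sensor_map[sid], cid, sig_map[sig], ts))
        copied += cur.rowcount
    central.commit()
    return {"sensors": sensor_map, "signatures": sig_map, "events_copied": copied}


def events_by_name(conn):
    """(hostname, cid, sig_name) for every event, resolved through the signature
    table, to check that the remapped references point at the right rule."""
    return conn.execute(
        "SELECT s.hostname, e.cid, g.sig_name FROM event e "
        "JOIN sensor s ON s.sid = e.sid JOIN signature g ON g.sig_id = e.signature "
        "ORDER BY s.hostname, e.cid").fetchall()


def demo():
    """Two sensors that saw the same rule but assigned it different sig_ids."""
    central, remote = open_db(), open_db()
    # Constructed rule names and SIDs, not real Snort rules.
    log_event(central, "hq-sensor", "eth0", "EXAMPLE ICMP probe", "attempted-recon",
              900001, 1, "2002-04-30 21:41:00")
    log_event(central, "hq-sensor", "eth0", "EXAMPLE web traversal",
              "web-application-attack", 900002, 3, "2002-04-30 21:42:00")
    for ts in ("2002-05-01 09:20:15", "2002-05-01 09:21:00"):
        log_event(remote, "nz-sensor", "eth1", "EXAMPLE web traversal",
                  "web-application-attack", 900002, 3, ts)
    return central, remote, merge_remote_into_central(central, remote)
```

In demo the shared rule is sig_id 2 in the central database but sig_id 1 on the remote sensor; a naive row copy would make the remote events show up as "EXAMPLE ICMP probe". The match key for signature rows (name, SID, revision, generator) is also why the rule-update caveat in the reply matters: a rule whose revision changed is a different row and is inserted alongside the old one rather than overwriting it.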


