Snort mailing list archives
Anyone integrated HIDS-style alerts into Snort DB?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Mon, 7 Apr 2003 16:15:34 +1200
I'm wondering the worth of integrating host-based alerts into the Snort SQL DB infrastructure... I'm the author of logsnorter - a tool I wrote several years ago to parse syslog entries to push Cisco/Linux firewall logs into the Snort SQL DB. I dropped it after only a few months as I came to the conclusion that the last thing your IDS DB needed was another 500% more alerts/day... I'm now firmly in the camp that says "if it didn't get past my perimeter packet filter - I'm not interested in it".

Anyway, I'm still warm on the idea of injecting intrusion information gleaned from other sources into Snort - treating it more as the "company IDS" than the "Internet IDS" if you catch my drift. Has anyone else done anything like that, and more importantly, would it be worth doing?

I'm thinking of resurrecting logsnorter and allowing it to inject other syslog records into Snort, such as:

Class: misc-activity
* Qmail-Scanner virus alerts
* SpamAssassin hits
* rblsmtpd
* tftp filenames

Class: attempted-recon
* failed tcpwrapper connections

Class: attempted-user/attempted-admin
* failed logins (PAM/NT domain/other?)
* unsuccessful logins

Class: successful-user/successful-admin
* failed logins (PAM/NT domain/other?)
* successful logins

Sound stupid? Not worth the effort?

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
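A sketch of the classification step a revived logsnorter would need, added here as an example; it is not part of the post or of logsnorter itself. The syslog lines are constructed, and the regexes, signature names and HostEvent record are assumptions; the classtype priorities are Snort's classification.config defaults.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Snort classification.config defaults: classtype name -> priority.
CLASS_PRIORITY = {"misc-activity": 3, "attempted-recon": 2,
                  "attempted-user": 1, "attempted-admin": 1,
                  "successful-user": 1, "successful-admin": 1}

# Hypothetical patterns, one per record type from the post: each maps a
# regex to (signature name, classtype).  The "-user" classtypes are
# promoted to "-admin" when the account involved is root.
PATTERNS = [
    (re.compile(r"refused connect from (?P<src>[\d.]+)"),
     "tcpwrappers refused connection", "attempted-recon"),
    (re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) "
                r"from (?P<src>[\d.]+)"), "sshd failed login", "attempted-user"),
    (re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>[\d.]+)"),
     "sshd successful login", "successful-user"),
]


@dataclass
class HostEvent:
    """One host-derived alert, shaped like a Snort signature + event row."""
    sig_name: str
    classtype: str
    priority: int
    src_ip: Optional[str]
    user: Optional[str]


def classify(line: str) -> Optional[HostEvent]:
    """Map a syslog line to a HostEvent, or None if it is not of interest."""
    for rx, sig_name, classtype in PATTERNS:
        m = rx.search(line)
        if not m:
            continue
        fields = m.groupdict()          # only the groups this regex defines
        user = fields.get("user")
        if user == "root":
            classtype = classtype.replace("-user", "-admin")
        return HostEvent(sig_name, classtype, CLASS_PRIORITY[classtype],
                         fields.get("src"), user)
    return None


def events_from_syslog(lines: List[str]) -> List[HostEvent]:
    """Keep only lines that map to an event; uninteresting lines are dropped."""
    return [ev for ev in map(classify, lines) if ev is not None]


# Constructed sample syslog lines (not real log data).
SAMPLE_SYSLOG = [
    "Apr  7 16:15:34 mail sshd[2048]: Failed password for root from 10.1.2.3 port 4242 ssh2",
    "Apr  7 16:15:40 mail sshd[2050]: Accepted password for jason from 10.1.2.4 port 4243 ssh2",
    "Apr  7 16:16:01 mail in.telnetd[2051]: refused connect from 10.1.2.5",
    "Apr  7 16:16:10 mail cron[2052]: (root) CMD (run-parts /etc/cron.hourly)",
]
```

Writing each HostEvent into the Snort schema (a sig_class row for the classtype, a signature row for sig_name, then the event row) is the part left to the database layer.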