Snort mailing list archives
RE: Snortsam log to database and correlation with snortdb
From: "Che Wan Zaharudin" <azhar () essasia net>
Date: Thu, 22 Apr 2004 14:52:40 +0800
Hi,

Can you give a script example to process the snortsam logs? You did mention displaying a Firewa'd icon. Is it on ACID? How do you do that?

Thanks.

-----Original Message-----
From: Sean Wheeler [mailto:s.wheeler () netprotect ch]
Sent: Thursday, April 22, 2004 1:57 AM
To: Chan Kien Eng; snort-users () lists sourceforge net
Subject: AW: [Snort-users] Snortsam log to database and correlation with snortdb

Hi,

What I did in this case is have a script which processes the snortsam logs and pops the relevant entries into the DB. The frontend, when querying the events table, additionally does a peek in the snortsam log table. If a correlation is found it displays a FireW'd icon.

Below is an example table schema:

-- one row per snortsam log line; (date, time, msg) is unique so the same
-- log line cannot be imported twice
CREATE TABLE `fw_log` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `date` date NOT NULL default '0000-00-00',
  `time` time NOT NULL default '00:00:00',
  `code` int(10) unsigned NOT NULL default '0',
  `facility` varchar(20) NOT NULL default '',
  `ipaddress` varchar(15) NOT NULL default '',
  `w_b` tinyint(1) unsigned NOT NULL default '0',
  `msg` varchar(255) NOT NULL default '',
  PRIMARY KEY (`id`),
  UNIQUE KEY `d_t_m` (`date`,`time`,`msg`)
) ENGINE=MyISAM AUTO_INCREMENT=1 ;   -- ENGINE= replaces the old TYPE= spelling

regards
Sean

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Chan Kien Eng
Sent: Wednesday, 21 April 2004 12:25
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snortsam log to database and correlation with snortdb

Hi all,

Has anyone done this before: logging the snortsam logs to a database and doing some sort of correlation between them? The idea is to answer the question: how do I know that when a signature is triggered, snortsam is actually doing the firewall blocking? Of course we can do it manually by comparing the snortsam logs and the snort logs from ACID etc., but this is too manual and time consuming. I'm trying to look for something that can make life easier :)

Any ideas?
Thanks.

-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.
http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
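The approach Sean describes in the thread, a script that loads the snortsam log into the fw_log table and a frontend "peek" that decides whether an event gets the FireW'd icon, as an added example written for this page. It is not code from the thread, from Snortsam or from ACID. It assumes snortsam log lines look like "date, time, sender, level, facility, message" (the sample lines are constructed), reduces snortdb's event and iphdr tables to the few columns the correlation needs, and uses SQLite in place of MySQL so it runs offline; the reading of Sean's ipaddress and w_b columns (blocked host, block flag) is this example's own.

```python
"""Added example (not from the thread, Snortsam or ACID): load snortsam log
lines into Sean's fw_log table and do the per-event "peek" that decides
whether to show a FireW'd icon.  SQLite stands in for MySQL so it runs offline.
Assumptions: snortsam log lines are "date, time, sender, level, facility,
message"; snortdb's event/iphdr tables are reduced to the columns used here."""
import re
import sqlite3

# Constructed sample of snortsam log lines (format assumed, see above).
SAMPLE_SNORTSAM_LOG = """\
2004/04/21, 12:25:31, -, 1, snortsam, Starting to listen for Snort alerts.
2004/04/21, 12:26:05, 192.168.1.10, 3, snortsam, Blocking host 10.0.0.5 in both directions for 600 seconds (Sid: 1000001).
2004/04/21, 12:36:06, 192.168.1.10, 3, snortsam, Removing 600 second block for host 10.0.0.5.
"""

LINE_RE = re.compile(r"^(\S+), (\S+), (\S+), (\d+), (\S+), (.*)$")
BLOCK_RE = re.compile(r"Blocking host (\d+\.\d+\.\d+\.\d+)")
UNBLOCK_RE = re.compile(r"block for host (\d+\.\d+\.\d+\.\d+)")


def parse_snortsam_line(line):
    """Map one log line onto the fw_log columns; None for lines that don't parse.
    ipaddress is the host named in a block/unblock message (else the sender)
    and w_b is 1 for a block, 0 otherwise; both are this example's reading of
    Sean's columns, not a documented Snortsam meaning."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, sender, code, facility, msg = m.groups()
    block, unblock = BLOCK_RE.search(msg), UNBLOCK_RE.search(msg)
    host = (block or unblock).group(1) if (block or unblock) else sender
    return {"date": date.replace("/", "-"), "time": time, "code": int(code),
            "facility": facility, "ipaddress": host,
            "w_b": 1 if block else 0, "msg": msg[:255]}   # varchar(255)


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE fw_log (
      id INTEGER PRIMARY KEY AUTOINCREMENT,
      date TEXT NOT NULL, time TEXT NOT NULL, code INTEGER NOT NULL,
      facility TEXT NOT NULL, ipaddress TEXT NOT NULL,
      w_b INTEGER NOT NULL DEFAULT 0, msg TEXT NOT NULL,
      UNIQUE (date, time, msg));          -- Sean's d_t_m key
    -- Minimal stand-in for snortdb's event and iphdr tables (assumed columns).
    CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
    CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src TEXT, ip_dst TEXT);
    """)
    return db


def load_snortsam_log(db, text):
    """Import log text.  The UNIQUE key plus INSERT OR IGNORE makes re-running
    the importer over a growing log file idempotent.  Returns lines parsed."""
    rows = [r for r in map(parse_snortsam_line, text.splitlines()) if r]
    db.executemany("INSERT OR IGNORE INTO fw_log "
                   "(date, time, code, facility, ipaddress, w_b, msg) VALUES "
                   "(:date, :time, :code, :facility, :ipaddress, :w_b, :msg)", rows)
    db.commit()
    return len(rows)


def firewalled(db, sid, cid, window_seconds=60):
    """The frontend 'peek': return (id, ipaddress, msg) of a block logged by
    snortsam for the event's source or destination IP within window_seconds
    after the event, or None.  Sensor and snortsam clocks must agree for the
    window test to mean anything."""
    return db.execute("""
        SELECT f.id, f.ipaddress, f.msg
        FROM event e
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        JOIN fw_log f ON f.w_b = 1 AND f.ipaddress IN (i.ip_src, i.ip_dst)
        WHERE e.sid = ? AND e.cid = ?
          AND (julianday(f.date || ' ' || f.time) - julianday(e.timestamp)) * 86400
              BETWEEN 0 AND ?
        ORDER BY f.date, f.time LIMIT 1""", (sid, cid, window_seconds)).fetchone()


def demo():
    """Constructed events: cid 1 fires one second before the block of 10.0.0.5,
    cid 2 involves a host snortsam never touched."""
    db = build_db()
    load_snortsam_log(db, SAMPLE_SNORTSAM_LOG)
    load_snortsam_log(db, SAMPLE_SNORTSAM_LOG)   # second pass adds nothing
    db.executemany("INSERT INTO event VALUES (?, ?, ?, ?)",
                   [(1, 1, 1000001, "2004-04-21 12:26:04"),
                    (1, 2, 1000002, "2004-04-21 13:00:00")])
    db.executemany("INSERT INTO iphdr VALUES (?, ?, ?, ?)",
                   [(1, 1, "10.0.0.5", "192.168.1.20"),
                    (1, 2, "10.0.0.9", "192.168.1.20")])
    return {"fw_rows": db.execute("SELECT COUNT(*) FROM fw_log").fetchone()[0],
            "event1": firewalled(db, 1, 1), "event2": firewalled(db, 1, 2)}


if __name__ == "__main__":
    print(demo())
```

The time window is the part to tune: snortsam acts a fraction of a second after the sensor logs the event, so a window of a few seconds after the event timestamp is usually enough, and matching on the blocked host rather than on message text keeps the query independent of snortsam's log wording. A cron job feeding new log lines through load_snortsam_log is safe to re-run because the d_t_m key rejects duplicates.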
Current thread:
- Snortsam log to database and correlation with snortdb Chan Kien Eng (Apr 21)
- Re: Snortsam log to database and correlation with snortdb Frank Knobbe (Apr 21)
- <Possible follow-ups>
- RE: Snortsam log to database and correlation with snortdb Che Wan Zaharudin (Apr 22)