From: David E. Wach (davidignw.com)
Date: Thu May 02 2002 - 10:51:39 CDT


    I would tend to agree, but in our case we need to do dynamic on-demand
    reporting from all those sensors out in the wild, so I think that going
    through the hassle of having a central database makes sense for us. A
    whole lot of this stuff can be automated with some creative scripting,
    though there might be some event horizon where there's just too many to
    manage effectively *shrug*. I would say that unless you need some sort
    of reporting (and not just alerting with the data archived into the
    database) to just skip it.

    Happy snorting!
    -d

    --
    ===============================================
    David E. Wach
    Senior Managed Security Architect
    davidignw.com
    InfoGroup Northwest 541.485.0957 x168
    =============================================== 
    

    -----Original Message-----
    From: Jason Haar [mailto:Jason.Haartrimble.co.nz]
    Sent: Wednesday, May 01, 2002 8:54 PM
    To: Snort List (E-mail)
    Subject: Re: [Snort-users] Can you simply merge separate Snort SQL databases?

    On Wed, May 01, 2002 at 09:20:15AM -0700, David E. Wach wrote:
    > One problem you'll have is that Snort dynamically adds entries into
    > several tables as it sees events (reference, reference_system,
    > sig_class, sig_reference, and signature). If you pull data into a
    > central database your events will reference bogus data.

    Gah! That sounds nasty. I wonder, could you fake it? i.e. pull over the unique data, and then regenerate all the reference table data?

    It seems to me that this sort of central DB is the one thing you can slash-and-burn on demand - all the "live" DB servers should be left alone if possible...

    --
    Cheers

    Jason Haar

    Information Security Manager
    Trimble Navigation Ltd.
    Phone: +64 3 9635 377
    Fax: +64 3 9635 417

    _______________________________________________________________

    Have big pipes? SourceForge.net is looking for download mirrors.
    We supply the hardware. You get the recognition.
    Email Us: bandwidthsourceforge.net
    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users

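The problem David describes and the fix Jason sketches ("pull over the unique data, and then regenerate all the reference table data") can be shown end to end with two toy sensor databases. The example below is added here and is not code from the thread or from the Snort project; it uses sqlite3 as a stand-in for the sensors' SQL databases, and the column names (sig_id, sig_name, sig_class_id, sig_sid, sig_rev; event.sid, cid, signature, timestamp) are assumed, modelled on the Snort schema but cut down to the sig_class and signature tables. The alerts are constructed sample data. A naive merge keeps each sensor's local sig_id in the event rows, so the central database labels sensor 2's events with the wrong rule; the remap merge re-resolves every signature by its natural key (name, class, snort sid, rev) and rewrites the event.signature column through the resulting map.

```python
import sqlite3

# Cut-down stand-in for the Snort schema (ASSUMED column names; the thread only names the tables).
SCHEMA = """
CREATE TABLE sig_class (sig_class_id INTEGER PRIMARY KEY, sig_class_name TEXT UNIQUE);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_class_id INTEGER,
                        sig_sid INTEGER, sig_rev INTEGER);
-- event.signature is the sensor-local sig_id: the value that goes bogus on a naive merge
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
"""

# Constructed sample alerts: (rule name, class, snort sid, rev, time). Both sensors see the
# same two rules but in a different order, so each hands them different sig_id values.
SENSOR1_ALERTS = [
    ("EXAMPLE ICMP ping",     "misc-activity",          1000001, 1, "2002-05-01 08:00:00"),
    ("EXAMPLE web cmd probe", "web-application-attack", 1000002, 1, "2002-05-01 08:05:00"),
]
SENSOR2_ALERTS = [
    ("EXAMPLE web cmd probe", "web-application-attack", 1000002, 1, "2002-05-01 08:01:00"),
    ("EXAMPLE ICMP ping",     "misc-activity",          1000001, 1, "2002-05-01 08:07:00"),
]


def get_or_create(db, table, id_col, keys):
    """Return the id of the row matching the natural key in `keys`, inserting it if absent.
    Table/column names come only from constants in this file, never from user input."""
    where = " AND ".join(f"{k} = ?" for k in keys)
    row = db.execute(f"SELECT {id_col} FROM {table} WHERE {where}", tuple(keys.values())).fetchone()
    if row:
        return row[0]
    cols, marks = ", ".join(keys), ", ".join("?" * len(keys))
    return db.execute(f"INSERT INTO {table} ({cols}) VALUES ({marks})", tuple(keys.values())).lastrowid


def make_sensor_db(sid, alerts):
    """Emulate a sensor's own database: lookup rows are added the first time a rule fires."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for cid, (name, cls, snort_sid, rev, ts) in enumerate(alerts, start=1):
        cls_id = get_or_create(db, "sig_class", "sig_class_id", {"sig_class_name": cls})
        sig_id = get_or_create(db, "signature", "sig_id", {"sig_name": name, "sig_class_id": cls_id,
                                                          "sig_sid": snort_sid, "sig_rev": rev})
        db.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig_id, ts))
    return db


def fresh_central():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def naive_merge(central, sensor):
    """The failure mode from the thread: copy lookup rows only where the id is still free and
    copy events verbatim, so events keep sig_id values that mean something else centrally."""
    for row in sensor.execute("SELECT sig_class_id, sig_class_name FROM sig_class").fetchall():
        central.execute("INSERT OR IGNORE INTO sig_class VALUES (?, ?)", row)
    for row in sensor.execute("SELECT sig_id, sig_name, sig_class_id, sig_sid, sig_rev FROM signature").fetchall():
        central.execute("INSERT OR IGNORE INTO signature VALUES (?, ?, ?, ?, ?)", row)
    for row in sensor.execute("SELECT sid, cid, signature, timestamp FROM event").fetchall():
        central.execute("INSERT INTO event VALUES (?, ?, ?, ?)", row)


def remap_merge(central, sensor):
    """Merge by natural key: regenerate the central lookup rows from the sensor's unique data,
    then rewrite event.signature through the local->central map that produces."""
    sig_map = {}
    rows = sensor.execute("SELECT s.sig_id, s.sig_name, c.sig_class_name, s.sig_sid, s.sig_rev "
                          "FROM signature s JOIN sig_class c ON c.sig_class_id = s.sig_class_id").fetchall()
    for local_id, name, cls, snort_sid, rev in rows:
        cls_id = get_or_create(central, "sig_class", "sig_class_id", {"sig_class_name": cls})
        sig_map[local_id] = get_or_create(central, "signature", "sig_id",
                                          {"sig_name": name, "sig_class_id": cls_id,
                                           "sig_sid": snort_sid, "sig_rev": rev})
    for sid, cid, local_sig, ts in sensor.execute("SELECT sid, cid, signature, timestamp FROM event").fetchall():
        central.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig_map[local_sig], ts))


def event_labels(db):
    """(sid, cid, rule name) for every event, resolved through the central signature table."""
    return db.execute("SELECT e.sid, e.cid, s.sig_name FROM event e "
                      "JOIN signature s ON s.sig_id = e.signature ORDER BY e.sid, e.cid").fetchall()


def demo():
    """Merge both sensors into two central databases, one per strategy, and return the labels."""
    sensors = [make_sensor_db(1, SENSOR1_ALERTS), make_sensor_db(2, SENSOR2_ALERTS)]
    bad, good = fresh_central(), fresh_central()
    for sensor in sensors:
        naive_merge(bad, sensor)
        remap_merge(good, sensor)
    return event_labels(bad), event_labels(good)


if __name__ == "__main__":
    bad, good = demo()
    print("naive merge:", bad)    # sensor 2's two events carry the wrong rule names
    print("remap merge:", good)
```

The same natural-key treatment has to be applied to reference, reference_system and sig_reference (keyed on system name and tag rather than ref_id), and, in a real Snort deployment, to the sensor table, since sid is also assigned per database; the sample above sidesteps that by giving the two sensors distinct sids up front. Running the remap inside one transaction per sensor keeps the central database consistent if a pull is interrupted.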