[Snort-users] (no subject)
From: Peter Osterberg (Peter sodapro.se)
Date: Wed Sep 29 2004 - 06:25:56 CDT
Hi,
I've been using Snort for some time now with database logging. It's the
Snort version that is used in PureSecure. I'm not quite sure how they
differ, if they do. Demarc has told me that there are some differences
between standard Snort and the PS version.
Anyway the problem I have is that reporting to the db is missed if some
kind of network connection problem occurs between the sensor and the db.
Is there some well known and practised way around this problem? I've been
thinking of logging traffic to disk using tcpdump and with a decent file
split size, say 1 MB. Check if there are finished files every 5 minutes,
check if there is a working connection with the db, process dump files,
report alerts and exit. Hang around for five more minutes and repeat. I've
noticed that the reported time for detected events is the timestamp when
the alert is stored in the database and not the timestamp of the TCP packet
that triggers the event. I guess that the SQL function "now()" is used in
the query!?
Does anyone know if I can specify that "now()" shouldn't be used, or some
other way to reach my goals?
It just struck my mind that tcpdump most likely doesn't store timestamps
for every packet in raw mode. Can I tell it to do so and will Snort be able
to read it in case it is possible?
Sincerely
Peter Österberg
Soda Produktion
Peter Osterberg
Zenithgatan 36
212 14 Malmo
Tfn: 040 93 07 07
Mobil: 0709 - 49 49 69
Fax: 040 - 93 14 94
Peter.se
Webb: www.sodapro.se
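The post asks whether tcpdump stores a timestamp for every packet. The libpcap file format does: each record is preceded by a 16-byte header carrying its own capture time (seconds and microseconds), which is what an offline reader such as Snort's -r mode sees. The following is an added example, not part of the original post, that builds a small pcap image in memory (constructed sample data) and reads the per-packet timestamps back, refusing files whose last record is still incomplete, as a file tcpdump is still writing would be.

```python
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4      # standard libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_pcap(packets):
    """Build a pcap file image. packets: list of (ts_sec, ts_usec, frame_bytes)."""
    # Global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, data in packets:
        # Per-record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data
    return out


def read_pcap(blob):
    """Yield (capture_time, frame_bytes) for every record in a pcap image."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:        # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    offset = 24
    while offset < len(blob):
        if offset + 16 > len(blob):
            raise ValueError("truncated record header")   # file not finished yet
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", blob, offset)
        offset += 16
        data = blob[offset:offset + incl_len]
        if len(data) < incl_len:
            raise ValueError("truncated record")          # file not finished yet
        offset += incl_len
        when = datetime.fromtimestamp(ts_sec, tz=timezone.utc).replace(microsecond=ts_usec)
        yield when, data


def packet_times(blob):
    """Return the capture time of each packet as an ISO 8601 string (UTC)."""
    return [when.isoformat() for when, _data in read_pcap(blob)]


# Constructed sample: two dummy frames captured a few seconds apart on 2004-09-29 (UTC).
SAMPLE = build_pcap([(1096457156, 123456, b"\x00" * 60), (1096457159, 7, b"\x01" * 60)])
```

A dump processed later from disk therefore still yields the original capture time for each packet, independent of when the alert row is inserted into the database.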