[ale] RE: Snort

Christopher Fowler cfowler at outpostsentinel.com
Tue Aug 19 14:09:50 EDT 2003


I see this pop up on my screen:

08/19-14:07:24.389362 192.168.2.8 -> 192.168.2.231
ICMP TTL:64 TOS:0x0 ID:45505 IpLen:20 DgmLen:84
Type:0  Code:0  ID:16128  Seq:0  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


But ACID is not showing this traffic in the MySQL database.  One
of my devices sent an SNMPv1 trap to me, and that did show up in the database.
So far the only thing that has shown up is the SNMP trap.

Is it wrong to have a central database for alerts?  Would that not
increase the traffic massively if I were to log *everything*?  My goal
is to log everything on my public interface.

On Tue, Aug 19, 2003 at 01:50:39PM -0400, Transam wrote:
> On Tue, Aug 19, 2003 at 01:20:30PM -0400, Christopher Fowler wrote:
> 
> > This snort program is really cool.  I've got it logging to a 
> > directory called /tmp/sno.  It seems that you can have it go
> > into a database.  Will it dump the packet data into the database or
> > just the header info?  I want to make sure the database does not 
> > grow uncontrollably.  My database is behind the firewall so I can just
> > dump there.  It may be feasible to create a wiretap.
> 
> 
> > -- Rx [ ] --- [ ] Rx --
> > -- Tx [ ] --- [ ] Tx --
> >            |
> >            | Rx
> >           [ ] 
> >           [ ] Snort.
> 
> 
> > Would this be the correct cable configuration?  I assume that I'll
> > need to send Rx+ and Rx- to the IDS but do not need to worry
> > about Tx+ and Tx-.
> 
> Correct.
> 
> > Chris
> 
> Bob Toxen
> bob at verysecurelinux.com               [Please use for email to me]
> http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
> http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
> Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
> 
> "Microsoft: Unsafe at any clock speed!"
>    -- Bob Toxen 10/03/2002
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
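The three-line packet header block shown at the top of this message is Snort's console packet dump format. As an added example (not code from this thread or from the Snort project), the parser below turns that text into records so the fields can be filtered or tallied before deciding what to push into a central database. The sample input is constructed: the first record copies the ICMP echo reply from the post, while the UDP (an SNMP trap to port 162) and TCP records are made up for illustration. The byte tally is a rough way to compare what a database that keeps only these header fields would grow by against one that also stores everything beyond the IP header.

```python
import re
from collections import Counter

# Constructed sample in Snort's packet-dump format. Record 1 is the echo
# reply quoted in the post; records 2 and 3 are invented for the example.
SAMPLE = """\
08/19-14:07:24.389362 192.168.2.8 -> 192.168.2.231
ICMP TTL:64 TOS:0x0 ID:45505 IpLen:20 DgmLen:84
Type:0  Code:0  ID:16128  Seq:0  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/19-14:07:25.102334 192.168.2.231:3142 -> 192.168.2.8:162
UDP TTL:128 TOS:0x0 ID:1044 IpLen:20 DgmLen:110
Len: 82
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/19-14:07:26.511908 10.0.0.5:40212 -> 192.168.2.8:22
TCP TTL:51 TOS:0x0 ID:9912 IpLen:20 DgmLen:60 DF
******S* Seq: 0x3B1F5F0A  Ack: 0x0  Win: 0x16D0  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# Line 1: timestamp, source, destination; ports are present only for TCP/UDP.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)
# Line 2: protocol and IP header fields, optionally followed by flags such as DF.
IP_RE = re.compile(
    r"^(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+"
    r"ID:(?P<ipid>\d+)\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)"
    r"(?P<flags>(?:\s+\w+)*)$"
)


def parse_records(text):
    """Split the dump on the =+=+ separator lines and parse each block."""
    records, current = [], []
    for line in text.splitlines():
        if line.startswith("=+="):
            if current:
                records.append(_parse_record(current))
                current = []
        elif line.strip():
            current.append(line)
    if current:  # last block if the dump was cut off before its separator
        records.append(_parse_record(current))
    return records


def _parse_record(lines):
    m = HEADER_RE.match(lines[0])
    n = IP_RE.match(lines[1])
    if not (m and n):
        raise ValueError("unrecognised packet header: %r" % lines[:2])
    rec = {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "sport": int(m.group("sport")) if m.group("sport") else None,
        "dst": m.group("dst"),
        "dport": int(m.group("dport")) if m.group("dport") else None,
        "proto": n.group("proto"),
        "ttl": int(n.group("ttl")),
        "ipid": int(n.group("ipid")),
        "iplen": int(n.group("iplen")),
        "dgmlen": int(n.group("dgmlen")),
        "ipflags": n.group("flags").split(),
        "detail": lines[2] if len(lines) > 2 else "",
    }
    # Third line is protocol specific: pull out the fields worth filtering on.
    if rec["proto"] == "ICMP":
        t = re.search(r"Type:(\d+)\s+Code:(\d+)", rec["detail"])
        if t:
            rec["icmp_type"], rec["icmp_code"] = int(t.group(1)), int(t.group(2))
    elif rec["proto"] == "TCP":
        f = re.match(r"([*12UAPRSF]{8})\s+Seq:", rec["detail"])
        if f:
            rec["tcpflags"] = f.group(1)
    return rec


def snmp_traps(records):
    """UDP datagrams to port 162, i.e. SNMP traps like the one the post mentions."""
    return [r for r in records if r["proto"] == "UDP" and r["dport"] == 162]


def summarise(records):
    """Packet counts per protocol plus total IP datagram bytes and the bytes
    beyond the IP header (transport header + data) that a full-packet
    database would have to store in addition to the header fields."""
    return {
        "packets": len(records),
        "by_proto": dict(Counter(r["proto"] for r in records)),
        "dgm_bytes": sum(r["dgmlen"] for r in records),
        "beyond_ip_header_bytes": sum(r["dgmlen"] - r["iplen"] for r in records),
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r["ts"], r["proto"], r["src"], "->", r["dst"], r["dgmlen"], "bytes")
    print(summarise(recs))
```

Run it against a file produced by redirecting Snort's console output and the summary gives a per-protocol packet count and a byte total; feeding a day of traffic from the public interface through it is a quick way to size a central alert database before turning full-packet logging on.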