[ale] RE: Snort

Chris Ricker kaboom at gatech.edu
Tue Aug 19 14:34:02 EDT 2003


On Tue, 19 Aug 2003, Christopher Fowler wrote:

> I see this pop up on my screen:
> 
> 08/19-14:07:24.389362 192.168.2.8 -> 192.168.2.231
> ICMP TTL:64 TOS:0x0 ID:45505 IpLen:20 DgmLen:84
> Type:0  Code:0  ID:16128  Seq:0  ECHO REPLY
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 
> But ACID is not showing this traffic in the MySQL database.  One
> of my devices sent an SNMPv1 trap to me and that did show up in the database.
> So far the only thing that showed up was the SNMP trap.

You don't have snort configured with the right output plugin, or else you 
don't have the snort tables created correctly. Start by checking the output 
mysql line in snort.conf.

> Is it wrong to have a central database for alerts?  Would that not
> increase the traffic massively if I was to log *everything*?  My goal
> is to log everything on my public interface.

If you want to analyze it, you've got to log it somewhere....

later,
chris
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
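An added example (not from the thread, and not Snort's own code) of the check Chris suggests: a small Python parser for the Snort 2.x `output database: <alert|log>, <db type>, key=value ...` directive that reports whether an active MySQL output line exists and whether it carries the connection parameters needed to reach the database. The snort.conf excerpt is constructed.

```python
"""Check a snort.conf for a usable 'output database' MySQL directive (Snort 2.x syntax)."""
import re
from typing import Dict, List

# Constructed snort.conf excerpt: the first database line is commented out,
# so only the third line is an active output plugin for MySQL.
SAMPLE_CONF = """\
# output database: log, mysql, user=snort password=secret dbname=snort host=localhost
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=snort dbname=snort host=localhost
"""

OUTPUT_DB_RE = re.compile(r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$")
REQUIRED_PARAMS = ("dbname", "user", "host")  # without these the plugin cannot connect


def parse_output_database(conf_text: str) -> List[Dict[str, object]]:
    """Return one dict per active (uncommented) 'output database' directive."""
    found = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment; commented lines become ''
        m = OUTPUT_DB_RE.match(line)
        if not m:
            continue
        facility, db_type, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
        params = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        found.append({"line": lineno, "facility": facility, "db": db_type, "params": params})
    return found


def check_mysql_output(conf_text: str) -> List[str]:
    """Return a list of problems; an empty list means a MySQL output line looks usable."""
    problems = []
    mysql = [d for d in parse_output_database(conf_text) if d["db"] == "mysql"]
    if not mysql:
        problems.append("no active 'output database: ..., mysql, ...' line (missing or commented out)")
        return problems
    for d in mysql:
        missing = [k for k in REQUIRED_PARAMS if k not in d["params"]]
        if missing:
            problems.append(f"line {d['line']}: missing parameter(s) {', '.join(missing)}")
        if d["facility"] not in ("alert", "log"):
            problems.append(f"line {d['line']}: facility must be 'alert' or 'log', got {d['facility']!r}")
    return problems


if __name__ == "__main__":
    print(parse_output_database(SAMPLE_CONF))
    print(check_mysql_output(SAMPLE_CONF) or "output database line for mysql looks OK")
```

Note that an empty problem list only means the directive is well formed; whether the Snort tables actually exist in that database still has to be checked on the MySQL side.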