RE: ISS and Snort logs

From: Luke Leboeuf <luke(at)arcsight.com>
Date: Fri Apr 11 2003 - 18:14:10 EDT

Probably not, seeing as the event collector would not have any key for the snort sensor. However, if you could figure out some way to normalize snorts events to ISS database schema, create a DB user for the snort sensor to have write access to the SQL DB, and figure out a way for the sensor to make ODBC calls to the ISSED database to insert events, I guess, in theory, it could be possible. If you get it to work let everyone know. There are other applications that you can use to bring your snort logs and your ISS siteprotector logs into one usable, database and correlation engine (like the free Acid). They usually cost a pretty penny. Good luck!

Luke LeBoeuf
ArcSight, Inc.
(c) 571.331.5142
(e) luke@arcsight.com

http://www.arcsight.com

-----Original Message-----
From: Scott M. Algatt [mailto:salgatt@turtleshell.net] Sent: Tuesday, April 08, 2003 10:26 AM
To: focus-ids@securityfocus.com
Subject: ISS and Snort logs

I am trying to see if there is a way to have ISS's SiteProtector receive Snort logs realtime?

Regards,

Scott M. Algatt

Behold the turtle. He makes progress only when he sticks his neck out.

---

ALERT: Exploiting Web Applications- A Step-by-Step Attack Analysis Learn why 70% of today's successful hacks involve Web Application attacks such as: SQL Injection, XSS, Cookie Manipulation and Parameter Manipulation.
http://www.spidynamics.com/mktg/webappsecurity71

---

ALERT: Exploiting Web Applications- A Step-by-Step Attack Analysis Learn why 70% of today's successful hacks involve Web Application attacks such as: SQL Injection, XSS, Cookie Manipulation and Parameter Manipulation.
http://www.spidynamics.com/mktg/webappsecurity71 Received on Fri Apr 11 18:16:47 2003