Hosting Provided By

RE: ISS and Snort logs

From: Security Conscious <mail(at)security-conscious.com>
Date: Fri Apr 18 2003 - 15:24:58 EDT

Another option would be to use Snorts SQL Server output module and sends alerts directly the ISS SQL Server. On the ISS SQL Server you would create another database (Snort DB) with the Snort schema. Snort would alert/log to the Snort DB. You could then create triggers to do a select from (Snort DB) insert into (ISS DB) for each event added to the Snort DB.

The challenge you are going to have is mapping the Snort events into the ISS meta data (e.g., classification, priority, category, etc.) and not breaking their front-end in the process. I'd also look into the licensing agreement as it pertains to this sort of customization - it could impact your licensing/support agreement.

Good luck,

Chris Petersen
Security Conscious, Inc.
www.security-conscious.com

the ISS schema

> -----Original Message-----

INTRUSION PREVENTION: READY FOR PRIME TIME? IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities - including intrusion identification, relevancy, direction, impact and analysis - enabling a path to prevention.

Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: http://www.securityfocus.com/IntruVert-focus-ids Received on Mon Apr 21 18:53:58 2003

This message: [ Message body ]
Next message: Security News: "RE: host-based ips ?"
Previous message: John Ruff: "Re: host-based ips ?"
In reply to: Scott M. Algatt: "RE: ISS and Snort logs"
In reply to Luke Leboeuf: "RE: ISS and Snort logs"
Next in thread: Brian: "Re: ISS and Snort logs"
Reply: Brian: "Re: ISS and Snort logs"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:11 EDT

Do you need help?