Re: ISS and Snort logs

On Fri, Apr 18, 2003 at 03:24:58PM -0400, Security Conscious wrote:
> Another option would be to use Snorts SQL Server output module and sends

A cheaper/uglier option is to have snort log via syslog and use ISS's HIDS component and add signatures in the HIDS for each snort rule you enable. Since you wouldn't be mucking with the underpinnings of ISS's database, you will not get into support/licensing issues. You know the type:

   "Oh, you did what to the database? OK, first thing. Reinstall."

You are running an IDS on NT, so you should be used to this already. ;P

Anyway, using the syslog method would This would be easier to setup initially but would require more maintenance as when new rules are added to snort, you will need to add rules to your HIDS. But at least you won't have to pay your DBA more than you already do.

That, or you could look at getting an ESM type product that actually handles all of this foo for you. There are dozens of products that attempt to accomplish your specific problem.

-brian

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: http://www.securityfocus.com/IntruVert-focus-ids Received on Sat Apr 26 13:40:44 2003