Hosting Provided By

Re: network audit

From: Bear Giles <bgiles(at)coyotesong.com>
Date: Wed Mar 26 2003 - 15:50:34 EST

Eckhardt, Rodolpho H. O. wrote:
> I would say Snort <www.snort.org> is a good choice!

It can also log into PostgreSQL and other databases.

I mention this since MySQL is rather weak on the advanced database features. You can probably define the joins yourself in your scripts (although some of mine do include some subselect clauses), but that's error prone and hard to maintain. With PostgreSQL and others, you can set up some views and have

PostgreSQL supports triggers, views, insertion rules, subselects, etc.. This makes the database much easier to work with since my views fold in the human-readable content, or compute some useful item.

Below are several sample views... I wish I had documented better what they're supposed to do. :-) I'm pretty sure 'snort1' creates a view that provides the event signature and frequency count. Snort2 is a view that can best be described as "ipevents," and snort3 is folds in a description of that event.

Bear

create view snort1 as

	select * from
		(select sig_id,count(*) from event join signature
			on event.signature=signature.sig_id group by sig_id) as f
		natural join signature -- adds rest of data
		natural join sig_class -- adds sig_class_name
	;

create view snort1b as
	select * from sig_reference
		natural join reference
		natural join reference_system
	;

create view snort2 as
	select * from event natural join iphdr;

create view snort3 as
	select * from
		event join signature
			on event.signature=signature.sig_id
		natural join sig_class -- adds sig_class_name
		natural join snort2
	;


-------------------------------------------------------------------

SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.surfcontrol.com/go/zsfsbl1 Received on Thu Mar 27 10:05:49 2003

Do you need help?

This message: [ Message body ]
Next message: James Taylor: "Re: Security Approval Process"
Previous message: Burton M. Strauss III: "RE: Strange Packet logs in ipchains"
In reply to Eckhardt, Rodolpho H. O.: "Re: network audit"
Next in thread: Burton M. Strauss III: "RE: network audit"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:03:59 EDT