This is a discussion on [Snort-users] Re: Snort-users digest, Vol 1 #3813 - 6 msgs within the Snort forums, part of the System Security and Security Related category.
----- Original Message -----
From: <snort-users-request@lists.sourceforge.net>
To: <snort-users@lists.sourceforge.net>
Sent: Thursday, December 11, 2003 6:05 AM
Subject: Snort-users digest, Vol 1 #3813 - 6 msgs

> Send Snort-users mailing list submissions to
> snort-users@lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/...fo/snort-users
> or, via email, send a message with subject or body 'help' to
> snort-users-request@lists.sourceforge.net
>
> You can reach the person managing the list at
> snort-users-admin@lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
> Today's Topics:
>
> 1. Snort, Mysql purging (Jack Snedecor)
> 2. Database output (Erwin Van de Velde)
> 3. Visual Basic excel graph (Mario Guerendo)
> 4. Re: Snort, Mysql purging (Josh Berry)
> 5. Re: Snort, Mysql purging (Frank Knobbe)
> 6. src/snortman.tex (Ted Rolle)
>
> --__--__--
>
> Message: 1
> From: Jack Snedecor <jsnedecor@geninfo.com>
> To: snort-users@lists.sourceforge.net
> Date: Wed, 10 Dec 2003 18:11:18 -0500
> Subject: [Snort-users] Snort, Mysql purging
>
> New user....
>
> I have installed snort, mysql and acid per the published instructions.
> Works great.
>
> I am by no means an expert at any of these though.
>
> What I have not found is a method to purge the database on a regular
> schedule.
>
> I had a minor welchia virus this week that drove the database size way up.
> Now acid is taking mins. to build pages. Can someone point me in the right
> direction?
>
> Jack Snedecor
> GiS
> VP, Network Operations Group
>
> -----Original Message-----
> From: Sp0oKeR Labs [mailto:spooker@spooker.com.br]
> Sent: Wednesday, December 10, 2003 6:47 PM
> To: Grammer, Christopher S; snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] Remote NIDS
>
> At your snort.conf, in all sensors use:
>
> output database: log, mysql, user=user_snort password=pass_snort
> dbname=db_snort host=ip_server_mysql_acid
>
> You can create the snort database with create_mysql at contrib/ directory ..
>
> Best Regards,
>
> Sp0oKeR
>
> ----- Original Message -----
> From: Grammer, <mailto:christopher.grammer@eds.com> Christopher S
> To: snort-users@lists.sourceforge.net <mailto:snort-users@lists.sourceforge.net>
> Sent: Wednesday, December 10, 2003 7:03 PM
> Subject: [Snort-users] Remote NIDS
>
> I am looking for a method to have remote NIDS log alerts to a central
> SNORT/Acid box running MySQL and Redhat 9.0.
> Anyone have a link for docs on this or recommendations?
>
> Chris
>
> --__--__--
>
> Message: 2
> From: Erwin Van de Velde <erwin.vandevelde@ua.ac.be>
> To: snort-users@lists.sourceforge.net
> Date: Thu, 11 Dec 2003 00:14:37 +0100
> Subject: [Snort-users] Database output
>
> Hi,
>
> I'm using a postgresql database to store the output of my snort sensors, but
> what happens if the database is temporarily unavailable (for instance,
> connecting fails due to a heavy load on network / database)? Does snort keep
> the queries for sending when database connectivity is restored? Or are these
> queries dropped?
> In my opinion, storing these queries temporarily is the safest solution, as we
> must certainly log data when a severe attack on our network takes place...
> And then chances are bigger that we can't connect to the database
> immediately.
> And does snort open a database connection for every query it sends? Or is
> there some sort of persistent connection (for example one that times out
> after 1 minute of inactivity, closing the connection then)...
> I'd like to use SSL connections to the database, using stunnel, but opening a
> connection for every query would have severe consequences for network and
> server.
>
> Thanks in advance,
>
> Erwin Van de Velde
> Student of Antwerp University
> Belgium
>
> --__--__--
>
> Message: 3
> From: "Mario Guerendo" <m.guerendo@comcast.net>
> To: <snort-users@lists.sourceforge.net>
> Date: Wed, 10 Dec 2003 18:31:16 -0500
> Subject: [Snort-users] Visual Basic excel graph
>
> Hello everyone,
>
> I have a little project, I am trying to have a script/program that would
> data on attacks, Denial of Service attacks to be precise. I would like to
> dump the data in an excel spreadsheet and create pie chart /bar graph.
> Anyone willing to help? I am willing to pay a few bucks for this.
>
> Thx for the help.
>
> --__--__--
>
> Message: 4
> Date: Wed, 10 Dec 2003 17:36:39 -0600 (CST)
> Subject: Re: [Snort-users] Snort, Mysql purging
> From: "Josh Berry" <josh.berry@netschematics.com>
> To: "Jack Snedecor" <jsnedecor@geninfo.com>
> Cc: snort-users@lists.sourceforge.net
>
> I HIGHLY suggest NOT deleting the information. I suggest having a
> secondary archive db that you move stuff like Welchia to when you think
> you don't need it anymore. That way you can keep the data and free up
> resources on your primary DB. Then if you really need to delete the data
> you can on the archive.
>
> Acid provides a drop-down bar to allow you to delete any query you run but
> if you really want to purge the DB then use a truncate table [table_name]
> command in MySQL.
>
> Thanks,
> Josh Berry, CTO
> LinkNet-Solutions
> 469-831-8543
> josh.berry@linknet-solutions.com
>
> --__--__--
>
> Message: 5
> Subject: Re: [Snort-users] Snort, Mysql purging
> From: Frank Knobbe <frank@knobbe.us>
> To: snort-users@lists.sourceforge.net
> Cc: Jack Snedecor <jsnedecor@geninfo.com>, Josh Berry <josh.berry@netschematics.com>
> Date: Wed, 10 Dec 2003 17:56:46 -0600
>
> On Wed, 2003-12-10 at 17:36, Josh Berry wrote:
> > I HIGHLY suggest NOT deleting the information. I suggest having a
> > secondary archive db that you move stuff like Welchia to when you think
> > you don't need it anymore.
>
> I guess that all depends on your or your company's policy. You can dump
> certain data. I routinely dump the contents of the DATA table for
> certain signatures after a period of time. I don't see a reason to keep
> the same exact content for, say, the SQL-Slammer in the DB. Other
> content (IPHDR and friends) is archived. But certain ballast is dumped.
>
> You need to consider the usefulness of the data. Will you ever go back
> to data from IPHDR for an event that occurred a year ago?
>
> Perhaps this thread can evolve into a DB/data retention policy thread.
> To yell categorically "yes" or "no" is wrong. The correct answer is
> "depends" :)
>
> Cheers,
> Frank
>
> --__--__--
>
> Message: 6
> Date: Wed, 10 Dec 2003 21:16:53 -0600 (CST)
> From: Ted Rolle <ted@php.net>
> To: snort-users@lists.sourceforge.net
> Subject: [Snort-users] src/snortman.tex
>
> Where is src/snortman.tex? It's mentioned in the Snort docs, but I've not
> found it. Even after a Google search. Also is there an HTML version of
> the docs with hyperlinking?
>
> Thanks
>
> --__--__--
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/...fo/snort-users
>
> End of Snort-users Digest
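Josh's "move it to an archive DB instead of deleting" advice (Message 4) and Frank's "dump the DATA table for certain signatures after a period, keep the rest" practice (Message 5) as one worked retention job. This is an added example, not code from the thread or from the Snort project: it uses an in-memory SQLite stand-in for MySQL, a subset of the tables created by contrib/create_mysql (signature, event, data), an attached database named archive (assumed to be a second database on the same server in real use, reachable as archive.<table>), constructed signature names and events, and an assumed 30-day retention window.

```python
import sqlite3
from datetime import datetime, timedelta
# Constructed subset of the Snort DB schema (table/column names as in
# contrib/create_mysql); in-memory SQLite stands in for MySQL so it runs offline.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER NOT NULL,
                    timestamp TEXT NOT NULL, PRIMARY KEY (sid, cid));
CREATE TABLE data (sid INTEGER, cid INTEGER, data_payload TEXT, PRIMARY KEY (sid, cid));
"""

def retire_events(con, sig_name, cutoff, payload_only=False):
    """Move events of sig_name older than cutoff (a datetime) to the attached 'archive'
    DB, or with payload_only=True keep them and drop only their payload rows in `data`."""
    con.execute("CREATE TEMP TABLE IF NOT EXISTS retire (sid, cid)")
    con.execute("DELETE FROM retire")
    con.execute("""INSERT INTO retire SELECT e.sid, e.cid FROM event e
                   JOIN signature s ON s.sig_id = e.signature
                   WHERE s.sig_name = ? AND e.timestamp < ?""",
                (sig_name, cutoff.strftime("%Y-%m-%d %H:%M:%S")))
    tables = ("data",) if payload_only else ("data", "event")
    with con:  # copy and delete in one transaction so a failure loses nothing
        if not payload_only:
            con.execute("INSERT OR IGNORE INTO archive.signature SELECT * FROM signature")
        for t in tables:
            if not payload_only:
                con.execute(f"INSERT INTO archive.{t} SELECT x.* FROM {t} x "
                            f"JOIN retire r ON r.sid = x.sid AND r.cid = x.cid")
            con.execute(f"DELETE FROM {t} WHERE EXISTS (SELECT 1 FROM retire r "
                        f"WHERE r.sid = {t}.sid AND r.cid = {t}.cid)")
    return con.execute("SELECT COUNT(*) FROM retire").fetchone()[0]

def demo():
    """Constructed sample: sensor DB + attached 'archive' DB, three events, 30-day retention."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.execute("ATTACH DATABASE ':memory:' AS archive")
    con.executescript(SCHEMA.replace("CREATE TABLE ", "CREATE TABLE archive."))
    now = datetime(2003, 12, 10, 18, 0, 0)  # constructed "today"
    ts = lambda days_ago: (now - timedelta(days=days_ago)).strftime("%Y-%m-%d %H:%M:%S")
    con.execute("INSERT INTO signature VALUES (1, 'welchia'), (2, 'slammer')")
    rows = [(1, 1, 1, ts(40)), (1, 2, 1, ts(2)), (1, 3, 2, ts(40))]
    con.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", rows)
    con.executemany("INSERT INTO data VALUES (?, ?, 'pkt')", [r[:2] for r in rows])
    moved = retire_events(con, "welchia", now - timedelta(days=30))
    trimmed = retire_events(con, "slammer", now - timedelta(days=30), payload_only=True)
    n = lambda q: con.execute(q).fetchone()[0]
    return {"moved": moved, "trimmed": trimmed, "events": n("SELECT COUNT(*) FROM event"),
            "payloads": n("SELECT COUNT(*) FROM data"),
            "archived": n("SELECT COUNT(*) FROM archive.event")}
```

The old welchia event is moved to the archive with its payload, while the old slammer event keeps its event row and loses only its payload; the recent welchia event is untouched by both passes.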