PortSentry vs. Snort

Jamie Baddeley jamie.baddeley at vpc.co.nz
Wed Apr 30 02:04:30 CEST 2003


Hi Jim,

I've been using snort+acidlab+mysql for a while now. To be honest I've never
considered fully integrating the two things other than superficially (i.e. an
IDS button in the side menu).

Taking a quick look at what I've got, it seems that there's probably 3 ways
to do it:

1. Extend check_mysql to look into fields of the relevant table of the snort
db. (i.e. look for sig_name blah in the sig_name field inside the acid_event table of
the snort db)
2. Do a check_http on a certain acidlab page and expect a certain response
(yuck)
3. Scan /var/log/snort/alert and look for "something" (yuck)

It seems to me that extending check_mysql to look inside the db would be useful
to other people too for different needs.

The approach I've detailed above tends to fail if you've got a major
intrusion on your hands and you've got a stream of alerts. But if you want it
to be a trigger to "go look at the IDS now!" then it should work fine.

Other approaches would probably involve the snort module sending something
to a nagios passive check via a unixsocket (perhaps) or maybe using
alert_fast and check_log.pl.

I think your approach depends on how you want to be aware of an intrusion.
Do you want to wait for a periodic check, or do you need to be notified as
it happens (i.e. quasi real time)?

Looking at how Portsentry used to operate, I'd guess passive, right? So it'd
involve this:
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.5

peace.

jamie
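The "alert_fast + passive check" route sketched above, worked through as an added example. This is not code from the thread or from the Snort or Nagios projects: it parses the classic one-line Snort alert_fast layout (the sample lines are constructed here), maps a batch of alerts to a Nagios state using threshold values that are assumptions for the example, and formats the PROCESS_SERVICE_CHECK_RESULT external command that Nagios reads from its command file (the pipe path is also an assumption; check your nagios.cfg).

```python
"""Turn Snort alert_fast lines into a Nagios passive check result.

Added example, not from the mailing-list thread or from Snort/Nagios.
Assumes the classic one-line alert_fast format shown in SAMPLE_ALERTS
(constructed here for illustration).
"""
import re
import time

# Standard Nagios plugin return codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed sample of alert_fast output; one alert per line, plus a junk line.
SAMPLE_ALERTS = """\
04/30-02:01:10.123456  [**] [1:1000001:1] EXAMPLE-SIG portscan-ish probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40123 -> 198.51.100.5:22
04/30-02:01:11.223456  [**] [1:1000001:1] EXAMPLE-SIG portscan-ish probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40124 -> 198.51.100.5:23
04/30-02:03:59.000001  [**] [1:1000002:1] EXAMPLE-SIG suspicious web request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.77:51000 -> 198.51.100.5:80
this line is not an alert and must be ignored
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<name>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_alerts(text):
    """Return a dict per line that matches the alert_fast layout; skip the rest."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # junk, partial writes, etc.
        d = m.groupdict()
        d["prio"] = int(d["prio"])
        alerts.append(d)
    return alerts


def evaluate(alerts, warn_at=1, crit_at=5, crit_priority=1):
    """Map a batch of alerts to (nagios_state, plugin_output).

    Thresholds are assumptions for this example: any alert at or above
    crit_priority (lower number = more severe), or crit_at or more alerts of
    any priority, is CRITICAL; warn_at or more alerts is WARNING.
    """
    if not alerts:
        return OK, "SNORT OK - no alerts"
    high = [a for a in alerts if a["prio"] <= crit_priority]
    names = sorted({a["name"] for a in alerts})
    summary = "%d alerts (%d high priority): %s" % (len(alerts), len(high), "; ".join(names))
    if high or len(alerts) >= crit_at:
        return CRITICAL, "SNORT CRITICAL - " + summary
    if len(alerts) >= warn_at:
        return WARNING, "SNORT WARNING - " + summary
    return OK, "SNORT OK - " + summary


def passive_command(host, service, state, output, now=None):
    """Build one PROCESS_SERVICE_CHECK_RESULT line for the Nagios command file."""
    now = int(time.time()) if now is None else int(now)
    # ';' separates fields and a newline ends the command, so neutralise both.
    output = output.replace("\n", " ").replace(";", ",")
    return "[%d] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%d;%s\n" % (now, host, service, state, output)


def submit(cmd_line, command_file="/var/nagios/rw/nagios.cmd"):
    """Append the command to the Nagios named pipe (default path is an assumption)."""
    with open(command_file, "a") as fh:
        fh.write(cmd_line)


if __name__ == "__main__":
    state, text = evaluate(parse_alerts(SAMPLE_ALERTS))
    print(passive_command("ids-host", "Snort alerts", state, text, now=1051660800), end="")
    # To use the same logic as an active check instead: print(text); raise SystemExit(state)
```

Run it periodically over the portion of the alert file written since the last run (or feed it from a tail), and pipe the printed line into the command file with submit(); the same evaluate() result doubles as an active-check exit status if you would rather let Nagios poll.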





----- Original Message -----
From: "Carroll, Jim P [Contractor]" <jcarro10 at sprintspectrum.com>
To: "Nagios-Users" <nagios-users at lists.sourceforge.net>
Sent: Wednesday, April 30, 2003 10:16 AM
Subject: [Nagios-users] PortSentry vs. Snort


> It seems that PortSentry itself is no longer available.  Either that, or
> I'm looking in the wrong places.
>
> However, Snort *is* an option.  Has anyone integrated Snort with Nagios?
>
> jc
>



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null