PortSentry vs. Snort

Jasmine jasmine.chua at securecirt.com
Wed Apr 30 08:53:40 CEST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi 

I think it's not very feasible to extend the check_mysql plugin and trigger that 
"go look at the IDS now"... you may want to take a look at sguild on sf.net, 
but then again it's individual preference. 

:-) 


On Wednesday 30 April 2003 08:04, Jamie Baddeley wrote:
> Hi Jim,
>
> I've been using snort+acidlab+mysql for a while now. To be honest I've
> never considered fully integrating the two things other than superficially
> (i.e an IDS button in the side menu).
>
> Taking a quick look at what I've got, it seems that there's probably 3 ways
> to do it:
>
> 1. Extend check_mysql to look into fields of the relevant table of the
> snort db. (i.e look for sig_name blah in sig_name field inside acid_event
> table of snort db)
> 2. Do a check_http on a certain acidlab page and expect a certain response
> (yuck)
> 3. Scan /var/log/snort/alert and look for "something" (yuck)
>
> It seems to me that extending check_mysql to look inside the db would be
> useful to other people too for different needs.
>
> The approach I've detailed above tends to fail if you've got a major
> intrusion on your hands and you've got a stream of alerts. But if you want it
> to be a trigger to "go look at the IDS now!" then it should work fine.
>
> Other approaches would probably involve the snort module sending something
> to a nagios passive check via a unixsocket (perhaps) or maybe using
> alert_fast and check_log.pl.
>
> I think your approach depends on how you want to be aware of an intrusion.
> Do you want to wait for a periodic check, or do you need to be notified as
> it happens (i.e quasi real time).
>
> Looking at how Portsentry used to operate I'd guess passive right? So it'd
> involve this:
> http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.5
>
> peace.
>
> jamie
>
> ----- Original Message -----
> From: "Carroll, Jim P [Contractor]" <jcarro10 at sprintspectrum.com>
> To: "Nagios-Users" <nagios-users at lists.sourceforge.net>
> Sent: Wednesday, April 30, 2003 10:16 AM
> Subject: [Nagios-users] PortSentry vs. Snort
>
> > It seems that PortSentry itself is no longer available.  Either that, or
> > I'm looking in the wrong places.
>
> > However, Snort *is* an option.  Has anyone integrated Snort with Nagios?
> >
> > jc

- -- 
Jasmine Chua


"Without change, something sleeps inside us, and seldom awakens.  The
sleeper must be awaken." -- Duke Leto Atreides
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+r3L4NgvTa7Hj2AURAmaUAKCfSHsExl7wMBOBbQcVdW4I9rmNEgCffxG7
1VonTFzH7s6CW/01Agm4rgc=
=bjuD
-----END PGP SIGNATURE-----
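Jamie's option 3 and the "alert_fast and check_log.pl" idea above, written out as a small Nagios-style check. This is an added example, not code from any poster in this thread, from the Nagios plugins, or from Snort. It assumes (hypothetically) that Snort writes alert_fast lines to /var/log/snort/alert, that a state file records the byte offset already reported so a flood of alerts is counted rather than re-reported on every poll (the failure mode Jamie mentions), and that severity is taken from Snort's "[Priority: N]" field, with 1 the most severe; the sample alert lines are constructed, not captured.

```python
#!/usr/bin/env python3
"""check_snort_alerts: a minimal Nagios-style check over Snort's alert_fast output.

Added example for the thread above; not code from any of the posters, from the
Nagios plugins, or from Snort. Assumptions (hypothetical): the alert file lives
at /var/log/snort/alert, a state file records the byte offset already reported,
and severity comes from Snort's "[Priority: N]" field (1 = most severe).
"""
import os
import re
import sys
from collections import Counter

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# One alert_fast line has this shape:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample alert_fast lines (not real captures); the last one is noise.
SAMPLE_LINES = [
    "04/30-08:04:12.123456  [**] [1:1000001:1] TEST scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:3421 -> 10.0.0.1:80",
    "04/30-08:04:13.000001  [**] [1:1000001:1] TEST scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:3422 -> 10.0.0.1:81",
    "04/30-08:05:00.500000  [**] [1:1000002:3] TEST admin login [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.9:5001 -> 10.0.0.1:22",
    "this line is not an alert and must be ignored",
]


def parse_alert_fast(line):
    """Return a dict for a well-formed alert_fast line, or None for anything else."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    # A line without a Priority field is treated as low severity (3); this is our choice, not a Snort rule.
    d["prio"] = int(d["prio"]) if d["prio"] else 3
    return d


def read_new_lines(alert_path, state_path):
    """Read only the lines appended since the last run, tracking the byte offset in state_path.

    A file that is now smaller than the saved offset has been rotated, so it is read from the start.
    """
    try:
        with open(state_path) as f:
            offset = int(f.read().strip() or 0)
    except (OSError, ValueError):
        offset = 0
    if os.path.getsize(alert_path) < offset:
        offset = 0
    with open(alert_path, "rb") as f:
        f.seek(offset)
        data = f.read()
    with open(state_path, "w") as f:
        f.write(str(offset + len(data)))
    return data.decode("utf-8", "replace").splitlines()


def evaluate(lines, warn_prio=3, crit_prio=1, crit_count=10):
    """Map a batch of alert lines to a Nagios status and a one-line summary.

    CRITICAL: any alert with priority <= crit_prio, or crit_count or more new alerts
              (a flood is itself the "go look at the IDS now" trigger).
    WARNING:  any alert with priority <= warn_prio.
    OK:       nothing new. Unparseable lines never raise the status.
    """
    alerts = [a for a in (parse_alert_fast(l) for l in lines) if a]
    if not alerts:
        return OK, "OK - no new Snort alerts"
    worst = min(a["prio"] for a in alerts)
    top = Counter(a["msg"] for a in alerts).most_common(1)[0][0]
    summary = "%d new alerts, worst priority %d, most frequent: %s" % (len(alerts), worst, top)
    if worst <= crit_prio or len(alerts) >= crit_count:
        return CRITICAL, "CRITICAL - " + summary
    if worst <= warn_prio:
        return WARNING, "WARNING - " + summary
    return OK, "OK - " + summary


def main(argv):
    alert_path = argv[1] if len(argv) > 1 else "/var/log/snort/alert"
    state_path = argv[2] if len(argv) > 2 else "/var/lib/nagios/check_snort.offset"
    try:
        lines = read_new_lines(alert_path, state_path)
    except OSError as e:
        print("UNKNOWN - cannot read %s: %s" % (alert_path, e))
        return UNKNOWN
    code, text = evaluate(lines)
    print(text)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a Nagios command definition as `check_snort_alerts.py /var/log/snort/alert /var/lib/nagios/check_snort.offset`; the state file must be writable by the Nagios user, and because the offset advances on every poll, an alert is reported once and the next poll returns to OK unless new alerts arrive, which is the periodic-check behaviour Jamie contrasts with a passive, near-real-time submission.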



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null