PortSentry vs. Snort

Jonathan Gill jonathan.gill at securecirt.com
Wed Apr 30 09:40:20 CEST 2003


Hi All.

There is another choice that may be worth looking at.  

Prelude.  It's a hybrid IDS that can work with snort and with "other" log 
files; from claims I have heard, it works with nagios, but I haven't 
tried it personally.

The URL is http://www.prelude-ids.org/ 

Should give you a way to tie all events, both nagios and ids together.

Hope this helps.

Jonathan


On Wednesday 30 April 2003 2:53 pm, Jasmine wrote:
> Hi
>
> I think it's not very feasible to extend the check_mysql plugin and
> trigger that "go look at the IDS now"... you may want to take a look
> at sguild on sf.net, but then again it's individual preference.
>
> :-)
>
> On Wednesday 30 April 2003 08:04, Jamie Baddeley wrote:
> > Hi Jim,
> >
> > I've been using snort+acidlab+mysql for a while now. To be honest
> > I've never considered fully integrating the two things other than
> > superficially (i.e. an IDS button in the side menu).
> >
> > Taking a quick look at what I've got, it seems that there's
> > probably 3 ways to do it:
> >
> > 1. Extend check_mysql to look into fields of the relevant table of
> > the snort db. (i.e. look for sig_name blah in the sig_name field inside
> > the acid_event table of the snort db)
> > 2. Do a check_http on a certain acidlab page and expect a certain
> > response (yuck)
> > 3. Scan /var/log/snort/alert and look for "something" (yuck)
> >
> > It seems to me that extending check_mysql to look inside the db
> > would be useful to other people too for different needs.
> >
> > The approach I've detailed above tends to fail if you've got a
> > major intrusion on your hands and you've got a stream of alerts. But
> > if you want it to be a trigger to "go look at the IDS now!" then it
> > should work fine.
> >
> > Other approaches would probably involve the snort module sending
> > something to a nagios passive check via a unixsocket (perhaps) or
> > maybe using alert_fast and check_log.pl.
> >
> > I think your approach depends on how you want to be aware of an
> > intrusion. Do you want to wait for a periodic check, or do you need
> > to be notified as it happens (i.e. quasi real time)?
> >
> > Looking at how PortSentry used to operate, I'd guess passive, right?
> > So it'd involve this:
> > http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.5
> >
> > peace.
> >
> > jamie
> >
> >
> >
> >
> >
> > ----- Original Message -----
> > From: "Carroll, Jim P [Contractor]" <jcarro10 at sprintspectrum.com>
> > To: "Nagios-Users" <nagios-users at lists.sourceforge.net>
> > Sent: Wednesday, April 30, 2003 10:16 AM
> > Subject: [Nagios-users] PortSentry vs. Snort
> >
> > > It seems that PortSentry itself is no longer available.  Either
> > > that, or I'm looking in the wrong places.
> >
> > > However, Snort *is* an option.  Has anyone integrated Snort with
> > > Nagios?
> > >
> > > jc
> > >
> > >
> > > -------------------------------------------------------
> > > This sf.net email is sponsored by:ThinkGeek
> > > Welcome to geek heaven.
> > > http://thinkgeek.com/sf
> > > _______________________________________________
> > > Nagios-users mailing list
> > > Nagios-users at lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/nagios-users
> > >
> > > ::: Please include Nagios version, plugin version (-v) and OS when
> > > ::: reporting any issue. Messages without supporting info will risk
> > > ::: being sent to /dev/null
> >

-- 
Jonathan Gill              +65 98551701
Chief Technology Officer   +65 62436800
SecureCiRT Pte Ltd
http://www.securecirt.com/
PGP : 315C 314D CD36 CBFF 728E F167 FCD8 15B7 0287
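Jamie's third option above (scan the Snort alert file and look for "something") and his caveat that a single-string match breaks down under a stream of alerts, as an added example that is not code from anyone in this thread: a small Nagios-style check in Python that parses Snort alert_fast lines, counts them by priority and maps the counts to Nagios exit codes instead of matching one signature. The alert_fast line layout, the threshold parameters (warn_total, crit_high, watch_sids) and the sample alerts (sids in the local-rule range) are my assumptions and constructed data, not anything from the original posts.

```python
import re
import sys

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Shape of a Snort "alert_fast" record (assumption: the default fast-output layout):
# [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?\s+\[Priority:\s*(?P<prio>\d+)\]"
)

# Constructed sample alerts (not real events); sids are in the local-rule range.
SAMPLE_ALERTS = """\
04/30-14:53:01.123456  [**] [1:1000001:1] LOCAL probe of closed port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40001 -> 192.0.2.1:22
04/30-14:53:02.654321  [**] [1:1000002:1] LOCAL web server exploit attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:40002 -> 192.0.2.1:80
some unrelated line that is not an alert
04/30-14:53:03.000001  [**] [1:1000001:1] LOCAL probe of closed port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.11:40003 -> 192.0.2.1:23
"""

def parse_alerts(text):
    """Return (sid, message, priority) for every line that parses as an alert_fast record."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append((int(m.group("sid")), m.group("msg"), int(m.group("prio"))))
    return alerts

def evaluate(text, warn_total=1, crit_high=1, watch_sids=()):
    """Map a batch of alert lines to a Nagios status and summary line.

    Counting rather than matching one string keeps the check meaningful during a
    flood: CRITICAL if a watched sid fired or priority-1 alerts reach crit_high,
    WARNING if the total reaches warn_total, otherwise OK. Perfdata follows '|'.
    """
    alerts = parse_alerts(text)
    total = len(alerts)
    high = sum(1 for _, _, prio in alerts if prio == 1)
    watched = sorted({sid for sid, _, _ in alerts if sid in watch_sids})
    perf = f"| total={total} high={high}"
    if watched or high >= crit_high:
        return CRITICAL, f"SNORT CRITICAL - {total} alerts, {high} high priority, watched sids {watched} {perf}"
    if total >= warn_total:
        return WARNING, f"SNORT WARNING - {total} alerts, {high} high priority {perf}"
    return OK, f"SNORT OK - {total} alerts, {high} high priority {perf}"

if __name__ == "__main__":
    # Real use would read the alert file (e.g. /var/log/snort/alert); the constructed sample is used here.
    code, summary = evaluate(SAMPLE_ALERTS, watch_sids=(1000002,))
    print(summary)
    sys.exit(code)
```

Nagios reads the exit code for the state and the first output line for the status text, so the plugin only ever prints one summary line.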