[Snort-users] (no subject)

Subject: [Snort-users] (no subject)
Date: Wed, 29 Sep 2004 13:25:56 +0200
Hi,

I've been using Snort for some time now with database logging. It's the Snort version that is used in PureSecure. I'm not quite sure how they differ, if they do. Demarc has told me that there are some differences between standard Snort and the PS version.
Anyway the problem I have is that reporting to the db is missed if some kind of network connection problem occurs between the sensor and the db.


Is there some well known and practised way around this problem? I've been thinking of logging traffic to disk using tcpdump and with a decent file split size, say 1 MB. Check if there are finished files every 5 minutes, check if there is a working connection with the db, process dump files, report alerts and exit. Hang around for five more minutes and repeat. I've noticed that the reported time for detected events is the timestamp when the alert is stored in the database and not the timestamp of the TCP packet that triggers the event. I guess that the SQL function "now()" is used in the query!?

Does anyone know if I can specify that "now()" shouldn't be used, or some other way to reach my goals?

It just struck my mind that tcpdump most likely doesn't store timestamps for every packet in raw mode. Can I tell it to do so and will Snort be able to read it in case it is possible?

Sincerely
Peter Österberg



Soda Produktion
Peter Osterberg
Zenithgatan 36
212 14  Malmo
Tfn: 040 93 07 07
Mobil: 0709 - 49 49 69
Fax: 040 - 93 14 94
Peter.se
Webb: www.sodapro.se
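The spool-and-replay scheme the post sketches, written out as an added example (not code from the post, Demarc or the Snort project): tcpdump -C rotates capture files by size and -w writes pcap, which records a timestamp for every packet; a periodic loop replays only the finished files with snort -r, and only while the database answers on its port, so a dropped connection leaves the files in the spool for the next round. The spool path, the Snort config location, the TCP probe with nc -z and the "done" directory are assumptions.

```shell
#!/bin/sh
# Spool packets to disk, replay them into Snort when the database is reachable.
# All paths, hosts and ports below are assumed values, not from the post.
SPOOL="${SPOOL:-/var/spool/snortpcap}"
PREFIX="${PREFIX:-trace}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
DB_HOST="${DB_HOST:-db.example.com}"
DB_PORT="${DB_PORT:-3306}"

# -C 1 starts a new file every ~1 MB (trace, trace1, trace2, ...),
# -w writes pcap format, which stores a timestamp per packet, -U flushes each packet.
start_capture() {
    tcpdump -i "${1:-eth0}" -n -U -C 1 -w "$SPOOL/$PREFIX" &
}

# Finished files are every "$PREFIX<N>" except the highest N: tcpdump is
# still writing that one. Numeric sort keeps trace2 ahead of trace10.
finished_pcaps() {
    dir="$1"; prefix="$2"
    for f in "$dir/$prefix" "$dir/$prefix"[0-9]*; do
        [ -f "$f" ] || continue
        n="${f#"$dir/$prefix"}"
        printf '%s %s\n' "${n:-0}" "$f"
    done | sort -n | sed '$d' | cut -d' ' -f2-
}

# Cheap reachability check: can we open a TCP connection to the database port?
db_reachable() {
    nc -z -w 3 "$DB_HOST" "$DB_PORT" >/dev/null 2>&1
}

# Replay each finished file through the normal rules and output plugins.
# A file is moved out of the spool only if Snort exits cleanly, so an
# outage during replay keeps it for the next round instead of losing alerts.
replay_pcaps() {
    db_reachable || { echo "database unreachable, keeping spool" >&2; return 1; }
    finished_pcaps "$SPOOL" "$PREFIX" | while read -r f; do
        snort -q -c "$SNORT_CONF" -r "$f" && mv "$f" "$SPOOL/done/"
    done
}

spool_loop() {
    mkdir -p "$SPOOL/done"
    while :; do replay_pcaps || true; sleep 300; done
}

case "${1:-}" in
    start) start_capture "${2:-eth0}" ;;
    run)   spool_loop ;;
esac
```

Run `sh spool.sh start eth0` once for the capture and `sh spool.sh run` (or the body of replay_pcaps from cron every five minutes) for the replay side.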
