Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] (no subject)

from [Peter Osterberg] Network Security [Permanent Link]
Subject: Re: [Snort-users] (no subject)
Date: Wed, 29 Sep 2004 17:46:14 +0200 
Hi again,

thanks a lot for clarifying a lot to me. I have of course already contacted Demarc about this, they won't help me since PureSecure will be a legacy product some time soon. The software version of their product Sentaurus is their answer. So I decided to try to solve the problem my self. That is why I turned to you guys.

So now it looks like I have to chose from either bad timestamps in my database or the risk of loosing alerts.

Thanks for your help!

/Peter

At 16:45 2004-09-29, Martin Roesch wrote:

On Sep 29, 2004, at 7:25 AM, Peter Osterberg wrote:

Anyway the problem I have is that reporting to the db is missed if some kind of network connection problem occurs between the sensor and the db.

Sounds like they're writing straight to the DB instead of spooling do the local disk prior to writing the events to the DB. The downside to doing it this way is that it's 1) slow (slows down Snort) and 2) lossy in the event of a network outage.

Is there some well known and practised way around this problem? I've been thinking of logging traffic to disk using tcpdump and with a decent file split size, say 1 MB. Check if there are finished files every 5 minutes, check if there is a working connection with the db, process dump files, report alerts and exit. Hang around for five more minutes and repeat. I've noticed that the reported time for detected events is the timestamp when the alert is stored in the database and not the timestamp of the tcppacket that triggers the event. I guess that the SQL function "now()" is used in the query!?

The "right way" to solve this problem is to use Barnyard and unified output, that's what they were written for. I don't know if they'll work with your "modified" Snort from Demarc, but it sounds like you've got a problem that we've already solved here. I don't know if it'll work with your commercial solution, but if you paid money for it you should probably be getting support from them.

Does anyone now if I can specify that "now()" shouldn't be used or some other way the reach my goals?

Digging around a little more, it looks like Barnyard won't work for you if you're using the Puresecure backend, they've got their own modified ACID-like output plugin and their own schema. You should contact Demarc to see if they can come up with a solution for you.

It just struck my mind that tcpdump most likely doesn't store timestamps for every packet in raw mode. Can I tell it to do so and will Snort be able to read it in case it is possible?

Tcpdump does store the timestamp with every packet, as does Snort in pcap and unified output mode.

     -Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org





-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-users] Re: Snort Tool Evaluation, Richard Bejtlich
Next by Date:  Re: [Snort-users] Snort Tool Evaluation, Dirk Geschke
Previous by Thread:  Re: [Snort-users] (no subject), Martin Roesch
Next by Thread:  [Snort-users] I sTarted from the beagining !!!!!!, Juan Fernandez
Indexes:  [Date] [Thread] [Top] [All Lists]