[Snort-users] (no subject)
Peter Osterberg 2004-09-29, 7:57 pm
Hi,
I've been using Snort for some time now with database logging. It's the Snort version that is used in PureSecure. I'm not quite sure how they differ, if they do. Demarc has told me that there are some differences between standard Snort and the PS version.
Anyway the problem I have is that reporting to the db is missed if some kind of network connection problem occurs between the sensor and the db.
Is there some well known and practised way around this problem? I've been thinking of logging traffic to disk using tcpdump and with a decent file split size, say 1 MB. Check if there are finished files every 5 minutes, check if there is a working connection with the db, process dump files, report alerts and exit. Hang around for five more minutes and repeat. I've noticed that the reported time for detected events is the timestamp when the alert is stored in the database and not the timestamp of the TCP packet that triggers the event. I guess that the SQL function "now()" is used in the query!?
Does anyone know if I can specify that "now()" shouldn't be used or some other way to reach my goals?
It just struck my mind that tcpdump most likely doesn't store timestamps for every packet in raw mode. Can I tell it to do so and will Snort be able to read it in case it is possible?
Sincerely
Peter Österberg
Soda Produktion
Peter Osterberg
Zenithgatan 36
212 14 Malmo
Tfn: 040 93 07 07
Mobil: 0709 - 49 49 69
Fax: 040 - 93 14 94
Peter.se
Webb: www.sodapro.se
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
Martin Roesch 2004-09-29, 7:57 pm
On Sep 29, 2004, at 7:25 AM, Peter Osterberg wrote:
> Anyway the problem I have is that reporting to the db is missed if
> some kind of network connection problem occurs between the sensor and
> the db.
Sounds like they're writing straight to the DB instead of spooling to
the local disk prior to writing the events to the DB. The downside to
doing it this way is that it's 1) slow (slows down Snort) and 2) lossy
in the event of a network outage.
> Is there some well known and practised way around this problem? I've
> been thinking of logging traffic to disk using tcpdump and with a
> decent file split size, say 1 MB. Check if there are finished files
> every 5 minutes, check if there is a working connection with the db,
> process dump files, report alerts and exit. Hang around for five more
> minutes and repeat. I've noticed that the reported time for detected
> events is the timestamp when the alert is stored in the database and
> not the timestamp of the TCP packet that triggers the event. I guess
> that the SQL function "now()" is used in the query!?
The "right way" to solve this problem is to use Barnyard and unified
output, that's what they were written for. I don't know if they'll
work with your "modified" Snort from Demarc, but it sounds like you've
got a problem that we've already solved here. I don't know if it'll
work with your commercial solution, but if you paid money for it you
should probably be getting support from them.
> Does anyone know if I can specify that "now()" shouldn't be used or
> some other way to reach my goals?
Digging around a little more, it looks like Barnyard won't work for you
if you're using the Puresecure backend, they've got their own modified
ACID-like output plugin and their own schema. You should contact
Demarc to see if they can come up with a solution for you.
> It just struck my mind that tcpdump most likely doesn't store
> timestamps for every packet in raw mode. Can I tell it to do so and
> will Snort be able to read it in case it is possible?
Tcpdump does store the timestamp with every packet, as does Snort in
pcap and unified output mode.
-Marty
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
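The spool-to-local-disk-then-deliver design Marty describes, written out as an added illustrative example; this is not Barnyard's code, not part of the thread, and the table and column names in `insert_sql`, the spool format and the sample alerts are all constructed here. `ConnectionError` stands in for whatever connection exception the real DB driver raises.

```python
import json, os, tempfile
class AlertSpool:
    """Append-only spool file, one JSON alert per line (single writer assumed)."""
    def __init__(self, path):
        self.path = path
        open(self.path, "a").close()   # make sure the spool exists
    def append(self, alert):
        # The alert carries the packet's own capture time (ts_sec/ts_usec), so the
        # later INSERT can use it instead of the database's now().
        with open(self.path, "a") as fh:
            fh.write(json.dumps(alert, sort_keys=True) + "\n")
    def pending(self):
        with open(self.path) as fh:
            return [json.loads(line) for line in fh if line.strip()]
    def flush(self, insert):
        """Deliver in order; stop at the first outage and keep the undelivered tail on disk."""
        alerts, delivered = self.pending(), 0
        for alert in alerts:
            try:
                insert(alert)
            except ConnectionError:   # stands in for the DB driver's connection error
                break                 # an outage delays the rest but never drops it
            delivered += 1
        with open(self.path, "w") as fh:
            fh.writelines(json.dumps(a, sort_keys=True) + "\n" for a in alerts[delivered:])
        return delivered

def insert_sql(alert):
    """Parameterised INSERT keyed on the packet timestamp, not now() (hypothetical schema)."""
    ts = "%d.%06d" % (alert["ts_sec"], alert["ts_usec"])
    sql = "INSERT INTO event (sensor_id, sig_id, event_time) VALUES (%s, %s, to_timestamp(%s))"
    return sql, (alert["sensor_id"], alert["sig_id"], ts)

def simulate_outage_then_recovery():
    """Constructed scenario: two spooled alerts, DB down on the first flush, up on the second."""
    spool = AlertSpool(os.path.join(tempfile.mkdtemp(), "alerts.spool"))
    base = {"sensor_id": 1, "ts_sec": 1096457159, "src": "10.0.0.5", "dst": "10.0.0.9"}
    spool.append(dict(base, sig_id=1000001, ts_usec=123456))
    spool.append(dict(base, sig_id=1000002, ts_usec=223456))
    stored, calls = [], [0]
    def flaky_insert(alert):
        calls[0] += 1
        if calls[0] == 1:             # first attempt: network problem between sensor and DB
            raise ConnectionError("database unreachable")
        stored.append(alert)
    first = spool.flush(flaky_insert)
    pending = len(spool.pending())
    second = spool.flush(flaky_insert)
    return {"first": first, "pending_after_outage": pending, "second": second,
            "left": len(spool.pending()), "stored_sig_ids": [a["sig_id"] for a in stored]}
```

Barnyard itself reads Snort's unified log and tracks its position with a bookmark (waldo) file instead of rewriting the spool, which is what makes it safe alongside a running sensor; the rewrite above is only safe with a single writer.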
Peter Osterberg 2004-09-29, 7:57 pm
Hi again,
thanks a lot for clarifying a lot to me. I have of course already contacted
Demarc about this, they won't help me since PureSecure will be a legacy
product some time soon. The software version of their product Sentaurus is
their answer. So I decided to try to solve the problem myself. That is why
I turned to you guys.
So now it looks like I have to choose from either bad timestamps in my
database or the risk of losing alerts.
Thanks for your help!
/Peter