Tutorial
Getting the Right Answers From Snort
Jeremy Brinkley, Lead Security Engineer, EDS
Track: Security
Date: Monday, August 1st, 2005
Time: 1:30pm - 5:00pm
Location: E141
Snort is one of the most widely deployed network intrusion detection systems (NIDS) in the world. Helpfully, all its (sometimes copious) data can be logged to a database; but not many security administrators are database experts. Tools like ACID can be used to perform general queries of the Snort database, but it's often desirable to do custom reporting or even write your own database interface.
In this tutorial, Brinkley shows how to use SQL to query the Snort database and explains the tables you need to understand to get the most from the data. He covers constructing the appropriate queries to find unusual TCP flag combinations, to query by subnet, and to answer other questions whose SQL is not immediately obvious. In addition, Brinkley discusses some useful extensions to the Snort schema (and how to create and use them) to enable better custom reporting, as well as database administration tasks considered specifically for Snort, such as making backups and controlling concurrency.
Although Brinkley's examples focus on MySQL, the tutorial will be useful to anyone using Snort.
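The two queries below are an added illustration of the kind of reporting the tutorial covers; they are not material from the tutorial itself. They assume the table and column names of Snort's standard MySQL schema (event, signature, iphdr, tcphdr, with ip_src stored as an unsigned 32-bit integer and tcp_flags as the raw flag byte), and the 10.1.2.0/24 subnet is a constructed sample value.

```sql
-- Assumed: Snort's stock MySQL schema (create_mysql), where every packet
-- header row is keyed by the sensor id (sid) and event id (cid) of its alert.
-- TCP flag bits in tcp_flags: FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20.

-- 1. Alerts whose TCP flag byte is a combination no normal stack sends:
--    SYN+FIN (0x03), no flags at all (0x00), and FIN+PSH+URG (0x29).
--    Testing the whole byte with IN (not "flags & 0x03 = 0x03") keeps
--    ordinary SYN|ACK or FIN|ACK packets out of the result.
SELECT e.sid, e.cid, e.timestamp, s.sig_name,
       INET_NTOA(i.ip_src) AS src_ip, t.tcp_sport,
       INET_NTOA(i.ip_dst) AS dst_ip, t.tcp_dport,
       CONV(t.tcp_flags, 10, 16) AS flags_hex
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN iphdr     i ON i.sid = e.sid AND i.cid = e.cid
JOIN tcphdr    t ON t.sid = e.sid AND t.cid = e.cid
WHERE t.tcp_flags IN (0x03, 0x00, 0x29)
ORDER BY e.timestamp DESC;

-- 2. Alerts with a source inside a subnet (constructed sample: 10.1.2.0/24).
--    ip_src is an integer, so convert the range with INET_ATON rather than
--    comparing against dotted-quad strings.  BETWEEN on the two range ends
--    can use an index on ip_src; the equivalent mask test
--    "(i.ip_src & 0xFFFFFF00) = INET_ATON('10.1.2.0')" cannot.
SELECT INET_NTOA(i.ip_src) AS src_ip,
       s.sig_name,
       COUNT(*)            AS hits,
       MIN(e.timestamp)    AS first_seen,
       MAX(e.timestamp)    AS last_seen
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN iphdr     i ON i.sid = e.sid AND i.cid = e.cid
WHERE i.ip_src BETWEEN INET_ATON('10.1.2.0') AND INET_ATON('10.1.2.255')
GROUP BY i.ip_src, s.sig_name
ORDER BY hits DESC;
```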