192
Chapter 6     Using ACID and SnortSnarf with Snort
Navigation buttons are provided in this window that can be used to move to the next and previous alerts. Different colors are used to indicate the different headers of the packet, which makes the decoded packet very easy to understand visually.
6.3.4 Searching
One important feature of ACID is that it can be used to search the captured log and alert data based on parameters such as:
• A particular sensor, when you are using a central database to log data from many Snort sensors.
• Time of alert, using a start and an ending time. This is very useful if you want to look at alerts that occurred within a specific period of time.
• Source and destination addresses.
• Different fields in the IP packet header.
• Transport layer protocols.
• A string of data in the payload area of the IP packet.
If you look at the screen shot shown in Figure 6-7, you can see that searching for data in the database is very easy. All the criteria that you specify in this screen are translated to a SQL statement that is passed to the MySQL database server. Results of your query are displayed when you click the "Query DB" button.
For example, if you want to search all alerts for which the signature field contains the string "ATTACK RESPONSE", you can fill out the information as shown in Figure 6-8. The result of this search is shown in Figure 6-9, where all alerts containing this string are displayed. You can click a particular alert line to find out more information about that alert.
I would strongly recommend spending some time with the search methods of ACID to get acquainted with them.
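The translation of search criteria into a SQL statement described above is the security-relevant part of a console like ACID: every field on the search form is user input that ends up inside a query against the alert database. The following is an added example, not code from the book or from the ACID project. It models a small subset of the Snort database tables (event, signature, iphdr, data, sensor; the names follow Snort's create_mysql script as I recall it, and only the columns used here are included) in an in-memory SQLite database, fills it with constructed sample alerts, and builds the equivalent of the ACID search screen as one parameterised SELECT: sensor, time window, source and destination address, protocol, signature substring and payload substring. User values only ever travel as bind parameters, and LIKE wildcards typed into the substring fields are escaped so they match literally.

```python
import socket
import sqlite3
import struct

# Constructed, minimal subset of the Snort/ACID database schema. Assumption:
# the table and column names follow Snort's create_mysql script; only the
# columns this example needs are modelled.
SCHEMA = """
CREATE TABLE sensor    (sid INTEGER PRIMARY KEY, hostname TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER, ip_proto INTEGER);
CREATE TABLE data      (sid INTEGER, cid INTEGER, data_payload TEXT);
"""

def ip2int(dotted: str) -> int:
    """Snort stores IP addresses as unsigned 32-bit integers (network byte order)."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]

# Constructed sample alerts: two sensors, three signatures, four events.
SAMPLE_ROWS = {
    "sensor": [(1, "sensor-dmz"), (2, "sensor-lan")],
    "signature": [(1, "ATTACK-RESPONSES id check returned root"),
                  (2, "WEB-MISC outgoing HTTP request"),
                  (3, "ICMP PING")],
    "event": [(1, 1, 1, "2003-05-01 10:00:00"),
              (1, 2, 2, "2003-05-01 11:00:00"),
              (2, 1, 1, "2003-05-02 09:30:00"),
              (2, 2, 3, "2003-05-02 09:45:00")],
    "iphdr": [(1, 1, ip2int("10.0.0.5"), ip2int("192.168.1.10"), 6),
              (1, 2, ip2int("192.168.1.20"), ip2int("10.0.0.80"), 6),
              (2, 1, ip2int("10.0.0.5"), ip2int("192.168.1.30"), 6),
              (2, 2, ip2int("10.0.0.7"), ip2int("192.168.1.30"), 1)],
    "data": [(1, 1, "uid=0(root) gid=0(root)"),
             (1, 2, "GET /index.html HTTP/1.0"),
             (2, 1, "uid=0(root) gid=0(root)"),
             (2, 2, "")],
}

def open_sample_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():          # table names are fixed, not user input
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn

def _like(term: str) -> str:
    """Wrap a user substring for LIKE, escaping its own wildcard characters
    so that '%' and '_' typed into the form are matched literally."""
    esc = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return f"%{esc}%"

def build_query(sensor=None, start=None, end=None, src=None, dst=None,
                proto=None, sig_contains=None, payload_contains=None):
    """Translate ACID-style search criteria into one parameterised SELECT.
    The SQL text contains only fixed column names and operators; every value
    supplied by the user is passed as a bind parameter."""
    sql = ("SELECT e.sid, e.cid, e.timestamp, s.sig_name "
           "FROM event e "
           "JOIN signature s ON s.sig_id = e.signature "
           "JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid "
           "LEFT JOIN data d ON d.sid = e.sid AND d.cid = e.cid")
    where, params = [], []
    if sensor is not None:
        where.append("e.sid = ?"); params.append(sensor)
    if start is not None:
        where.append("e.timestamp >= ?"); params.append(start)
    if end is not None:
        where.append("e.timestamp <= ?"); params.append(end)
    if src is not None:
        where.append("i.ip_src = ?"); params.append(ip2int(src))
    if dst is not None:
        where.append("i.ip_dst = ?"); params.append(ip2int(dst))
    if proto is not None:
        where.append("i.ip_proto = ?"); params.append(proto)
    if sig_contains is not None:
        where.append("s.sig_name LIKE ? ESCAPE '\\'"); params.append(_like(sig_contains))
    if payload_contains is not None:
        where.append("d.data_payload LIKE ? ESCAPE '\\'"); params.append(_like(payload_contains))
    if where:
        sql += " WHERE " + " AND ".join(where)
    sql += " ORDER BY e.timestamp, e.sid, e.cid"
    return sql, params

def search(conn: sqlite3.Connection, **criteria):
    """Run one search; returns (sid, cid, timestamp, sig_name) rows."""
    sql, params = build_query(**criteria)
    return conn.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = open_sample_db()
    # The book's example: every alert whose signature contains a given string.
    for row in search(db, sig_contains="ATTACK-RESPONSES"):
        print(row)
```

The check worth keeping in mind when auditing a console like this is that a value such as `' OR '1'='1` entered in the signature field matches nothing, because it is compared as data rather than spliced into the statement; the same holds for a bare `%`, which the escaping turns into a literal percent sign instead of a match-everything wildcard.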
Snort can also be used to find fully qualified names for source and destination addresses found in captured data. Figure 6-10 shows unique destination IP addresses and hostnames. For the sake of this screen shot, and to create some data in the database, I had to use a rule that creates an alert for all outgoing HTTP requests. Of course it is not intrusion activity, but it does provide some data in the Snort database.