LinuxQuestions.org
Old 08-28-2008, 01:48 PM   #1
eentonig
populating SNORT/ACIDLAB/ACIDBASE database with ulogd


Does anybody here use ulogd in combination with ACIDBASE to log, monitor and report on dropped packets?

And how did you succeed in parsing your logged packets into the Snort database?

I tried logsnorter-2.0, but although it doesn't give any error messages, it doesn't log anything.



I have 'iptables logs' running with ulogd, which inserts records into a ulogd database. But I find the output of 'iptables logs' a bit limited and crippled. So I wanted to use ACIDBASE, which seems to be more developed. But it doesn't help me if I can't get the logging going.

Always willing to show the necessary configs if required.

Thanks,
 
Old 08-30-2008, 06:01 AM   #2
unSpawn
I don't understand. Maybe explain in detail what you mean by "limited and crippled" and what you expect or envision? I also don't understand how you intend to merge things. Snort logs packet data plus analysis data. So ACID, as an *analysis* engine, allows you to work on and interrogate Snort logs for characteristics they both "know". Iptables output does not share the same characteristics. So how would you "translate" or fill fields in a way ACID can work with? If your requirement is just to have a web interface, like BASE basically is, for querying a database, then shouldn't you be looking into existing solutions for that? I'm sure Freshmeat or Sourceforge should show some.
 
Old 08-31-2008, 04:28 AM   #3
eentonig
From the ACID website:

Quote:
ACID has the ability to analyze a wide variety of events which are post-processed into its database. Tools exist for the following formats:

* using Snort (www.snort.org)
  o Snort alerts
  o tcpdump binary logs
* using logsnorter (www.snort.org/downloads/logsnorter-0.2.tar.gz)
  o ipchains
  o iptables
  o ipfw

Which, as I understand it, means that ACID can be used to analyze firewall events. To do this, it uses logsnorter to feed iptables events into the ACID database.

My problem is that logsnorter doesn't put anything in the ACID database. And, if nothing is being put in the database, ACID has nothing to analyze. As such, its functionality is of no use.

I read on the Snort website that logsnorter is currently no longer maintained. So I wanted to find out if there are new/other alternatives to get my logging into the ACID database. For example: ulogd is working perfectly for me to register all firewall events in a MySQL database, so I wondered if I could use ulogd to populate the ACID database.

So basically:
- logsnorter isn't working for me. And currently I have no clue why not.
- I need a solution to get useful information into ACID.
- logsnorter is no longer maintained.

==> 1. Do I spend time on getting logsnorter to work? Where can I find info, troubleshooting assistance on it? Is it worth the effort, considering it's no longer maintained?
==> 2. Are there alternatives?
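
The translation the thread is asking about, as an added example that is not part of the original posts and not code from logsnorter, ulogd or ACID: it reads iptables LOG lines as syslog writes them (the input logsnorter consumed), decodes the IP/TCP/UDP/ICMP header fields they carry, and inserts each one as a Snort-style event (sensor, signature, event, iphdr plus the per-protocol header table), keyed by the log prefix as the "signature" so BASE can group dropped packets by rule. It uses sqlite3 instead of MySQL so it runs offline; the table and column names are a subset of Snort's create_mysql schema as recalled here, trimmed to the columns the script fills, so check them against the create_mysql script that ships with your Snort before pointing it at a live ACID database. The sample log lines are constructed, and the year is supplied by the caller because syslog timestamps carry none. Because ulogd's MySQL rows carry the same header fields, the insert half applies unchanged if you read from your ulogd table instead of from syslog.

```python
"""Added example: load iptables LOG lines from syslog into Snort-style tables
(sqlite3 stands in for MySQL; schema subset recalled from Snort's create_mysql)."""
import re
import socket
import sqlite3
import struct
from datetime import datetime

# Constructed sample syslog lines in iptables LOG format (not real traffic).
# The last line is a non-iptables entry and must be ignored by the loader.
SAMPLE_LOG = """\
Aug 28 13:48:01 fw kernel: DROP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 28 13:48:02 fw kernel: DROP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.9 DST=192.168.1.2 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=1 PROTO=UDP SPT=5353 DPT=53 LEN=58
Aug 28 13:48:03 fw kernel: DROP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=192.168.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug 28 13:48:04 fw sshd[123]: Accepted publickey for root from 10.0.0.1 port 5000 ssh2
"""

# Subset of Snort's create_mysql schema (names as recalled; verify locally).
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT, last_cid INTEGER);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER, ip_ver INTEGER, ip_hlen INTEGER, ip_tos INTEGER, ip_len INTEGER, ip_id INTEGER, ip_flags INTEGER, ip_off INTEGER, ip_ttl INTEGER, ip_proto INTEGER);
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER, tcp_flags INTEGER, tcp_win INTEGER, tcp_urp INTEGER);
CREATE TABLE udphdr (sid INTEGER, cid INTEGER, udp_sport INTEGER, udp_dport INTEGER, udp_len INTEGER);
CREATE TABLE icmphdr (sid INTEGER, cid INTEGER, icmp_type INTEGER, icmp_code INTEGER, icmp_id INTEGER, icmp_seq INTEGER);
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                     r"(?:\[\s*[\d.]+\] )?(?P<prefix>.*?)IN=(?P<rest>.*)$")
PROTO_NUM = {"ICMP": 1, "TCP": 6, "UDP": 17}
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
IP_FLAG_BITS = {"MF": 0x1, "DF": 0x2}  # 3-bit IP flags field as Snort stores it


def ip2int(addr):
    """Snort keeps IPv4 addresses as unsigned 32-bit integers."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def split_tokens(tokens):
    """KEY=VALUE tokens -> dict (first occurrence wins); bare tokens -> flag set."""
    kv, flags = {}, set()
    for tok in tokens:
        if "=" in tok:
            key, val = tok.split("=", 1)
            kv.setdefault(key, val)
        else:
            flags.add(tok)
    return kv, flags


def parse_line(line, year):
    """Return an event dict for an iptables LOG line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    tokens = ("IN=" + m.group("rest")).split()
    # Split at PROTO= so the second ID= (ICMP echo id) and second LEN= (UDP
    # length) are not mistaken for the IP header's ID= and LEN=.
    idx = next((i for i, t in enumerate(tokens) if t.startswith("PROTO=")), None)
    if idx is None:
        return None
    proto = tokens[idx].split("=", 1)[1]
    if proto not in PROTO_NUM:  # other protocols are printed numerically; skipped here
        return None
    ip, ipflags = split_tokens(tokens[:idx])
    l4, l4flags = split_tokens(tokens[idx + 1:])
    ts = datetime.strptime(f"{year} {' '.join(m.group('ts').split())}", "%Y %b %d %H:%M:%S")
    iphdr = (ip2int(ip["SRC"]), ip2int(ip["DST"]), 4,
             5,  # LOG does not print the IHL; a 20-byte header is assumed
             int(ip.get("TOS", "0"), 16), int(ip["LEN"]), int(ip.get("ID", 0)),
             sum(b for f, b in IP_FLAG_BITS.items() if f in ipflags),
             int(ip.get("FRAG", 0)), int(ip["TTL"]), PROTO_NUM[proto])
    if proto == "TCP":  # SEQ/ACK only appear with --log-tcp-sequence, so they are not stored
        l4hdr = ("tcphdr", (int(l4["SPT"]), int(l4["DPT"]),
                            sum(b for f, b in TCP_FLAG_BITS.items() if f in l4flags),
                            int(l4.get("WINDOW", 0)), int(l4.get("URGP", 0))))
    elif proto == "UDP":
        l4hdr = ("udphdr", (int(l4["SPT"]), int(l4["DPT"]), int(l4.get("LEN", 0))))
    else:
        l4hdr = ("icmphdr", (int(l4["TYPE"]), int(l4["CODE"]),
                             int(l4.get("ID", 0)), int(l4.get("SEQ", 0))))
    return {"timestamp": ts.strftime("%Y-%m-%d %H:%M:%S"), "host": m.group("host"),
            "iface": ip.get("IN") or ip.get("OUT") or "",
            "sig_name": m.group("prefix").strip().rstrip(":") or "iptables",
            "iphdr": iphdr, "l4hdr": l4hdr}


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def load_iptables_log(conn, lines, year):
    """Insert every parseable line as one Snort event; return the number loaded."""
    cur, loaded = conn.cursor(), 0
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        # One sensor row per (host, interface); one signature per LOG prefix.
        row = cur.execute("SELECT sid FROM sensor WHERE hostname=? AND interface=?",
                          (ev["host"], ev["iface"])).fetchone()
        sid = row[0] if row else cur.execute(
            "INSERT INTO sensor (hostname, interface, last_cid) VALUES (?, ?, 0)",
            (ev["host"], ev["iface"])).lastrowid
        row = cur.execute("SELECT sig_id FROM signature WHERE sig_name=?", (ev["sig_name"],)).fetchone()
        sig_id = row[0] if row else cur.execute(
            "INSERT INTO signature (sig_name, sig_priority) VALUES (?, 2)", (ev["sig_name"],)).lastrowid
        # cid is a per-sensor counter; Snort tracks it in sensor.last_cid.
        cur.execute("UPDATE sensor SET last_cid = last_cid + 1 WHERE sid=?", (sid,))
        cid = cur.execute("SELECT last_cid FROM sensor WHERE sid=?", (sid,)).fetchone()[0]
        cur.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig_id, ev["timestamp"]))
        cur.execute("INSERT INTO iphdr VALUES (?, ?" + ", ?" * 11 + ")", (sid, cid) + ev["iphdr"])
        table, vals = ev["l4hdr"]
        cur.execute(f"INSERT INTO {table} VALUES (?, ?" + ", ?" * len(vals) + ")", (sid, cid) + vals)
        loaded += 1
    conn.commit()
    return loaded


if __name__ == "__main__":
    db = open_db()
    print(load_iptables_log(db, SAMPLE_LOG.splitlines(), year=2008), "events loaded")
```

Feed it `/var/log/messages` (or whatever syslog file your LOG rules land in) and the year those lines were written, then point BASE at the resulting database; events that logsnorter silently dropped will show up here as either a loaded row or a `None` from `parse_line`, which is the first thing to check when nothing reaches the database.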
 
Old 08-31-2008, 05:26 AM   #4
unSpawn
Ah, OK. Maybe check http://sourceforge.net/mailarchive/f...me=snort-users or post to snort-users@lists.sourceforge.net ?