Hi Roman,
I'm restarting work on the Snort Adapter (should really be called the ACID adapter I guess) -
https://sourceforge.net/projects/snortadapter/
I'm working on inserting FW-1 events into the ACID db...
The log looks something like...
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;rule;icmp-type;icmp-code;service;s_port;len;reason:;xlatesrc;xlatedst;xlatesport;xlatedport;IKE Log:;sys_msgs
0;6Sep2001;15:50:40;202.95.73.204;control;ctl;;eth-s1p2c0;inbound;;;;;;;;;;;;;;;;installed Standard
1;6Sep2001;16:21:39;202.95.73.204;control;ctl;;daemon;inbound;;;;;;;;;;;;;;;;started sending log to localhost
2;6Sep2001;16:21:35;202.95.73.204;control;ctl;;eth-s1p2c0;inbound;;;;;;;;;;;;;;;;installed Standard
3;6Sep2001;16:21:36;202.95.73.204;log;accept;;eth-s1p4c0;inbound;icmp;192.168.0.2;202.95.73.204;1;8;0;;;;;;;;;;
4;6Sep2001;16:21:36;202.95.73.204;log;accept;;eth-s1p4c0;inbound;vrrp;202.95.73.205;224.0.0.18;1;;;21761;8458;40;;;;;;;
5;6Sep2001;16:21:39;202.95.73.204;control;ctl;;eth-s1p2c0;inbound;;;;;;;;;;;;;;;;new interface configuration
As you can see all the info is generally there to insert events in, but I'm really stuck as to how to
get them in so that ACID will display them (a quick run over a sample file makes ACID show stats for
how many tcp/udp/icmp packets there are, but won't show the events).
Also you can see there are events that are useful, but are not NIDS events (the control events)...
Any suggestions as to inserting these non-NIDS events and getting them displayed? The current
snort adapter available is out of date (it uses the old db schema) but you'll see how I'm inserting
events (search for "sub insert_event" if you want to look).
Thanks,
Bret
logproc-0.1.pl - the current version
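A parser for the FW-1 export format quoted in the mail, added here as an illustration; it is not code from snortadapter or from logproc-0.1.pl. The field names come straight from the export's own header line. The protocol-number table (icmp=1, tcp=6, udp=17, vrrp=112 are the IANA assignments), the output field names and the traffic/control split are my own choices, and the embedded sample is the mail's six records with the wrapped lines rejoined. It shows the distinction the mail raises: the "log" records carry a protocol and addresses, while the "control" records carry only a system message.

```python
"""Parse the Check Point FW-1 semicolon-separated log export and split it
into traffic events (records with proto/src/dst) and control messages
(firewall management records with those fields empty).

Added example, not code from the snortadapter project.  Field names come
from the export's header line; the protocol-number table and the output
field names are assumptions made for this illustration.
"""
import csv
from datetime import datetime
from io import StringIO

# Constructed sample: the records from the mail, with the lines that the
# mail client wrapped rejoined into single records.
SAMPLE_LOG = """\
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;rule;icmp-type;icmp-code;service;s_port;len;reason:;xlatesrc;xlatedst;xlatesport;xlatedport;IKE Log:;sys_msgs
0;6Sep2001;15:50:40;202.95.73.204;control;ctl;;eth-s1p2c0;inbound;;;;;;;;;;;;;;;;installed Standard
1;6Sep2001;16:21:39;202.95.73.204;control;ctl;;daemon;inbound;;;;;;;;;;;;;;;;started sending log to localhost
2;6Sep2001;16:21:35;202.95.73.204;control;ctl;;eth-s1p2c0;inbound;;;;;;;;;;;;;;;;installed Standard
3;6Sep2001;16:21:36;202.95.73.204;log;accept;;eth-s1p4c0;inbound;icmp;192.168.0.2;202.95.73.204;1;8;0;;;;;;;;;;
4;6Sep2001;16:21:36;202.95.73.204;log;accept;;eth-s1p4c0;inbound;vrrp;202.95.73.205;224.0.0.18;1;;;21761;8458;40;;;;;;;
5;6Sep2001;16:21:39;202.95.73.204;control;ctl;;eth-s1p2c0;inbound;;;;;;;;;;;;;;;;new interface configuration
"""

# IANA protocol numbers for the names seen in the export (hand-written
# subset; unknown names map to None below so the caller can decide).
IP_PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "vrrp": 112}


def parse_fw1_log(text):
    """Return one dict per record, keyed by the header's field names.
    Short rows are padded so every record has every key."""
    reader = csv.reader(StringIO(text), delimiter=";")
    header = next(reader)
    records = []
    for row in reader:
        if not row:  # skip blank lines
            continue
        row = row + [""] * (len(header) - len(row))
        records.append(dict(zip(header, row)))
    return records


def event_timestamp(rec):
    """FW-1 writes date and time as separate fields ('6Sep2001', '15:50:40')."""
    return datetime.strptime(rec["date"] + " " + rec["time"], "%d%b%Y %H:%M:%S")


def is_traffic_event(rec):
    """Only 'log' records describe a packet; 'control' records leave the
    proto/src/dst columns empty."""
    return rec["type"] == "log" and rec["proto"] != "" and rec["src"] != ""


def normalize_traffic_event(rec):
    """Reduce a traffic record to what an IP-keyed event store needs:
    timestamp, endpoints, numeric protocol and the ICMP or port fields."""
    ev = {
        "timestamp": event_timestamp(rec),
        "ip_src": rec["src"],
        "ip_dst": rec["dst"],
        "ip_proto": IP_PROTO.get(rec["proto"]),
        "action": rec["action"],
        "rule": rec["rule"],
    }
    if rec["proto"] == "icmp":
        ev["icmp_type"] = int(rec["icmp-type"])
        ev["icmp_code"] = int(rec["icmp-code"])
    elif rec["proto"] in ("tcp", "udp"):
        ev["dst_port"] = int(rec["service"])  # FW-1 'service' is the destination port
        ev["src_port"] = int(rec["s_port"])
    return ev


def split_events(records):
    """Return (traffic_events, control_messages) for a parsed export."""
    traffic = [normalize_traffic_event(r) for r in records if is_traffic_event(r)]
    control = [
        {"timestamp": event_timestamp(r), "origin": r["orig"],
         "interface": r["i/f_name"], "message": r["sys_msgs"]}
        for r in records if not is_traffic_event(r)
    ]
    return traffic, control


if __name__ == "__main__":
    traffic, control = split_events(parse_fw1_log(SAMPLE_LOG))
    for ev in traffic:
        print("traffic", ev)
    for msg in control:
        print("control", msg)
```

On the sample, four of the six records come out as control messages with no protocol, source or destination at all, and only the two "log" records yield something with endpoints and a protocol number. That is the split the mail points at: whatever the control records are inserted as, they cannot be keyed on an IP header the way the accept/drop records can.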