Snort mailing list archives

event correlation/aggregation;extrusion detection


From: Jochen Kaiser <Jochen.Kaiser () rrze uni-erlangen de>
Date: Mon, 4 Apr 2005 13:13:13 +0200

Hi,

I am trying to use snort for extrusion detection for a large
class B network. As you can imagine, I get tons (i.e. hundreds
of thousands) of events - already specialized on bleeding-edge
snort rules on malicious activity. Logging this in a database
using the well-known snort/acid scheme doesn't make sense.

Has any of you implemented an alternative snort database
plugin? It would be nice to hear your thoughts before I
develop my own based on my personal needs for extrusion
detection.

Another one: are there guidelines for handling millions
of events with snort? Any experience? 

Are there any notable 'snort event correlation/aggregation' 
papers?

greetings and regards,
jk
-- 
Dipl. Inf. Jochen Kaiser, GPG 0x3C93A870, phone +49 9131 85-28681
Network Administration  mailto:jochen.kaiser () rrze uni-erlangen de
Regionales Rechenzentrum Universitaet Erlangen-Nuernberg, Germany
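Added example, not from the poster or the Snort project: one way to cut hundreds of thousands of per-packet alerts down to a handful of rows for extrusion detection, by collapsing Snort "alert_fast" lines into one row per (sid, internal source host). The fast-alert layout, the 10.1.0.0/16 stand-in for the monitored class B, the local-range sids and the sample lines are all assumptions or constructed data.

```python
import re
import ipaddress

# Snort 2.x "alert_fast" line (assumed to be what the sensors emit):
# mm/dd-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [...] {proto} src[:p] -> dst[:p]
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
# Stand-in for the monitored class B; the post does not name the real one.
INTERNAL = ipaddress.ip_network("10.1.0.0/16")

def parse_fast(line):
    """Alert fields as a dict, or None if the line is not a fast alert."""
    m = FAST_RE.match(line)
    return m.groupdict() if m else None

def aggregate_extrusion(lines, internal=INTERNAL):
    """One row per (sid, internal source host) instead of one per packet;
    inbound alerts are dropped because extrusion asks what local hosts do."""
    rows = {}
    for line in lines:
        a = parse_fast(line)
        if a is None or ipaddress.ip_address(a["src"]) not in internal:
            continue  # unparsable line, or traffic sourced outside the net
        row = rows.setdefault((int(a["sid"]), a["src"]), {
            "msg": a["msg"], "count": 0, "first": a["ts"], "last": a["ts"],
            "dsts": set(), "dports": set()})
        row["count"] += 1  # fast timestamps sort lexically within one year
        row["first"], row["last"] = min(row["first"], a["ts"]), max(row["last"], a["ts"])
        row["dsts"].add(a["dst"])
        if a["dport"]:
            row["dports"].add(int(a["dport"]))
    return rows

def summary(rows):
    """(count, sid, src, distinct destinations, msg) tuples, busiest first."""
    return sorted(((r["count"], sid, src, len(r["dsts"]), r["msg"])
                   for (sid, src), r in rows.items()), reverse=True)

# Constructed sample (not real sensor output): local-range sids, RFC 1918 and
# documentation addresses, one inbound alert and one junk line to be skipped.
SAMPLE = """\
04/04-13:13:13.000001  [**] [1:1000001:1] LOCAL outbound IRC bot check-in [**] [Priority: 1] {TCP} 10.1.2.3:3456 -> 192.0.2.10:6667
04/04-13:15:00.000002  [**] [1:1000001:1] LOCAL outbound IRC bot check-in [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.3:3457 -> 192.0.2.11:6667
04/04-13:16:01.000003  [**] [1:1000002:2] LOCAL outbound SMTP from workstation [**] [Priority: 2] {TCP} 10.1.9.9:40001 -> 192.0.2.20:25
04/04-13:16:02.000004  [**] [1:1000003:1] LOCAL inbound SMB probe [**] [Priority: 3] {TCP} 192.0.2.7:55555 -> 10.1.2.3:445
not an alert line
""".splitlines()
```

Run `summary(aggregate_extrusion(SAMPLE))` to get the busiest local hosts per signature; the same shape (count, first/last seen, distinct peers) is what a per-host aggregation table in a custom output plugin would store instead of raw packets.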



