Snort mailing list archives
Re: Snort XML Output
From: Joe McAlerney <joey () SiliconDefense com>
Date: Tue, 05 Jun 2001 10:22:05 -0700
Hello Jason, "Jason M. Frey" wrote:
Trying to determine the best management methods for logs and alerts. Can anyone offer some advice on the following methods/tools? XML Output?
Very customizable. You can take advantage of a number of XML-enabled tools out there. Alerts can be transported over a secure connection. There is more information in the README.xml file.
ACID?
Real time viewing of events. PHP front end to a database. Alert management. Detailed searching options. Graphing of alert groups (one of my favorites). Support for multiple Snort sensors. Quick links to a breakdown by protocol, alert, address, time. See the following link for more information: http://www.cert.org/kb/acid/
SnortSnarf?
Parses Snort alert files into HTML pages. Multiple sorting options. Displays the original rule that triggered the alert. This is helpful in determining whether or not an alert is a false positive. Annotations support. SPADE anomaly detection section. Incident storage and response.
logs - tcpdump vs. full
tcpdump - Greatly reduces the chance of packets being dropped. Can be re-read into Snort and output again in another format (XML, Database, Full alert, etc.).
full - The files are instantly produced in a format that is parseable by SnortSnarf, or other log file parsers. This format is often nice to archive using tar with compression.
My 2 cents,
-Joe M.
--
| Joe McAlerney joey () silicondefense com |
| Silicon Defense - Technical Support for Snort |
| http://www.silicondefense.com/ |
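Joe's point that the full alert format is easy for SnortSnarf or other log file parsers to consume, shown with an added example that is not part of this thread or of Snort/SnortSnarf: a small Python parser over a constructed alert file in Snort's full alert layout (the record layout and signature names in the sample are assumptions), summarizing by signature and by source address the way SnortSnarf's sorted views do.

```python
import re
from collections import Counter
# Constructed sample in Snort's "full" alert layout; the [gid:sid:rev] tag is optional.
SAMPLE_ALERT_LOG = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/05-10:22:05.123456 192.0.2.10 -> 198.51.100.5
ICMP TTL:48 TOS:0x0 ID:1 IpLen:20 DgmLen:28

[**] [1:1122:1] WEB-MISC /etc/passwd [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/05-10:23:41.000001 192.0.2.77:3452 -> 198.51.100.5:80
TCP TTL:115 TOS:0x0 ID:4343 IpLen:20 DgmLen:112 DF

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/05-10:24:00.500000 192.0.2.10 -> 198.51.100.6
ICMP TTL:48 TOS:0x0 ID:2 IpLen:20 DgmLen:28
"""

HEADER_RE = re.compile(r"^\[\*\*\] (?:\[(\d+):(\d+):(\d+)\] )?(.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
ADDR_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
                     r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))? -> "
                     r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$")

def parse_full_alerts(text):
    """One dict per alert record; records are blank-line separated."""
    alerts = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue  # not an alert header: skip rather than guess
        _gid, sid, _rev, msg = head.groups()
        alert = {"sid": int(sid) if sid else None, "msg": msg}
        for line in lines[1:]:
            cls, addr = CLASS_RE.match(line), ADDR_RE.match(line)
            if cls:
                alert["classification"], alert["priority"] = cls.group(1), int(cls.group(2))
            elif addr:  # ports are absent for ICMP, present for TCP/UDP
                ts, src, sport, dst, dport = addr.groups()
                alert.update(timestamp=ts, src=src, dst=dst,
                             sport=int(sport) if sport else None,
                             dport=int(dport) if dport else None)
        alerts.append(alert)
    return alerts

def summarize(alerts):
    """Counts per signature and per source, like SnortSnarf's sorted views."""
    return Counter(a["msg"] for a in alerts), Counter(a["src"] for a in alerts)
```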