Snort mailing list archives

Re: Snort Snarf


From: James Hoagland <hoagland () SiliconDefense com>
Date: Thu, 21 Feb 2002 17:26:10 -0800

At 2:52 PM -0800 2/21/02, Scott Taylor wrote:
If that's true....then it could be hours before
you know you've been hacked on?

SnortSnarf is not currently designed for real-time monitoring. (With some amount of work it could be made so.)

If you are concerned about immediate notification of attacks, you might set up logwatch or similar to send you e-mail or page you about some high priority event. Then use SnortSnarf every day or every couple hours or whatever to look over all your alerts.

It all depends on what your needs are. For example, are you going to have someone looking at the alerts 24/7?

In the interest of fairness, I will also mention ACID and PureSecure, which are designed for real-time monitoring.

Or if you rotate the files will
you lose info? Does snortsnarf when run just
add the info to the already existing files in
the html area or does it replace them
completely, so everything not in the logs at
the time it's run will not be shown on the
updated page?

Each run of SnortSnarf is independent. The destination directory is not inspected until the output phase at which point it is cleared.

Best regards,

  Jim

--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
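The split Jim describes above (immediate notification for high-priority events, SnortSnarf for periodic review of everything) as an added Python sketch; this is not code from the thread, from SnortSnarf or from logwatch. It assumes Snort's one-line "fast" alert format and uses constructed sample alerts with SIDs in the local-rule range.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed layout of Snort's "fast" alert output (-A fast), one alert per line.
# Classification and Priority are optional: rules without a classtype omit them.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

@dataclass
class Alert:
    ts: str
    sid: str
    msg: str
    priority: Optional[int]   # None when the rule carried no Priority tag
    src: str
    dst: str

def parse_fast_alert(line):
    """Parse one fast-format alert line; return None for anything else."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    prio = m.group("prio")
    return Alert(m.group("ts"), m.group("sid"), m.group("msg"),
                 int(prio) if prio is not None else None,
                 m.group("src"), m.group("dst"))

def urgent_alerts(lines, max_priority=1):
    """Alerts worth paging on: priority <= max_priority (1 is most severe).
    Alerts with no Priority tag are kept deliberately, so an unclassified
    local rule is not silently dropped from the notification path."""
    out = []
    for line in lines:
        a = parse_fast_alert(line)
        if a is not None and (a.priority is None or a.priority <= max_priority):
            out.append(a)
    return out

# Constructed sample alerts (RFC 5737 addresses, local-range SIDs), not real traffic.
SAMPLE_ALERTS = [
    "02/21-14:52:10.123456  [**] [1:1000001:1] LOCAL admin login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:40321 -> 192.0.2.20:22",
    "02/21-14:53:01.000001  [**] [1:1000002:1] LOCAL mdns chatter [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.11:5353 -> 192.0.2.255:5353",
    "02/21-14:54:00.000000  [**] [1:1000003:1] LOCAL rule without classtype [**] {ICMP} 192.0.2.12 -> 192.0.2.20",
    "this line is not an alert and is skipped",
]

if __name__ == "__main__":
    for a in urgent_alerts(SAMPLE_ALERTS):
        print(f"{a.ts} sid={a.sid} prio={a.priority} {a.src} -> {a.dst}: {a.msg}")
```

Only the urgent subset goes to e-mail or a pager; the full alert file, including rotated copies, is what you hand to SnortSnarf later, since each SnortSnarf run shows only what is in the files you give it.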
