Snort mailing list archives
Re: Future features???
From: counter.spy () gmx de
Date: Sun, 12 May 2002 11:32:51 +0200 (MEST)
Paul, I am not sure about this, but I think from the name they gave this tool (analysis console for intrusion databases) it's rather for forensic analysis than for alerting purposes. I doubt that realtime alerts will be added to this tool (but who knows...). However, ACID is not very far from being a realtime alerting tool anyway, because the page refreshes every few seconds and shows you if there are new alerts in the alert cache.

Okay, maybe this is not exactly what you are looking for, but I've found that the realtime alerting tool of another IDS that I have tested, which was really designed to be a realtime alerting tool, is not as useful as it could be, i.e. during periods of high activity the event tree is refreshing all the time so you are not able any more to select and drill down properly - the events "slip away" under the mouse cursor. In the realtime windows the events are floating by with such speed that spying out a certain event and clicking on it is rather difficult. Would you like to stare at such a window all day long? Thus I am preferring ACID over this tool _that_shall_not_be_named_ ;-) But I agree that we probably all have need for a really good realtime alerting tool as an addition to ACID.

A hint for all developers or potential developers of such tools, free or commercial (hi Marty, wink, wink, aren't you working on such a tool for your commercial snort appliances? ;-) ): It would be great if you would include a feature that allows one to "freeze" the realtime output in order to be able to view or select certain events even during high activity periods (without stopping collection of events in the background). Aggregation of events of the same kind under one single event would be useful, too. Instead of letting all events float over the screen you should only increment a counter, e.g. for portscans, and then show a table or matrix of events which maps events to src and dst addresses and ports. Just my 0.0001 cents.
Paul.Fiero () ci austin tx us writes:
I was curious to know if anyone had heard anything about potential for real time alerts being available in future versions of ACID. I am in dire need of the facility and would love to see this feature added.
Greetings, Detmar

--
GMX - The communication platform on the Internet. http://www.gmx.net
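The two features Detmar asks for above, a "freeze" of the on-screen view that does not stop collection in the background, and aggregation of same-kind events into counters keyed by signature, source and destination, are small enough to sketch. The following is an added example and not code from ACID, Snort or anyone in this thread; it parses Snort "fast" alert lines (the field layout is assumed from that format, and the sample lines, signature names and RFC 5737 addresses are constructed for the example) into a counter table, and shows a frozen snapshot while live counting continues.

```python
"""Aggregate Snort fast-format alert lines into a per-signature/src/dst/port
counter table, with a freezable on-screen view.  Added example; the alert
lines below are constructed, not captured from a real sensor."""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed layout of a Snort "fast" alert line.  The :port suffix is optional
# because ICMP alerts carry no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample input: a repeated ping, a burst of portscan events,
# one web alert and one line that is not an alert at all.
SAMPLE_ALERTS = [
    "05/12-11:32:51.000001  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5",
    "05/12-11:32:51.000002  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5",
    "05/12-11:32:52.000003  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {TCP} 192.0.2.10 -> 198.51.100.5",
    "05/12-11:32:52.000004  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {TCP} 192.0.2.10 -> 198.51.100.5",
    "05/12-11:32:52.000005  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {TCP} 192.0.2.10 -> 198.51.100.5",
    "05/12-11:32:53.000006  [**] [1:1201:7] WEB-MISC 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.5:80 -> 192.0.2.10:51234",
    "May 12 11:32:54 sensor snort[123]: not an alert line",
]


@dataclass(frozen=True)
class AlertKey:
    """Aggregation key: events sharing a key collapse into one counter row."""
    msg: str
    src: str
    dst: str
    dport: str  # "-" when the protocol has no ports


def parse_alert(line):
    """Return the AlertKey for one fast-format line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    return AlertKey(m["msg"], m["src"], m["dst"], m["dport"] or "-")


class AlertAggregator:
    """Counts alerts per key.  freeze() pins what view() returns while
    ingest() keeps updating the live counters in the background."""

    def __init__(self):
        self._live = Counter()
        self._frozen = None  # snapshot returned by view() while frozen
        self.unparsed = 0    # lines that did not match ALERT_RE

    def ingest(self, line):
        key = parse_alert(line)
        if key is None:
            self.unparsed += 1
            return False
        self._live[key] += 1
        return True

    def freeze(self):
        self._frozen = Counter(self._live)  # a copy, so live counts keep moving

    def unfreeze(self):
        self._frozen = None

    def is_frozen(self):
        return self._frozen is not None

    def view(self):
        """Rows of (key, count), busiest first, from the snapshot if frozen."""
        src = self._frozen if self._frozen is not None else self._live
        return sorted(src.items(),
                      key=lambda kv: (-kv[1], kv[0].msg, kv[0].src, kv[0].dst))


def render(rows):
    """Format view() rows as a fixed-width count matrix (signature x src -> dst:port)."""
    header = f"{'count':>5}  {'signature':<28} {'source':<16} {'destination':<22}"
    out = [header, "-" * len(header)]
    for key, n in rows:
        out.append(f"{n:>5}  {key.msg:<28} {key.src:<16} {key.dst + ':' + key.dport:<22}")
    return "\n".join(out)


if __name__ == "__main__":
    agg = AlertAggregator()
    for line in SAMPLE_ALERTS:
        agg.ingest(line)
    print(render(agg.view()))
    print(f"unparsed lines: {agg.unparsed}")
```

The aggregation key deliberately drops the timestamp and the source port, so a scanner's hundreds of events fold into one row with a rising count instead of scrolling past; unparsed lines are counted rather than silently discarded, since a parser that quietly eats input is a blind spot in a console meant for alerting.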