Snort mailing list archives
RE: How do you deal with large 'alert' files?
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Thu, 26 Sep 2002 18:43:46 -0400
What I do is use the "split" utility to break the alert file up into, say, 70 mb pieces, then run a report against each. Yes it's an ugly manual process, but it doesn't happen to me that much where the alert files get that huge. The threshold option sounds great! Can't wait to try it. By the way, not sure if you've ever tried snort_stat.pl, but it BLOWS away Snortsnarf when it comes to thorough, friendly reports.

-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: Thursday, September 26, 2002 3:09 PM
To: Vieth, Scott; 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] How do you deal with large 'alert' files?

On 9/26/02 11:38 AM, "Vieth, Scott" <svieth () mail mcw edu> wrote:
Hi: We've had some problems with Denial of Service attacks lately. The machines running the attack are on our inside network and they're attacking sites on the Internet. The Snort signature "DDOS shaft synflood" triggers like mad when the DOS is running. This makes my alert file get very large, very quickly. I'm happy that Snort sees the traffic and SnortSnarf generates a cool html report to show us which system on our network is doing the attacking. But sometimes the alert file gets so big (I roll my alert file every day at midnight) that SnortSnarf can't process it. How do Snort users deal with this?
If you switch to 1.9 (which should be out tomorrow or so) you can use the threshold code and add a threshold so that you're only notified every 100 events or so. Thresholds work like this:

threshold: <count>,<time>,<hash>

<count> = number of events
<time> = number of seconds
<hash> = data to hash on, valid values of <hash> are "event", "ip" and "port"

"port" hashes using the sid, source IP, dest IP and dest port. "Ip" hashes using the sid, source IP and dest IP. "Event" hashes using the sid and source IP. What this means practically is that specifying "event" will gather all events with that sid and source IP into the threshold tracker, "ip" gathers all events with the same sid, src IP and dst IP, and "port" gathers all events with the same sid, src IP, dst IP and dest port. Add this to the rule and I think it'll do what you want.

threshold: 100, 10, event;
If I routed the output of Snort into a database and then used ACID to run reports, would that solve this problem? Thanks in advance for any help,

-Scott Vieth

p.s. We've already patched the systems that were hacked so any ne'er-do-wells who read the Snort list and think that they should start probing our address range will be wasting their time. :^)
-Marty

--
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
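Marty's description of the 1.9 threshold option, modelled in Python as an added example (not Snort's own code): the tracker groups alerts on the fields each <hash> value names and reports once per <count> events that land inside a <time>-second window, so a synflood burst like Scott's collapses to a handful of reports. The helper names, the sample flood events and the SID value are constructed here, and the exact window-reset behaviour is my assumption rather than something the thread spells out.

```python
# Which alert fields each <hash> value groups on, as Marty lists them.
HASH_FIELDS = {
    "event": ("sid", "src"),
    "ip": ("sid", "src", "dst"),
    "port": ("sid", "src", "dst", "dport"),
}


class ThresholdTracker:
    """Model of 'threshold: <count>,<time>,<hash>': report once per <count>
    events sharing the hash key inside a <time>-second window. Assumed (not
    stated in the thread): the window opens on the first tracked event, is
    discarded once expired, and is reset whenever a report is emitted."""

    def __init__(self, count, seconds, hash_on):
        if hash_on not in HASH_FIELDS:
            raise ValueError("hash must be one of event, ip, port")
        self.count, self.seconds = count, seconds
        self.fields = HASH_FIELDS[hash_on]
        self.state = {}  # hash key -> (window_start, events seen in window)

    def should_report(self, alert):
        """Return True when this alert is the <count>th in its window."""
        key = tuple(alert[f] for f in self.fields)
        ts = alert["ts"]
        start, seen = self.state.get(key, (ts, 0))
        if ts - start >= self.seconds:  # window expired: start a fresh one
            start, seen = ts, 0
        seen += 1
        if seen >= self.count:
            self.state[key] = (ts, 0)  # reported: reset the window
            return True
        self.state[key] = (start, seen)
        return False


def apply_threshold(alerts, count, seconds, hash_on):
    """Reduce a time-ordered alert stream to the thresholded reports."""
    tracker = ThresholdTracker(count, seconds, hash_on)
    return [a for a in alerts if tracker.should_report(a)]


def synflood_sample(n, src="10.0.0.5", dst="203.0.113.9", rate=50):
    """Constructed flood: n hits of one rule at `rate` per second.
    SID 1000001 is a made-up local rule id, not the real synflood signature."""
    return [{"ts": i / rate, "sid": 1000001, "src": src, "dst": dst, "dport": 80}
            for i in range(n)]
```

With `threshold: 100, 10, event` a 1000-hit flood from one inside host becomes ten reports, while a slow trickle that never reaches 100 hits in any 10-second window produces none.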
Current thread:
- How do you deal with large 'alert' files? Vieth, Scott (Sep 26)
- Re: How do you deal with large 'alert' files? Martin Roesch (Sep 26)
- <Possible follow-ups>
- RE: How do you deal with large 'alert' files? Sheahan, Paul (PCLN-NW) (Sep 26)