Snort mailing list archives
Re: Snortsam patch for 2.9.3.1
From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 19 Nov 2012 17:01:33 -0500
On 11/19/2012 16:38, Jeremy Hoel wrote:
> And the answer to your question is yes. You can still leave the snort.conf output to write to the text alert files and also add the unified2 file and let barnyard2 work on that and migrate over to a new front end over time.
that's what i was thinking/hoping... i also just want to clarify the files i'm speaking of...

1. there is only one alert file that is ascii text... this file builds over time until some external process removes it...

2. the snort.log.xxxxxxxxxx files are pcap files where snort has saved the packet(s) that make up an alert... there's one file used for each run of snort... if you run snort 4 times in a period, there will be 4 of these files...

3. there are /no/ output plugins defined in the snort.conf... the above mentioned output files are defaults that snort uses automatically unless they are overridden (i guess)...
On Nov 19, 2012 9:53 AM, "waldo kitty" <wkitty42 () windstream net> wrote:
> On 11/19/2012 12:34, Joel Esler wrote:
>> All output methods are available there. Leaving Snort to do its job as an IDS.
>
> i love bikinis! they're short and to the point ;) OB-) [/DOM]
>
> but seriously... other than analysis of the alert file and possibly looking at the packets saved in the snort.log.xxxxxxxxxx files, what benefits are there for these small systems? you still need some kind of "front end" right?
>
> can barnyard2 be added without losing or changing what is already available in the existing alert and snort.log.xxxxxxxxxx files? hopefully the answer is "yes" so that existing practice can still be used while BY2 is being incorporated and learned (based on the real benefits it may offer)...
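An added configuration example (not from this thread or the Snort project) of the arrangement Jeremy describes: snort.conf keeps writing the text alert file and the snort.log pcap files while also spooling unified2, and barnyard2 reads that spool for the new front end. File paths, the sensor name, the database values and the exact text alert format are assumptions.

```conf
# --- /etc/snort/snort.conf, output section (added example; paths assumed) ---
# Explicit equivalents of the two default outputs the thread describes:
# the single ascii alert file and the snort.log.<timestamp> pcap files
# (assumption: alert_fast is the text format in use on these sensors).
output alert_fast: alert
output log_tcpdump: snort.log

# Added alongside them, not instead of them: a unified2 spool for barnyard2.
# "limit 128" rolls the spool at 128 MB; Snort appends a timestamp to the name.
output unified2: filename snort.u2, limit 128

# --- /etc/snort/barnyard2.conf (added example; paths and DB values assumed) ---
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
config hostname:  sensor1
config interface: eth0
# Bookmark file so a restart resumes after the last processed event
# instead of replaying the whole spool into the database.
config waldo_file: /var/log/snort/barnyard2.waldo

input unified2

# Optional second text alert stream written by barnyard2, so it can be
# compared against Snort's own alert file while BY2 is being evaluated.
output alert_fast: /var/log/snort/by2_alert
# Feed for the database-backed front end (placeholder credentials).
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=127.0.0.1

# Start barnyard2 against the spool directory (example invocation):
#   barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort \
#             -f snort.u2 -w /var/log/snort/barnyard2.waldo -D
```

Because the text and pcap outputs are untouched, whatever currently consumes the alert file keeps working; the unified2 spool is an additional copy of the same events.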