Snort mailing list archives

RE: RE: arachNIDS, CVE, bugtraq


From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Wed, 20 Nov 2002 13:05:21 -0500

IDScenter does not use plugins.  Instead, it actively monitors the Snort
alert log file (i.e., alert.ids) looking for changes.  When Snort updates
the alert.ids file, IDScenter notes the change and generates an e-mail
notification message, attaching the last 'n' lines of the alert.ids file to
the message.

Since I do not have any installed database to support Snort (e.g., MySQL), I
use the "-G url" option so that I can quickly click on the hyperlink that
appears in the IDScenter e-mail message.  Without the "-G url" option, the
text in the alert.ids required more "thought" on my part to obtain the alert
reference details.  

*SUPPOSEDLY* IDScenter can monitor a MySQL Snort database, but w/o an
installation of MySQL, I don't know if I'll get the same information in the
notification e-mail messages or not.  

This is a Win32 installation of Snort.  Do you know of any other Win32 based
agents for monitoring Snort?  Agents that do not require a web server?

- Christopher 


-----Original Message-----
From: Andrew R. Baker [mailto:andrewb () snort org]
Sent: Tuesday, November 19, 2002 12:58 PM
To: L. Christopher Luther
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] RE: arachNIDS, CVE, bugtraq


L. Christopher Luther wrote:
Hack or not, it's been a useful feature when one is using IDScenter.  
What, if anything, will "-G" be replaced with??? 

All of the output plugins should support displaying reference 
information natively.  The "-G" hack is being removed because it was 
used to change the signature message itself to include reference details 
before output plugins supported them.

What output plugin does IDScenter require?

-A
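As an added example (not IDScenter's or Snort's own code), this shows how a tail-based notifier like the one described above can recover reference details without the "-G url" hack: it parses Snort full-alert records from alert.ids, collects the [Xref => ...] URLs that the output plugins now emit natively, and expands a rule's reference: tags through a reference.config-style URL map. The sample records, sids, addresses and the URL prefixes are constructed assumptions, not values from the thread.

```python
import re
from typing import Dict, List

# Constructed sample of two Snort full-alert records, as a tailer would read
# them from alert.ids (not a real capture; sids and addresses are made up).
SAMPLE_ALERT_IDS = """\
[**] [1:1000001:3] EXAMPLE web app probe [**]
[Classification: Web Application Attack] [Priority: 2]
11/20-13:05:21.123456 10.0.0.5:3421 -> 10.0.0.7:80
TCP TTL:128 TOS:0x0 ID:1234 IpLen:20 DgmLen:112 DF
[Xref => http://www.securityfocus.com/bid/99999][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-9999]

[**] [1:1000002:1] EXAMPLE portscan attempt [**]
[Classification: Attempted Information Leak] [Priority: 3]
11/20-13:06:02.000001 10.0.0.9:40001 -> 10.0.0.7:22
TCP TTL:64 TOS:0x0 ID:5678 IpLen:20 DgmLen:60
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: (.*?)\] \[Priority: (\d+)\]")
XREF_RE = re.compile(r"\[Xref => ([^\]]+)\]")

# Assumed reference.config-style prefixes for the systems named in the thread.
REFERENCE_URLS = {
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "bugtraq": "http://www.securityfocus.com/bid/",
    "arachnids": "http://www.whitehats.com/info/IDS",
}

def parse_alert_ids(text: str) -> List[Dict]:
    """Split full-alert text into records; one dict per complete alert."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # skip a partial record (e.g. caught mid-write while tailing)
        gid, sid, rev, msg = m.groups()
        rec = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
               "classification": None, "priority": None, "xrefs": []}
        for line in lines[1:]:
            c = CLASS_RE.search(line)
            if c:
                rec["classification"], rec["priority"] = c.group(1), int(c.group(2))
            rec["xrefs"].extend(XREF_RE.findall(line))  # several Xrefs may share a line
        alerts.append(rec)
    return alerts

def expand_references(rule_options: str) -> List[str]:
    """Turn 'reference:cve,CVE-2002-9999; reference:bugtraq,99999;' into URLs."""
    urls = []
    for system, ident in re.findall(r"reference:\s*(\w+)\s*,\s*([^;]+);", rule_options):
        prefix = REFERENCE_URLS.get(system.lower())
        if prefix:  # unknown reference systems are left out rather than guessed
            urls.append(prefix + ident.strip())
    return urls
```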

