RE: Changing the filename format for alerts

[Matt Yackley <Matt.Yackley () perkinswill com>]

SnortSnarf creates some nice front-end pages to group alerts, gives totals,
etc., and navigate through the different alert types, then once you get down
to the detailed alert page it produces a link to the packet capture file,
i.e. url that points to something like \x.x.x.x\TCP_3936-80.  Since it uses
the ASCII file that snort uses to store the packet capture portion of the
alert, I have to configure Snort to store the file in format that works
under Linux or windows. There was also a little tweaking to the SnortSnarf
perl code to get that to produce relative links instead of hard links.

I'm setting up a test box right now, so I'll be able to try some stuff out.
My buddy just sent back something back so I'll try his changes to the code
and see if it will compile and run....

Matt
-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Tuesday, October 15, 2002 3:28 PM
To: Matt Yackley
Cc: 'McKim, Tim'; Snort-Users (E-mail)
Subject: RE: [Snort-users] Changing the filename format for alerts


On Tue, 15 Oct 2002, Matt Yackley wrote:

> Snort and SnortSnarf, one for each side of the firewall.  I run a weeks
> worth of data then tar the whole html tree that snortsnarf creates and ftp
> it to a windows machine.  Once on the windows box the whole tree get
burned
> to a CD for storage so all I need to do is drop the CD in any PC and
> navigate through the HTML just like it was on the server.

Hrm...  Ok, I don't use snortsnarf, so this might be a silly question:
Since
'the html tree that snortsnarf creates' is built by it, isn't that what's
really giving you the issues with the filenames?  I'm not sure, so I had to
ask.  :)

> Anyway that's my messed up way of viewing and archiving data, but it works
> for me.  I ran into all kinds of issues between Snort and SnortSnarf and
> trying to use : and then try the renaming route, etc., but the best way
for
> me is to just use _ instead.

Naaa....  It's not messed up.  I'd say it might be quite a bit more common
that you think.

> Your suggestion may work well for others though, thanks again for the
help.

:)  Well there is a way to do it.  I'm just not sure where you'd need to
edit
the code at yet.  I'll grunge thru it later on and see if I can come up with
something.

> BTW, I'm forced to use Outlook and I love seeing your Outlook flag!

;-)  It's simple yet effective.  Besides, I hate virus propagation programs
that try to pretend to be an email client.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


-------------------------------------------------------
This sf.net email is sponsored by: viaVerio will pay you up to
$1,000 for every account that you consolidate with us.
http://ad.doubleclick.net/clk;4749864;7604308;v?http://www.viaverio.com/
consolidator/osdn.cfm


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users