Snort mailing list archives

Re: network output strategies (was: Rotating '-b'logs...)


From: Ben Hughes <ben.hughes () uk easynet net>
Date: Tue, 24 Jul 2001 14:30:33 +0100

On Tue, Jul 24, 2001 at 08:27:01AM -0400, Kiira Triea wrote:

> Hmmm... I've been thinking about this too but thought perhaps using
> perl's IO::Socket modules to write a local client for a UDP connection
> to the remote server - have snort sensors write to the local client

ssh would probably be too expensive in all honesty, netcat or some perl,
i agree.. (:

> What would really work well for what I need is to be able to have
> the server (Socket listener/data receiver) output to different
> sources depending on Alert directives - I want a database of alerts
> to cover a large timespan for instance, but I want a binary tcpdump
> to be triggered by an alert which would be linked by a database
> key to the triggering alert - so that I can trace through a possible
> intrusion sequence.  I know that the "tag" and "session" directives
> address this... I just haven't gotten around to setting everything
> up the way I need it. Yikes I better get some coffee.

coffee is the way. it is sounding like XML'ing over the wire to somewhere
that sorts out what to do with it...

hmm, coffee..

-- 
Ben Hughes, <ben.hughes [at] uk.easynet.net>

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
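Editor's note: the design Kiira sketches above (sensors relay alerts over UDP to a collector that writes every alert to a database and opens a packet capture keyed to the triggering alert row) is worth seeing end to end. The block below is an added example written for this page, not code from either poster or from the Snort project, and it is in Python rather than the perl IO::Socket client the thread mentions. It parses Snort "fast" alert lines, stores them in an in-memory sqlite3 database, and for alerts at or above a priority threshold records the tcpdump BPF filter it would start, keyed by the alert's row id; it does not launch tcpdump. One caveat the thread's "netcat or some perl" option glosses over: a bare UDP listener accepts datagrams from anyone who can reach the port, and a sender address is trivially spoofed, so the example tags each datagram with an HMAC under an assumed shared key (SHARED_KEY) and drops anything that fails verification. It does nothing about silent UDP loss, which ssh would also have covered. The sample alert lines and the shared key are constructed for the example.

```python
"""Collector for Snort alerts relayed over UDP: every alert goes to a
long-lived alerts table; high-priority alerts also open a capture record
keyed to the triggering alert row.  Added example, not thread/Snort code.
Assumptions: Snort 'fast' alert lines, a shared HMAC key distributed out
of band, an in-memory sqlite3 database, and a capture trigger that only
records the tcpdump filter it would run (nothing is launched)."""
import hashlib
import hmac
import re
import socket
import sqlite3

# Snort "fast" alert layout, e.g.
# 07/24-14:30:33.123456  [**] [1:469:1] ICMP PING NMAP [**] [Classification: X] [Priority: 2] {ICMP} 10.1.1.1 -> 10.1.1.2
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

SHARED_KEY = b"assumed-shared-secret-replace-me"  # assumption: sensor and collector both hold this

# Constructed sample alerts for the example (not taken from the thread).
SAMPLE_ALERTS = [
    "07/24-14:30:33.123456  [**] [1:469:1] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.1.1 -> 10.1.1.2",
    "07/24-14:30:34.000001  [**] [1:1000001:1] LOCAL noisy scanner [**] "
    "[Priority: 3] {TCP} 10.1.1.1:40000 -> 10.1.1.2:80",
]

def seal(line):
    """Sensor side: append a truncated HMAC-SHA256 so a spoofed UDP source cannot inject alerts."""
    body = line.encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()[:32].encode()
    return body + b"|" + tag

def unseal(datagram):
    """Collector side: return the alert line, or None if the tag is missing or wrong."""
    body, sep, tag = datagram.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()[:32].encode()
    return body.decode(errors="replace") if hmac.compare_digest(expected, tag) else None

def parse_alert(line):
    """Dict of alert fields, or None for a line that is not a Snort fast alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

class AlertStore:
    """alerts: the long-timespan record.  captures: one row per triggered capture, FK to alerts.id."""
    def __init__(self, capture_priority=1):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE alerts(id INTEGER PRIMARY KEY, ts TEXT, sid INTEGER, msg TEXT,
                                priority INTEGER, proto TEXT, src TEXT, dst TEXT);
            CREATE TABLE captures(id INTEGER PRIMARY KEY,
                                  alert_id INTEGER REFERENCES alerts(id), bpf TEXT, status TEXT);
        """)
        self.capture_priority = capture_priority  # Snort priority: 1 is the most severe

    def ingest(self, line):
        """Store the alert; open a capture if priority <= threshold. Returns (alert_id, capture_id or None)."""
        a = parse_alert(line)
        if a is None:
            return None
        cur = self.db.execute(
            "INSERT INTO alerts(ts, sid, msg, priority, proto, src, dst) VALUES (?,?,?,?,?,?,?)",
            (a["ts"], int(a["sid"]), a["msg"], int(a["prio"]), a["proto"], a["src"], a["dst"]))
        alert_id, capture_id = cur.lastrowid, None
        if int(a["prio"]) <= self.capture_priority:
            # The BPF filter a 'tcpdump -w' for this alert would be started with; alert_id is the link back.
            bpf = f"host {a['src']} and host {a['dst']}"
            if a["proto"].lower() in ("tcp", "udp"):
                bpf += " and " + a["proto"].lower()
            cap = self.db.execute("INSERT INTO captures(alert_id, bpf, status) VALUES (?,?,?)",
                                  (alert_id, bpf, "pending"))
            capture_id = cap.lastrowid
        self.db.commit()
        return alert_id, capture_id

    def capture_for_alert(self, alert_id):
        row = self.db.execute("SELECT bpf FROM captures WHERE alert_id = ?", (alert_id,)).fetchone()
        return row[0] if row else None

def collect(datagrams, store):
    """Collector loop body over received datagrams. Returns (list of ingest results, rejected count)."""
    ids, rejected = [], 0
    for dg in datagrams:
        line = unseal(dg)
        result = store.ingest(line) if line is not None else None
        if result is None:
            rejected += 1  # forged/corrupt tag, or a line that is not a fast alert
        else:
            ids.append(result)
    return ids, rejected

def relay_over_loopback(lines):
    """Send sealed alerts sensor -> collector over a real UDP socket on 127.0.0.1; return what arrived."""
    collector = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    collector.bind(("127.0.0.1", 0))
    collector.settimeout(2)
    sensor = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for line in lines:
        sensor.sendto(seal(line), collector.getsockname())
    received = []
    try:
        for _ in lines:
            received.append(collector.recv(65535))
    except socket.timeout:
        pass  # UDP loss is silent; the collector only notices by counting
    sensor.close()
    collector.close()
    return received

if __name__ == "__main__":
    store = AlertStore(capture_priority=2)
    datagrams = relay_over_loopback(SAMPLE_ALERTS) + [b"forged alert|0000"]
    print(collect(datagrams, store))       # two alerts stored, one forged datagram rejected
    print(store.capture_for_alert(1))      # BPF filter keyed to alert row 1
```

The capture row is the "database key linked to the triggering alert" from the thread: whatever process services the pending captures reads the BPF filter and the alert_id, runs tcpdump, and can update status, so an analyst can walk from alert to pcap and back. With the threshold at 2 the ICMP PING alert opens a capture and the priority-3 alert does not; Snort's own "tag" and "session" directives do this on the sensor, which is the cheaper place for it when one sensor is enough.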