Snort mailing list archives
Re: No alerts
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 25 Mar 2002 18:47:36 -0800 (PST)
On Mon, 25 Mar 2002, Bill McCarty wrote: [...snip...]
> But, my configuration seems to be sanctioned. From the user's manual:
IMHO, Sanctioned == Suggested. This type of config _ISN'T_ suggested for large amounts of data. The output plugins do work in this fashion. They will get the data to the right places, _but_ at a cost. <see below> [...snip...]
> So, am I one of a few rare birds actually stacking multiple output plugins? My guess is not, but it's merely a guess. I do see that the Honeynet folks use, or used, a similar configuration. In fact, I think I based mine on theirs. See <http://project.honeynet.org/papers/honeynet/snort.conf>.
Consider this about alert_full and alert_fast: alert_fast is a part of alert_full--(I guess sub_set might be used here....). Since you are writing the same data (75%) twice, why not drop alert_fast and speed up your disk writes and I/O waits? The developers tend to deal with _large_ pipes DS3+ and want things to be as fnorkin' fast as can be. :) On a slow net, honeynet or DSL homenet, things are different. You might also want to note that when the original config (for honey{net,pot}) was written, barnyard wasn't a reality. Now that it is, you can send to BY and have it populate the DB for 'very near' realtime updates.
> In any case, my question stands: Is there a convenient way to obtain near real-time alert reporting when logging only to a binary file?
IMHO? I'd say using BarnYard to send data to ACID or DeMarc or <homebrew solution>.
> Otherwise, there's a strong reason for WANTING to stack multiple output plugins. Though it's certainly possible that doing so may increase the frequency or severity of snort problems, despite evidence that doing so should work okay. I dunno.
Yes, you can and might even want to stack outputs. But, in my mind you are better off defining a custom rule type for all that type of output. I'm thinking about 'high speed' snorting here--But only the traffic that is 'really 3l33t' should be logged to all the types. Otherwise, just stuff it into the DB for analysis. But then again, I don't play an Incident Handler, even on TV. ;-)

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
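The layout Erek describes (fast binary output for everything, a custom ruletype that stacks the expensive output plugins for only the handful of rules you really care about, barnyard feeding the database for near-real-time viewing) looks like this as a snort.conf fragment. This is an added illustration, not a config from the mail or from the Honeynet snort.conf; the ruletype name `fullwatch`, the file names, the database credentials and the sample rule (sid 1000001, in the local-rule range) are constructed placeholders, and the output directives use the Snort 1.8/1.9-era plugin syntax the thread is discussing.

```conf
# Default outputs: cheap unified binary files only. Barnyard reads these
# and does the slow work (database inserts, syslog) out of Snort's path.
output alert_unified: filename snort.alert, limit 128
output log_unified:   filename snort.log,   limit 128

# Custom ruletype: stack the expensive human-readable and database outputs,
# but only rules that name this type pay for them.
# (alert_fast is left out on purpose: it is a subset of alert_full.)
ruletype fullwatch
{
    type alert
    output alert_full: fullwatch.alert
    output database: alert, mysql, user=snort dbname=snort host=localhost
}

# Only the traffic worth the extra I/O uses the custom type; everything
# else keeps the plain "alert"/"log" actions and goes to unified output.
# Example rule (constructed): inbound SSH SYN to the monitored segment.
fullwatch tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE inbound SSH to honeynet"; flags:S; sid:1000001; rev:1;)
```

With this split, the per-packet cost of alert_full and the database plugin is bounded by how many `fullwatch` rules fire, not by total alert volume, and the unified files still carry every event for barnyard to replay into ACID or a home-grown console.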
Current thread:
- No alerts Bill McCarty (Mar 25)
- Re: No alerts Erek Adams (Mar 25)
- Re: No alerts Bill McCarty (Mar 25)
- Re: No alerts Bill McCarty (Mar 25)
- <Possible follow-ups>
- Re: No alerts Bill McCarty (Mar 25)
- Re: No alerts Erek Adams (Mar 25)
- Re: No alerts Bill McCarty (Mar 25)
- Re: No alerts Erek Adams (Mar 25)
- Re: No alerts Erek Adams (Mar 25)