Snort mailing list archives
RE: WatchHog Released - a web-based snort alert analyser.
From: "Randy Walinga" <randy () watchhog org>
Date: Sat, 10 Apr 2004 02:36:53 -0400
ACID didn't really cut it for us and neither did Demarc, so we started on WatchHog for our own purposes a few years ago. We needed a tool that could watch many snort sensors, it could give us a quick overview of the status, and if an event occurred we could find out exactly who did what and when... and ideally page the on-call guy as the event was happening. So that's what we made. Then we kept adding features as somebody would say (usually me) "Wouldn't it be nice if I got e-mailed a nice graphical summary of the day's events, with a trending chart that compared total alerts to the previous 7, 14, or 31 days' alerts..."

As for queries, you can search for alerts in any combination of sensor, date/time range, Src IP, Dst IP and Signature. We never needed to search based on any other criteria, but if some other queries are useful, I would certainly add them in. That kind of feedback is wonderful. What ACID queries do you find you use most?

Also the above search criteria don't just apply to alert listings, but to Top Signatures or Top IP Addresses and to the Attack Profile. And it's much more intuitive than ACID in my opinion (I'm starting to get warmed up here). For example you may see that one of your sensors has had 30 alerts in the past 15 minutes (under Recent Activity), so then you just click it to get the listing of those alerts. Then if that looks suspicious, just click the alert to get a detailed packet view.

It uses jsp, so you can customize the java code if you desire.

You can evaluate the product in a commercial environment for 14 days. We have limited it to two sensors, but we can provide a version without that limitation if you need it.

Thanks Mark,

Randy Walinga
-----Original Message-----
From: Mark.Schutzmann () Omron com [mailto:Mark.Schutzmann () Omron com]
Sent: April 9, 2004 11:15 PM
To: Randy Walinga
Cc: snort-users () lists sourceforge net; snort-users-admin () lists sourceforge net
Subject: Re: [Snort-users] WatchHog Released - a web-based snort alert analyser.

How is this better than Acid? From the screenshots (which are very difficult to see) it appears to have limited query abilities in comparison. What are the limitations for evaluating the product in a commercial environment? Because this appears to be Java-based, it looks like it cannot be customized?

Regards,
Mark

"Randy Walinga" <randy () watchhog org>
Sent by: snort-users-admin () lists sourceforge net
04/09/2004 11:34 AM
To: <snort-users () lists sourceforge net>
cc:
Subject: [Snort-users] WatchHog Released - a web-based snort alert analyser.

WatchHog is a web-based snort alert analyser/reporting tool that queries an SQL database in real-time. WatchHog is designed for easy monitoring and reporting on multiple snort sensors. It is available free for personal use on not more than two snort sensors.

Check it out at : www.watchhog.org

Randy Walinga
randy () watchhog org
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
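The query features Randy lists above (per-sensor Recent Activity over the last 15 minutes, an alert search by any combination of sensor, date/time range, Src IP, Dst IP and Signature, and a today-versus-previous-days trend) can be expressed directly against the database that Snort's database output plugin populates. The following is an added example written for this archive page; it is not WatchHog's code and does not come from the thread. It assumes a simplified subset of Snort's sensor, signature, event and iphdr tables (only the columns used here) and runs against constructed sample alerts in an in-memory SQLite database with a fixed clock.

```python
import ipaddress
import sqlite3
from datetime import datetime, timedelta

# Assumption: a simplified subset of Snort's database output schema. The real
# sensor/signature/event/iphdr tables carry more columns than are used here.
SCHEMA = """
CREATE TABLE sensor    (sid INTEGER PRIMARY KEY, hostname TEXT NOT NULL);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                        PRIMARY KEY (sid, cid));
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                        PRIMARY KEY (sid, cid));
"""

TS = "%Y-%m-%d %H:%M:%S"              # text timestamps in this form sort correctly
NOW = datetime(2004, 4, 10, 2, 30, 0)  # fixed clock so the sample results are stable

# Constructed sample alerts: (sid, cid, sig_id, timestamp, src, dst)
SAMPLE_EVENTS = [
    (1, 1, 1, "2004-04-10 02:20:00", "10.0.0.5", "192.0.2.10"),
    (1, 2, 1, "2004-04-10 02:25:00", "10.0.0.5", "192.0.2.11"),
    (1, 3, 2, "2004-04-10 02:28:00", "10.0.0.7", "192.0.2.80"),
    (2, 1, 2, "2004-04-10 02:00:00", "10.0.0.7", "192.0.2.80"),  # older than 15 min
    (2, 2, 1, "2004-04-09 14:00:00", "10.0.0.5", "192.0.2.10"),  # yesterday
    (2, 3, 1, "2004-04-05 09:00:00", "10.0.0.9", "192.0.2.10"),  # inside previous 7 days
    (1, 4, 2, "2004-04-01 09:00:00", "10.0.0.7", "192.0.2.80"),  # outside the 7-day window
]


def ip_to_int(ip):
    """Snort stores IPv4 addresses as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(n):
    return str(ipaddress.IPv4Address(n))


def build_sample_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO sensor VALUES (?, ?)",
                    [(1, "dmz-sensor"), (2, "lan-sensor")])
    con.executemany("INSERT INTO signature VALUES (?, ?)",
                    [(1, "ICMP PING NMAP"), (2, "WEB-IIS cmd.exe access")])
    for sid, cid, sig, ts, src, dst in SAMPLE_EVENTS:
        con.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig, ts))
        con.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?)",
                    (sid, cid, ip_to_int(src), ip_to_int(dst)))
    con.commit()
    return con


def recent_activity(con, now=NOW, minutes=15):
    """Alert count per sensor over the last `minutes`.

    The LEFT JOIN keeps sensors with no alerts in the result with a count of 0,
    so a sensor that has gone quiet (or dead) is visible rather than absent.
    """
    since = (now - timedelta(minutes=minutes)).strftime(TS)
    return con.execute(
        """SELECT s.hostname, COUNT(e.cid)
             FROM sensor s
             LEFT JOIN event e ON e.sid = s.sid
                              AND e.timestamp > ? AND e.timestamp <= ?
            GROUP BY s.sid
            ORDER BY s.hostname""",
        (since, now.strftime(TS))).fetchall()


def search_alerts(con, sensor=None, start=None, end=None,
                  src_ip=None, dst_ip=None, signature=None):
    """Alert listing for any combination of criteria; every value is a bound parameter."""
    criteria = [
        ("s.hostname = ?",   sensor),
        ("e.timestamp >= ?", start.strftime(TS) if start else None),
        ("e.timestamp <= ?", end.strftime(TS) if end else None),
        ("ip.ip_src = ?",    ip_to_int(src_ip) if src_ip else None),
        ("ip.ip_dst = ?",    ip_to_int(dst_ip) if dst_ip else None),
        ("sig.sig_name = ?", signature),
    ]
    clauses = [c for c, v in criteria if v is not None]
    params = [v for _, v in criteria if v is not None]
    where = (" WHERE " + " AND ".join(clauses)) if clauses else ""
    rows = con.execute(
        """SELECT s.hostname, e.timestamp, sig.sig_name, ip.ip_src, ip.ip_dst
             FROM event e
             JOIN sensor s      ON s.sid = e.sid
             JOIN signature sig ON sig.sig_id = e.signature
             JOIN iphdr ip      ON ip.sid = e.sid AND ip.cid = e.cid"""
        + where + " ORDER BY e.timestamp, e.sid, e.cid", params).fetchall()
    return [(host, ts, name, int_to_ip(src), int_to_ip(dst))
            for host, ts, name, src, dst in rows]


def daily_trend(con, now=NOW, days=7):
    """(alerts so far today, alerts over the previous `days` full days)."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    window_start = midnight - timedelta(days=days)
    today = con.execute(
        "SELECT COUNT(*) FROM event WHERE timestamp >= ? AND timestamp <= ?",
        (midnight.strftime(TS), now.strftime(TS))).fetchone()[0]
    previous = con.execute(
        "SELECT COUNT(*) FROM event WHERE timestamp >= ? AND timestamp < ?",
        (window_start.strftime(TS), midnight.strftime(TS))).fetchone()[0]
    return today, previous


if __name__ == "__main__":
    con = build_sample_db()
    print(recent_activity(con))   # [('dmz-sensor', 3), ('lan-sensor', 0)]
    print(search_alerts(con, src_ip="10.0.0.5", signature="ICMP PING NMAP"))
    print(daily_trend(con))       # (4, 2)
```

Two design points worth noting for anyone building a console like this on top of the Snort database: all search criteria are passed as bound parameters, so an IP address or signature name typed into a web form never becomes part of the SQL text, and the Recent Activity query reports 0 for a sensor with no alerts, which turns a sensor that has silently stopped logging into something an analyst can see on the overview page.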
Current thread:
- WatchHog Released - a web-based snort alert analyser. Randy Walinga (Apr 09)
- Re: WatchHog Released - a web-based snort alert analyser. Paul Schmehl (Apr 10)
- RE: WatchHog Released - a web-based snort alert analyser. Michael Steele (Apr 10)
- RE: WatchHog Released - a web-based snort alert analyser. Randy Walinga (Apr 10)
- <Possible follow-ups>
- Re: WatchHog Released - a web-based snort alert analyser. Mark Schutzmann (Apr 09)
- RE: WatchHog Released - a web-based snort alert analyser. Randy Walinga (Apr 09)
- Re: WatchHog Released - a web-based snort alert analyser. Paul Schmehl (Apr 10)