Snort mailing list archives

RE: WatchHog Released - a web-based snort alert analyser.


From: "Randy Walinga" <randy () watchhog org>
Date: Sat, 10 Apr 2004 02:36:53 -0400

ACID didn't really cut it for us and neither did Demarc, so we started on
WatchHog for our own purposes a few years ago.  We needed a tool that could
watch many snort sensors, give us a quick overview of the status, and, if an
event occurred, let us find out exactly who did what and when... and ideally
page the on-call guy as the event was happening.  So that's what we made.
Then we kept adding features as somebody would say (usually me), "Wouldn't it
be nice if I got e-mailed a nice graphical summary of the day's events, with a
trending chart that compared total alerts to the previous 7, 14, or 31 days'
alerts..."

As for queries, you can search for alerts in any combination of sensor,
date/time range, Src IP, Dst IP and Signature.  We never needed to search
based on any other criteria, but if some other queries are useful, I would
certainly add them in.  That kind of feedback is wonderful.  What ACID
queries do you find you use most?

Also, the above search criteria don't just apply to alert listings, but to
Top Signatures or Top IP Addresses and to the Attack Profile.  And it's much
more intuitive than ACID in my opinion (I'm starting to get warmed up here).
For example, you may see that one of your sensors has had 30 alerts in the
past 15 minutes (under Recent Activity), so then you just click it to get
the listing of those alerts.  Then, if that looks suspicious, just click the
alert to get a detailed packet view.

It uses JSP, so you can customize the Java code if you desire.

You can evaluate the product in a commercial environment for 14 days.  We
have limited it to two sensors, but we can provide a version without that
limitation if you need it.

Thanks Mark,
Randy Walinga.
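
The overview and drill-down described above (per-sensor "Recent Activity" counts, then a search by any combination of sensor, time range, Src IP, Dst IP and Signature), as an added example that is not WatchHog's code and not from this thread: a Python/sqlite3 sketch over a subset of the classic Snort database schema (sensor, signature, event, iphdr), with constructed sample alerts and an assumed reference time.

```python
import sqlite3
from datetime import datetime, timedelta
# Subset of the classic Snort database schema (sensor, signature, event, iphdr) as written by
# Snort's database output plugin; IP addresses are stored as unsigned 32-bit integers.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER);
"""
TS = "%Y-%m-%d %H:%M:%S"
NOW = datetime(2004, 4, 9, 11, 34)  # constructed reference time for the sample data
def ip2int(dotted):
    return int.from_bytes(bytes(int(x) for x in dotted.split(".")), "big")
def int2ip(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))

def build_sample_db(now=NOW):
    """Constructed sample alerts (not real sensor data), timestamped relative to `now`."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO sensor VALUES (?, ?)", [(1, "dmz"), (2, "lan")])
    db.executemany("INSERT INTO signature VALUES (?, ?)",
                   [(1, "WEB-IIS cmd.exe access"), (2, "ICMP PING NMAP")])
    alerts = [(1, 1, 1, 2, "198.51.100.7", "192.0.2.10"),   # (sid, cid, sig_id,
              (1, 2, 1, 5, "198.51.100.7", "192.0.2.10"),   #  minutes_ago, src, dst)
              (1, 3, 2, 9, "203.0.113.4", "192.0.2.10"),
              (2, 1, 1, 90, "198.51.100.7", "192.0.2.20")]  # older than 15 minutes
    for sid, cid, sig, age, src, dst in alerts:
        ts = (now - timedelta(minutes=age)).strftime(TS)
        db.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig, ts))
        db.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?)", (sid, cid, ip2int(src), ip2int(dst)))
    return db

def recent_activity(db, now=NOW, minutes=15):
    """Overview: alert count per sensor over the last `minutes` (sensors with none are omitted)."""
    since = (now - timedelta(minutes=minutes)).strftime(TS)
    return dict(db.execute("SELECT s.hostname, COUNT(*) FROM event e JOIN sensor s "
                           "ON s.sid = e.sid WHERE e.timestamp >= ? GROUP BY s.hostname", (since,)))

def search_alerts(db, sensor=None, since=None, until=None, src=None, dst=None, sig=None):
    """Drill-down: any combination of sensor, time range, src/dst IP and signature name."""
    sql = ("SELECT s.hostname, e.timestamp, g.sig_name, i.ip_src, i.ip_dst FROM event e "
           "JOIN sensor s ON s.sid = e.sid JOIN signature g ON g.sig_id = e.signature "
           "JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid WHERE 1=1")
    filters = [("s.hostname = ?", sensor), ("e.timestamp >= ?", since), ("e.timestamp <= ?", until),
               ("i.ip_src = ?", ip2int(src) if src else None),
               ("i.ip_dst = ?", ip2int(dst) if dst else None), ("g.sig_name = ?", sig)]
    sql += "".join(" AND " + c for c, v in filters if v is not None)  # only supplied criteria
    rows = db.execute(sql + " ORDER BY e.timestamp DESC", [v for _, v in filters if v is not None])
    return [(h, t, n, int2ip(a), int2ip(b)) for h, t, n, a, b in rows]
```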


-----Original Message-----
From: Mark.Schutzmann () Omron com [mailto:Mark.Schutzmann () Omron com]
Sent: April 9, 2004 11:15 PM
To: Randy Walinga
Cc: snort-users () lists sourceforge net;
snort-users-admin () lists sourceforge net
Subject: Re: [Snort-users] WatchHog Released - a web-based snort alert
analyser.



How is this better than Acid? From the screenshots (which are very
difficult to see) it appears to have limited query abilities in comparison.
What are the limitations for evaluating the product in a commercial
environment? Because this appears to be Java-based, it looks like it cannot
be customized?

Regards,
Mark



From: "Randy Walinga" <randy () watchhog org>
Sent by: snort-users-admin () lists sourceforge net
To: <snort-users () lists sourceforge net>
cc:
Subject: [Snort-users] WatchHog Released - a web-based snort alert analyser.
Date: 04/09/2004 11:34 AM


WatchHog is a web-based snort alert analyser/reporting tool that queries an
SQL database in real-time.

WatchHog is designed for easy monitoring and reporting on multiple snort
sensors.

It is available free for personal use on not more than two snort sensors.

Check it out at:
www.watchhog.org

Randy Walinga
randy () watchhog org



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
