[Snort-devel] Outputting info about a rule that fires

Joe McAlerney joey at ...63...
Fri Feb 23 18:54:07 EST 2001


"Hammerle, Tye F." wrote:
> 
> Having snort push that extra output seems like too much overhead that would
> detract from the basic purpose and performance. Maybe that sort of thing is
> best left to another piece of software like snortsnarf. Perhaps instead of
> adding this to snort you could write a utility that scans the alert file and
> produces a summary file with the info you listed below. Though it seems that
> snortsnarf already does that. Maybe snortsnarf could be modified to output
> this format too or it could read the file produced by the utility. Then
> snort wouldn't need fattening.
> 
> Tye

Snort will have to be able to handle reference, priority, and other
information internally anyway.  This is done in the form of plugins, and
for the reference information, has already been put to use with the
IDMEF xml plugin.  Not only do I want to be able to view my alerts based
on priority, I want them to be able to be processed based on priority. 
This is something that an output plugin can do, and would not be able to
do if all the work is done on the back end.

I expect what Jim proposed would be an option that could be used, and
not necessarily the default output.  I'm sure someone will correct me if
I'm wrong, but I think the majority of the overhead comes from fprintf
calls.  With Jim's proposal, you would at MOST have one entry in the
"additional information" file for each rule - not very significant when
compared to the heaps of ICMP destination unreachable found in
everyone's alert file.

my 2 cents,

-Joe M.

printf("[**]HAPPY BIRTHDAY JIM!!![**]\n");

-- 
+--                            --+
| Joe McAlerney, Silicon Defense |
| http://www.silicondefense.com/ |
+--                            --+
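To make the two points in Joe's reply concrete (rule metadata written at most once per rule, and alerts dispatched by priority at output time rather than reconstructed later from the alert file), here is an added, stand-alone Python sketch. It is not code from Snort, snortsnarf or anyone on this thread; the rule table, SIDs, reference strings and alert lines are all constructed for the example, and the line layout is only loosely modelled on Snort's fast alert format.

```python
import re

# Constructed, hypothetical rule metadata keyed by SID (not real Snort rules).
# In the plugin design discussed on the list this would come from the rule
# parser; here it is a literal table so the example runs offline.
RULE_INFO = {
    1000001: {"priority": 3, "reference": ["hypothetical:icmp-unreach"]},
    1000002: {"priority": 1, "reference": ["hypothetical:http-probe"]},
}

# Constructed sample alert lines, loosely modelled on Snort's fast alert
# format. Note three ICMP unreachables for one rule and a SID (1000003)
# that has no metadata entry at all.
SAMPLE_ALERTS = [
    "02/23-18:54:07.000001 [**] [1:1000001:1] ICMP Destination Unreachable [**] {ICMP} 10.0.0.1 -> 10.0.0.2",
    "02/23-18:54:07.000002 [**] [1:1000001:1] ICMP Destination Unreachable [**] {ICMP} 10.0.0.1 -> 10.0.0.3",
    "02/23-18:54:08.000003 [**] [1:1000002:1] Suspicious HTTP request [**] {TCP} 192.0.2.10:4444 -> 10.0.0.5:80",
    "",
    "02/23-18:54:09.000004 [**] [1:1000001:1] ICMP Destination Unreachable [**] {ICMP} 10.0.0.1 -> 10.0.0.4",
    "02/23-18:54:10.000005 [**] [1:1000003:1] Unknown rule for demo [**] {UDP} 10.0.0.9:53 -> 10.0.0.5:53",
]

# gid:sid:rev in square brackets, then the message, then the closing [**]
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")


def parse_alert(line):
    """Extract gid/sid/rev and message from one alert line, or None if it is not one."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    gid, sid, rev = (int(g) for g in m.group(1, 2, 3))
    return {"gid": gid, "sid": sid, "rev": rev, "msg": m.group(4), "raw": line}


def process(lines, rule_info=RULE_INFO, default_priority=3):
    """Route alerts by priority and collect per-rule extra information.

    Returns (by_priority, extra_info):
      by_priority: {priority: [alert dicts]} -- what an output plugin could
                   use to handle high-priority alerts differently
      extra_info:  {sid: {...}} -- at most one entry per rule that fired,
                   i.e. the "additional information" file from the thread
    """
    by_priority = {}
    extra_info = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # blank line or other non-alert text
        info = rule_info.get(alert["sid"], {"priority": default_priority, "reference": []})
        # Written once per rule, so this does not grow with alert volume.
        if alert["sid"] not in extra_info:
            extra_info[alert["sid"]] = {
                "msg": alert["msg"],
                "priority": info["priority"],
                "reference": list(info["reference"]),
            }
        by_priority.setdefault(info["priority"], []).append(alert)
    return by_priority, extra_info


def format_extra_info(extra_info):
    """Render the per-rule file as one line per rule, lowest SID first."""
    out = []
    for sid in sorted(extra_info):
        e = extra_info[sid]
        refs = ",".join(e["reference"]) or "-"
        out.append(f'sid={sid} priority={e["priority"]} msg="{e["msg"]}" ref={refs}')
    return "\n".join(out)


if __name__ == "__main__":
    by_prio, extra = process(SAMPLE_ALERTS)
    for prio in sorted(by_prio):
        print(f"priority {prio}: {len(by_prio[prio])} alert(s)")
    print(format_extra_info(extra))
```

Running it prints one alert at priority 1 and four at priority 3, followed by three per-rule lines: five alerts produced only three metadata entries, and the unknown SID simply falls back to the default priority with no references, which is the behaviour a back-end tool would have to guess at if the priority were not emitted by the output stage.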