[Snort-devel] A question regarding InitializeInterfaces

Dirk Geschke dirk at ...972...
Wed Nov 21 01:03:01 EST 2001


Hi,

> 
> yup, thanks for your feedback the changes just have been committed.
> 

thanks. I guess it was just a minor problem since it only seems 
to affect HP-UX 10.20. But it was also a question of aesthetic...

For me it is a nice feature to use an old PA9000/715 for developing
some tools. (There two nice things with HP-UX: 1. noone wants to
work with these machines so I can use them for developing and 2.
if you get your code run on HP-UX it will work on nearly every 
unix flavour...)

In the moment I work on a couple of perl scripts to use the 
output alert_unixsock. The idea is to gather the alerts and 
trigger events based on the priority of the rules. The events
are analysed similar to the results in /var/log/snort/alert
and were directed to a central server where general alerts 
are collected. The idea in the moment is to have one central
station to collect the alerts and send mail to a list of users.
(And of course to learn more about snort...)

The big advantage is: I have only to maintain the mail generation
on the central and don't need to worry about each sensor (in fact
the sensors need no sendmail at all).

For the moment I have one big problem remaining: If I use several
sensors and all see the same alert how do I avoid to generate for
each alert a seperate email? Similar: For an ongoing attack generating
several alerts in a short time, how do I condense the alerts so I won't 
get a few hundred mails per minute or so?

My first idea is to collect first the alerts based on SourceIP:Port 
and DestinationIP:Port over a period of time and generatet the alert
after this period. Thus I can collect all alerts from all sensors
and put the results in one email. 

Does anyone have a better idea?

Best regards

Dirk
--
+------------------------------------------------------------+
| Dr. Dirk Geschke            | E-mail: geschke at ...802...     |
| Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-31 |
| und Unix Administration mbH | Fax   : +49-(0)-89-991950-99 |
| 85551 Kirchheim / Germany   | Raeter Stra/3e 26            |
+------------------------------------------------------------+






More information about the Snort-devel mailing list