[Snort-devel] mailing feature

Erek Adams erek at ...835...
Thu Jul 31 06:39:04 EDT 2003


On Thu, 31 Jul 2003, Mario Ohnewald wrote:

> Found it!!

You're really making a mistake by doing that.

Instead log to syslog or /var/log/alert and have something like Swatch
handle the checking and sending of emails.  If you don't you're really
going to create a problem.  Each time you make a call to system, you're
running the risk of Snort blocking.  From the man page "...returns after
the command has been completed."  If you have 4 packets that come in at
roughly the same time, and all 4 packets generate an alert, you'll end up
with something like this:  Alert1 is generated, system call, creation of
a new process, execution of the new process, destruction of process,
control now returns to Snort where Alert2 is about to be generated.  The
cycle repeats...  Consider the fact that if you are waiting on a system
call to return, you're not going to be able to sniff packets.

By all means do what's best for you and your environment.  Just be
forewarned that you could really hurt yourself by doing it that way.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
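The trade-off Erek describes, as an added example that is not part of the thread and not Snort or Swatch code: a stand-in capture loop that blocks on a child process per alert, beside one that only appends to an alert log and leaves the mailing to a separate Swatch-like watcher. The alert line format, the 0.1 s stand-in mailer and the threshold grouping are constructed for the illustration.

```python
import re
import subprocess
import sys
import time
from collections import defaultdict

# Constructed Snort-style fast-alert line shape; not output of a real sensor.
ALERT_RE = re.compile(r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\]")

def sniff_loop(packets, on_alert):
    """Stand-in for the capture loop: every packet here raises an alert.
    Returns the seconds spent in handlers, i.e. time spent not sniffing."""
    start = time.monotonic()
    for pkt in packets:
        on_alert(pkt)
    return time.monotonic() - start

def mail_via_system(alert_line):
    """The approach warned against: a system()-style call per alert. The
    child (a 0.1 s stand-in mailer) must exit before the next packet is read."""
    subprocess.run([sys.executable, "-c", "import time; time.sleep(0.1)"],
                   check=True)

def make_log_appender(log):
    """The recommended path: append the line (what syslog or /var/log/alert
    would receive) and return to the capture loop immediately."""
    return log.append

def watch(log, threshold=1):
    """Swatch-like consumer running outside the sniffer: group alert lines
    by SID and emit one mail per SID once `threshold` lines are seen."""
    by_sid = defaultdict(list)
    for line in log:
        m = ALERT_RE.search(line)
        if m:
            by_sid[m.group("sid")].append(m.group("msg"))
    return [f"{len(msgs)} x {msgs[0]} (sid {sid})"
            for sid, msgs in by_sid.items() if len(msgs) >= threshold]

# Four near-simultaneous copies of one constructed alert.
ALERTS = ["[**] [1:100001:1] CONSTRUCTED test alert [**] [Priority: 2] "
          "10.0.0.1 -> 10.0.0.2"] * 4

def demo():
    blocking = sniff_loop(ALERTS, mail_via_system)
    log = []
    decoupled = sniff_loop(ALERTS, make_log_appender(log))
    return blocking, decoupled, watch(log)
```

With the blocking handler the loop is stalled for at least four times the mailer's run time; with the log appender it returns almost immediately and the watcher still produces a single notification for the burst.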
