[Snort-devel] mailing feature
mario.ohnewald at ...578...
Thu Jul 31 08:41:15 EDT 2003
I didn't think of that.
>From: snort-devel-admin at lists.sourceforge.net
>[mailto:snort-devel-admin at lists.sourceforge.net]On Behalf Of Erek Adams
>Sent: Thursday, July 31, 2003 3:38 PM
>To: Mario Ohnewald
>Cc: snort-devel at lists.sourceforge.net
>Subject: Re: [Snort-devel] mailing feature
>On Thu, 31 Jul 2003, Mario Ohnewald wrote:
>> Found it!!
>You're really making a mistake by doing that.
>Instead log to syslog or /var/log/alert and have something like Swatch
>handle the checking and sending of emails. If you don't you're really
>going to create a problem. Each time you make a call to system, you're
>running the risk of Snort blocking. From the man page "...returns after
>the command has been completed." If you have 4 packets that come in at
>roughly the same time, and all 4 packets generate an alert, you'll end up
>with something like this: Alert1 is generated, system call, creation of
>a new process, execution of the new process, destruction of process,
>control now returns to Snort where Alert2 is about to be generated. The
>cycle repeats... Consider the fact that if you are waiting on a system
>call to return, you're not going to be able to sniff packets.
>By all means do what's best for you and your environment. Just be
>forewarned that you could really hurt yourself by doing it that way.
> "When things get weird, the weird turn pro." H.S. Thompson
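The decoupled design Erek describes (Snort writes to a log, a separate watcher handles mail) as an added Python example that is not from this thread or from Snort or Swatch: a small watcher that parses Snort's "fast" alert format and rate-limits mail per signature, with a constructed sample line and a `send` callback standing in for whatever delivery you use.

```python
import re
import time
from collections import defaultdict

# Constructed sample line (not from the thread), in Snort's "fast" alert format.
SAMPLE = ("07/31-08:41:15.123456  [**] [1:469:1] ICMP PING NMAP [**] "
          "[Classification: Attempted Information Leak] [Priority: 2] "
          "{ICMP} 10.0.0.5 -> 10.0.0.1")
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

class AlertMailer:
    """Sends at most one mail per signature (sid) per window; later alerts for
    the same sid are counted and summarised in the next mail for that sid."""
    def __init__(self, send, window=300):
        self.send, self.window = send, window   # send(subject, body) delivers mail
        self.last_sent = {}                     # sid -> time of last mail
        self.suppressed = defaultdict(int)      # sid -> alerts held back since then

    def handle(self, line, now=None):
        """Process one log line; return True if a mail was sent for it."""
        now = time.time() if now is None else now
        a = parse_alert(line)
        if a is None:
            return False
        last = self.last_sent.get(a["sid"])
        if last is not None and now - last < self.window:
            self.suppressed[a["sid"]] += 1      # inside the window: hold it back
            return False
        held = self.suppressed.pop(a["sid"], 0)
        body = f"{a['ts']} {a['proto']} {a['src']} -> {a['dst']}: {a['msg']}"
        if held:
            body += f"\n({held} further alert(s) for {a['sid']} suppressed in the last {self.window}s)"
        self.send(f"[snort] {a['msg']}", body)  # slow delivery only delays this process
        self.last_sent[a["sid"]] = now
        return True

if __name__ == "__main__":
    mailer = AlertMailer(lambda subject, body: print(subject, body, sep="\n"))
    mailer.handle(SAMPLE)
```

In deployment the watcher reads lines as they are appended to the alert file (a `tail -f` style loop), so the sniffing process never waits on process creation or a mail server.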