[Snort-devel] mailing feature

Mario Ohnewald mario.ohnewald at ...578...
Thu Jul 31 08:41:15 EDT 2003


I didn't think of that.
thanks!

;D

>-----Original Message-----
>From: snort-devel-admin at lists.sourceforge.net
>[mailto:snort-devel-admin at lists.sourceforge.net]On Behalf Of Erek Adams
>Sent: Thursday, July 31, 2003 3:38 PM
>To: Mario Ohnewald
>Cc: snort-devel at lists.sourceforge.net
>Subject: Re: [Snort-devel] mailing feature
>
>
>On Thu, 31 Jul 2003, Mario Ohnewald wrote:
>
>> Found it!!
>
>You're really making a mistake by doing that.
>
>Instead log to syslog or /var/log/alert and have something like Swatch
>handle the checking and sending of emails.  If you don't you're really
>going to create a problem.  Each time you make a call to system, you're
>running the risk of Snort blocking.  From the man page "...returns after
>the command has been completed."  If you have 4 packets that come in at
>roughly the same time, and all 4 packets generate an alert, you'll end up
>with something like this:  Alert1 is generated, system call, creation of
>a new process, execution of the new process, destruction of process,
>control now returns to Snort where Alert2 is about to be generated.  The
>cycle repeats...  Consider the fact that if you are waiting on a system
>call to return, you're not going to be able to sniff packets.
>
>By all means do what's best for you and your environment.  Just be
>forewarned that you could really hurt yourself by doing it that way.
>
>Cheers!
>
>-----
>Erek Adams
>
>   "When things get weird, the weird turn pro."   H.S. Thompson
>
>
>
>
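
The decoupling recommended in the quoted reply, sketched as an added example (not code from this thread, from Snort, or from Swatch): a separate process reads the alert file and folds a burst of alerts into one mail, so the sensor never waits on a mailer. It assumes Snort's "fast" alert line format and IPv4 addresses; the function names, addresses, SIDs and sample lines are constructed for illustration.

```python
import re
from collections import Counter
from email.message import EmailMessage

# Fast-format line: timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def build_digest(lines, sender, recipient):
    """Collapse a batch of alert lines into ONE message (None if no alerts)."""
    alerts = [a for a in map(parse_alert, lines) if a]
    if not alerts:
        return None
    counts = Counter((a["sid"], a["msg"]) for a in alerts)
    body = [f"{len(alerts)} alerts between {alerts[0]['ts']} and {alerts[-1]['ts']}", ""]
    for (sid, text), n in counts.most_common():
        # Strip the port (IPv4 only) so each source host is listed once.
        sources = sorted({a["src"].split(":")[0] for a in alerts if a["sid"] == sid})
        body.append(f"{n:4d} x sid {sid}: {text} (from {', '.join(sources)})")
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    # Subject carries counts only; untrusted alert text stays in the body.
    msg["Subject"] = f"Snort: {len(alerts)} alerts, {len(counts)} signatures"
    msg.set_content("\n".join(body))
    return msg

# Constructed sample: four alerts arriving at roughly the same time.
SAMPLE = """\
07/31-15:38:01.100001  [**] [1:1000001:1] Example scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40001 -> 198.51.100.5:80
07/31-15:38:01.100092  [**] [1:1000001:1] Example scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40002 -> 198.51.100.5:443
07/31-15:38:01.100145  [**] [1:1000002:3] Example bad request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.77:51515 -> 198.51.100.5:80
07/31-15:38:01.100210  [**] [1:1000001:1] Example scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.11:40003 -> 198.51.100.5:22
"""

if __name__ == "__main__":
    # A real watcher would hand this to smtplib.SMTP(...).send_message(msg)
    # on a timer, in its own process, never from inside the sensor.
    print(build_digest(SAMPLE.splitlines(), "snort@sensor.example", "soc@example.org"))
```

Four alerts produce one process-external mail instead of four blocking `system` calls inside the packet loop.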