[Snort-devel] mailing feature

Mario Ohnewald mario.ohnewald at ...578...
Thu Jul 31 08:41:15 EDT 2003

I didn't think of that.


>-----Original Message-----
>From: snort-devel-admin at lists.sourceforge.net
>[mailto:snort-devel-admin at lists.sourceforge.net]On Behalf Of Erek Adams
>Sent: Thursday, July 31, 2003 3:38 PM
>To: Mario Ohnewald
>Cc: snort-devel at lists.sourceforge.net
>Subject: Re: [Snort-devel] mailing feature
>On Thu, 31 Jul 2003, Mario Ohnewald wrote:
>> Found it!!
>You're really making a mistake by doing that.
>Instead log to syslog or /var/log/alert and have something like Swatch
>handle the checking and sending of emails.  If you don't you're really
>going to create a problem.  Each time you make a call to system, you're
>running the risk of Snort blocking.  From the man page "...returns after
>the command has been completed."  If you have 4 packets that come in at
>roughly the same time, and all 4 packets generate an alert, you'll end up
>with something like this:  Alert1 is generated, system call, creation of
>a new process, execution of the new process, destruction of process,
>control now returns to Snort where Alert2 is about to be generated.  The
>cycle repeats...  Consider the fact that if you are waiting on a system
>call to return, you're not going to be able to sniff packets.
>By all means do what's best for you and your environment.  Just be
>forewarned that you could really hurt yourself by doing it that way.
>Erek Adams
>   "When things get weird, the weird turn pro."   H.S. Thompson
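A watcher in the spirit of the log-file-plus-Swatch setup Erek recommends, as an added example that is not Snort's, Swatch's or either poster's code: it tails a Snort fast-alert file (the line format assumed here is Snort's `-A fast` output; the sample lines are constructed), collects whatever arrives during a window, and sends one message per batch. Snort only ever appends to the file, so a slow or blocked mailer here never stalls packet capture, and a burst of identical alerts costs one e-mail rather than one process each. The log path, SMTP host and addresses are placeholders.

```python
"""Tail a Snort fast-alert file and send one batched notification per window.

Added example (not Snort or Swatch code). Assumes Snort writes alerts in its
"fast" format to ALERT_LOG; sample lines below are constructed for the demo.
"""
import re
import smtplib
import time
from collections import Counter
from email.message import EmailMessage

ALERT_LOG = "/var/log/snort/alert"          # placeholder path

# One line of Snort fast-alert output. Classification and Priority are
# optional, as is the trailing {PROTO} src -> dst part.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:.*?\[Priority:\s*(?P<prio>\d+)\])?"
    r"(?:.*?\{(?P<proto>[A-Z]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+))?"
)

# Constructed sample alerts: two hits of one rule, one of another, one junk line.
SAMPLE_LINES = [
    "07/31-08:41:15.123456  [**] [1:1000001:1] EXAMPLE inbound http probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4242 -> 198.51.100.5:80",
    "07/31-08:41:15.123900  [**] [1:1000001:1] EXAMPLE inbound http probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4243 -> 198.51.100.5:80",
    "07/31-08:41:16.000001  [**] [1:1000002:3] EXAMPLE icmp sweep [**] [Priority: 3] {ICMP} 192.0.2.77 -> 198.51.100.5",
    "not an alert line",
]


def parse_alert(line):
    """Return a dict for one fast-alert line, or None for anything else."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev"):
        a[k] = int(a[k])
    a["prio"] = int(a["prio"]) if a["prio"] else None
    return a


def summarize(alerts):
    """Collapse a batch to {(sid, msg): count}: one line per rule, however many hits."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


def build_report(alerts):
    """Plain-text body for a single notification covering a whole batch."""
    if not alerts:
        return ""
    lines = [f"{len(alerts)} Snort alert(s) in this batch:"]
    for (sid, msg), n in summarize(alerts).most_common():
        lines.append(f"  {n:4d} x sid {sid}: {msg}")
    # Count source hosts without the port so a port-hopping scanner shows once.
    srcs = Counter(a["src"].rsplit(":", 1)[0] for a in alerts if a["src"])
    if srcs:
        lines.append("top sources: " + ", ".join(f"{h} ({n})" for h, n in srcs.most_common(5)))
    return "\n".join(lines)


def send_mail(body, host="localhost", sender="snort@localhost", to="secops@example.invalid"):
    """Hand one message per batch to the local MTA (host and addresses are placeholders)."""
    msg = EmailMessage()
    msg["Subject"] = body.splitlines()[0]
    msg["From"], msg["To"] = sender, to
    msg.set_content(body)
    with smtplib.SMTP(host) as smtp:
        smtp.send_message(msg)


def watch(path=ALERT_LOG, send=send_mail, window=60.0, poll=1.0):
    """tail -f the alert file and flush a batch every `window` seconds.

    Snort never waits on this loop: a slow SMTP server only delays the e-mail,
    not the sniffing. (Log rotation is not handled; reopen on rotate in practice.)
    """
    batch, deadline = [], time.monotonic() + window
    with open(path, errors="replace") as fh:
        fh.seek(0, 2)                        # start at the current end of file
        while True:
            line = fh.readline()
            if line:
                a = parse_alert(line)
                if a:
                    batch.append(a)
            else:
                time.sleep(poll)
            if time.monotonic() >= deadline:
                if batch:
                    send(build_report(batch))
                    batch = []
                deadline = time.monotonic() + window


def demo():
    """Run the parser and report builder over the constructed sample lines."""
    alerts = [a for a in map(parse_alert, SAMPLE_LINES) if a]
    return build_report(alerts)


if __name__ == "__main__":
    print(demo())
```

Run it as `python watcher.py` to see the batched report for the sample lines; replacing `demo()` with `watch()` turns it into the long-running notifier. Swatch does the same job with a throttle directive per pattern; the batching window here plays that role, and the point either way is that the synchronous wait for the mailer happens in a separate process, not inside the packet loop.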
