[Snort-users] SnortSnarf v072700.1

James Hoagland hoagland at ...47...
Thu Jul 27 14:42:44 EDT 2000


I have made a few easy changes to SnortSnarf and have packaged up a 
new release, so...

Silicon Defense is pleased to announce the release of version 
072700.1 of SnortSnarf, our tool to assist browsing through Snort 
alerts, investigating them, and following up on them.  Here are the 
changes since the last version:

+ added capacity for annotations about networks and pages about IP addresses
have a link to view/add annotations for their /16 and /24 networks
+ when an alert set is created in SISR, annotations noting this are
automatically added with the source IPs and source networks in the set
   + this is an aid in checking for earlier activity from the same host or
   + new module to do this included in distr. and added to sisr_modlist
   + new config file parameter (ann-db-loc) documented in README.SISR
+ clearing the output directory now uses Perl routines rather than system
commands and only clears files that look like ones it created in an earlier run;
this allows people to keep, e.g., .htaccess, files in the directory
+ random access to annotations now available from a form at the bottom of
the main page
+ bug fix: spp_portscan lines now filtered from syslog input files

You can pick up the distribution and read more at:


BTW, Kevin's link problems are caused by his version of Snort using 
lower case for protocol names (rather than all upper case which the 
latest code seems to enforce).  I assume that when he updates from 
version to the latest version that that will be solved.


|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*  Voice: (707) 445-4355 x13          Fax: (707) 826-7571  *|
