[Snort-users] Snort XML Output

Joe McAlerney joey at ...47...
Tue Jun 5 13:22:05 EDT 2001


Hello Jason,

"Jason M. Frey" wrote:
> 
> Trying to determine the best management methods for
> logs and alerts.  Can anyone offer some advice on the
> following methods/tools?
> 
> XML Output?

Very customizable.  You can take advantage of a number of XML-enabled
tools out there.  Alerts can be transported over a secure connection.
There is more information in the README.xml file.

> ACID?

Real time viewing of events.  PHP front end to a database.  Alert
management.  Detailed searching options.  Graphing of alert groups (one
of my favorites).  Support for multiple Snort sensors.  Quick links to a
breakdown by protocol, alert, address, time.  See the following link for
more information:  http://www.cert.org/kb/acid/

> SnortSnarf?

Parses Snort alert files into HTML pages.  Multiple sorting options. 
Displays the original rule that triggered the alert.  This is helpful in
determining whether or not an alert is a false positive.  Annotations
support.  SPADE anomaly detection section.  Incident storage and
response.

> logs - tcpdump vs. full

tcpdump - Greatly reduces the chance of packets being dropped.  Can be
re-read into Snort and output again in another format (XML, Database,
Full alert, etc.).

full - The files are instantly produced in a format that is parseable by
SnortSnarf, or other log file parsers.  This format is often nice to
archive using tar with compression.

My 2 cents,

-Joe M.

-- 
|   Joe McAlerney     joey at ...155...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+
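The "full" alert format Joe mentions as the input SnortSnarf parses is what the following added example reads; it is not code from the post or from Snort/SnortSnarf. The record layout (a `[**]` header line, a classification/priority line, a timestamp-and-addresses line, a protocol line) is assumed from Snort's full alert output, and the sample records are constructed.

```python
import re
from collections import Counter

# Constructed sample records; layout assumed from Snort's "full" alert format.
SAMPLE_ALERTS = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/05-13:22:05.123456 192.0.2.10 -> 198.51.100.5
ICMP TTL:44 TOS:0x0 ID:1 IpLen:20 DgmLen:28

[**] [1:1418:2] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/05-13:22:07.654321 192.0.2.10:4231 -> 198.51.100.5:161
TCP TTL:44 TOS:0x0 ID:2 IpLen:20 DgmLen:44

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/05-13:22:09.000001 192.0.2.11 -> 198.51.100.5
ICMP TTL:44 TOS:0x0 ID:3 IpLen:20 DgmLen:28
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
ADDR_RE = re.compile(r"^(\S+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
PROTO_RE = re.compile(r"^(\w+) TTL:(\d+)")

def parse_full_alerts(text):
    """Split a full-format alert file into one dict per alert record."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = [ln.rstrip() for ln in block.splitlines()]
        if len(lines) < 4:
            continue
        h, c, a, p = (HEADER_RE.match(lines[0]), CLASS_RE.match(lines[1]),
                      ADDR_RE.match(lines[2]), PROTO_RE.match(lines[3]))
        if not (h and c and a and p):
            continue  # skip records that do not follow the expected layout
        alerts.append({
            "sid": ":".join(h.group(1, 2, 3)), "msg": h.group(4),
            "classification": c.group(1), "priority": int(c.group(2)),
            "timestamp": a.group(1), "proto": p.group(1),
            "src": a.group(2), "sport": a.group(3),
            "dst": a.group(4), "dport": a.group(5),
        })
    return alerts

def breakdown(alerts, field):
    """Count alerts by one field: the per-signature/per-address summary ACID and SnortSnarf show."""
    return Counter(rec[field] for rec in alerts)
```

Ports are absent for ICMP records, so `sport`/`dport` come back as `None` there rather than breaking the parse.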