[Snort-users] Snort XML Output
joey at ...47...
Tue Jun 5 13:22:05 EDT 2001
"Jason M. Frey" wrote:
> Trying to determine the best management methods for
> logs and alerts. Can anyone offer some advice on the
> following methods/tools?
> XML Output?
Very customizable. You can take advantage of a number of XML-enabled
tools out there. Alerts can be transported over a secure connection.
There is more information in the README.xml file.

Real-time viewing of events. PHP front end to a database. Alert
management. Detailed searching options. Graphing of alert groups (one
of my favorites). Support for multiple Snort sensors. Quick links to a
breakdown by protocol, alert, address, time. See the following link for
more information: http://www.cert.org/kb/acid/

Parses Snort alert files into HTML pages. Multiple sorting options.
Displays the original rule that triggered the alert. This is helpful in
determining whether or not an alert is a false positive. Annotations
support. SPADE anomaly detection section. Incident storage and
> logs - tcpdump vs. full
tcpdump - Greatly reduces the chance of packets being dropped. Can be
re-read into Snort and output again in another format (XML, Database,
Full alert, etc.).
full - The files are instantly produced in a format that is parseable by
SnortSnarf, or other log file parsers. This format is often nice to
archive using tar with compression.
My 2 cents,
| Joe McAlerney joey at ...155... |
| Silicon Defense - Technical Support for Snort |
| http://www.silicondefense.com/ |
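The "full" alert format the reply describes as parseable by SnortSnarf, and the per-signature, per-protocol and per-address breakdowns it credits ACID with, as an added Python example that is not part of the original thread nor code from Snort, ACID or SnortSnarf: a parser for Snort full-alert records plus the summary counts those tools present. The alert records are constructed for this example in the Snort 1.x full-alert layout (rule header, classification line, timestamp with endpoints, protocol line, optional Xref lines) and include one truncated record to show how a parser should treat a file cut off mid-write; the field names and helper functions are this example's own.

```python
"""Parse Snort 'full' alert records and build ACID/SnortSnarf-style breakdowns.
Added example; not code from the thread or from Snort, ACID or SnortSnarf.
"""
import re
from collections import Counter

# Constructed sample alert file: three complete records plus one truncated
# record of the kind left behind when the file is rotated mid-write.
SAMPLE_ALERTS = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/05-13:22:05.123456 10.0.0.1 -> 10.0.0.2
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:28
Type:8  Code:0  ID:1234   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [1:886:2] WEB-CGI phf access [**]
[Classification: Web Application Attack] [Priority: 1]
06/05-13:22:07.000001 192.168.1.50:2049 -> 10.0.0.2:80
TCP TTL:128 TOS:0x0 ID:3345 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7A8B  Win: 0x4000  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0067]

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/05-13:22:09.500000 10.0.0.1 -> 10.0.0.3
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:28
Type:8  Code:0  ID:1234   Seq:1  ECHO

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+)")
XREF_RE = re.compile(r"^\[Xref => (.+?)\]$")


def split_endpoint(endpoint):
    """'10.0.0.2:80' -> ('10.0.0.2', 80); ICMP endpoints have no port -> None."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, None
    return host, int(port)


def parse_record(lines):
    """Parse one record; None if malformed or truncated (no packet/protocol line)."""
    header = HEADER_RE.match(lines[0]) if lines else None
    if not header:
        return None
    alert = {"gid": int(header.group(1)), "sid": int(header.group(2)),
             "rev": int(header.group(3)), "msg": header.group(4),
             "classification": None, "priority": None, "xrefs": []}
    for line in lines[1:]:
        m = CLASS_RE.match(line)
        if m:
            alert["classification"], alert["priority"] = m.group(1), int(m.group(2))
            continue
        m = PACKET_RE.match(line)
        if m:
            alert["timestamp"] = m.group(1)
            alert["src"], alert["sport"] = split_endpoint(m.group(2))
            alert["dst"], alert["dport"] = split_endpoint(m.group(3))
            continue
        m = PROTO_RE.match(line)
        if m:
            alert["proto"], alert["ttl"] = m.group(1), int(m.group(2))
            continue
        m = XREF_RE.match(line)
        if m:
            alert["xrefs"].append(m.group(1))
        # Protocol detail lines (ICMP type/code, TCP flags/seq) are not needed here.
    if "timestamp" not in alert or "proto" not in alert:
        return None  # truncated record: reject it rather than emit a half-filled alert
    return alert


def parse_alert_file(text):
    """Split a full-alert file on blank lines and parse every record.
    Returns (alerts, skipped); skipped counts malformed or truncated records."""
    alerts, skipped = [], 0
    for block in re.split(r"\n\s*\n", text.strip()):
        alert = parse_record(block.splitlines())
        if alert is None:
            skipped += 1
        else:
            alerts.append(alert)
    return alerts, skipped


def summarize(alerts):
    """Breakdowns of the kind ACID and SnortSnarf show: signature, protocol, address, priority."""
    return {
        "by_signature": Counter(a["msg"] for a in alerts),
        "by_protocol": Counter(a["proto"] for a in alerts),
        "by_source": Counter(a["src"] for a in alerts),
        "by_destination": Counter(a["dst"] for a in alerts),
        "by_priority": Counter(a["priority"] for a in alerts),
    }


if __name__ == "__main__":
    parsed, skipped = parse_alert_file(SAMPLE_ALERTS)
    print(f"{len(parsed)} alerts parsed, {skipped} truncated record(s) skipped")
    print(summarize(parsed)["by_signature"].most_common())
```

Run against a real alert file with `parse_alert_file(open("alert").read())`. The skipped count matters in practice: an alert file rotated while Snort is writing usually ends in a partial record, and a parser that silently half-fills it would report an alert with no source, destination or protocol, which is exactly the kind of entry that confuses a false-positive review.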