[Snort-users] File locking in 1.7

Brent Erickson erickson at ...239...
Sat Mar 3 15:13:27 EST 2001

Hello all,

We run two Snort 1.7 systems on NT in our DMZ with possible fall back to
version 1.6.3. One system is configured from the command line to run alerts
to the event viewer and no logging except port scans. A third party program
e-mails the alerts in real time which we check, respond to if necessary, and
keep up with around the clock at work or at home. The second system which
runs an almost identical rule set does alert logging and as Mike Davis said,
we copy the alert and individual host file logs to another system's desk top
for analysis if we need more info concerning an alert.

The second system also functions as a Snort backup and is further used to
test new rules without placing the main Snort alert system at risk.

Both Snort systems are totally isolated from all incoming IP that could be
addressed to them no matter what flags are set by an outer firewall and an
inner firewall egress filter insures only two addresses can access them from
our internal network.

This setup works very well for real time IDS and believe it or not, Snort
runs very reliably on NT. No NT crashes since last July when we began using
Snort in our DMZ. Previously we used Snort on two Linux systems in our
server farms and still do.

Mike did an exceptional job with the original Windows port and the
subsequent  rewrite of Snort 1.7.

And Marty and the entire Snort community provide such a responsive and
excellent level of support that commercial companys can only dream about.

Brent Erickson

----- Original Message -----
From: "Michael Davis" <mike at ...92...>
To: "Burleson, Lee (IA)" <Lee.Burleson at ...1358...>; "Snort-Users
(E-mail)" <snort-users at lists.sourceforge.net>
Sent: Saturday, March 03, 2001 6:23 PM
Subject: Re: [Snort-users] File locking in 1.7

> Hash: SHA1
> > Am I missing something with the event log functionality?  I didn't
> > see it as a viable method for large logs.
> I like the event logging because there are many other utilities to
> analyze the event log and generate alert reponses(i.e send you a page
> or an email etc).
> You can also you the remote syslog facility and log things to a
> remote syslog server.
> > > The file locking is a Windows problem not a snort problem.
> > How is that, when 1.6.3 did not lock the logs?  Not saying you're
> > wrong, just wondering about the technical details.  :)
> 1.6.3 opened and closed the alert file every time an alert was
> generated. This is a waste of resources and time. In 1.7 the alert
> file is opened once and a file descriptor is passed around. Less time
> and resources are wasted. Win32 locks files from being read if they
> are in use by another program. The only way to combat this is by
> copying the file and then reading it.
> Hope that helps ;)
> Michael Davis
> Chief Technical Officer
> Data Nerds, LLC.
> http://www.datanerds.net
> Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
> iQA/AwUBOqGnM/iUqZ9dnoKsEQIQMACg5APO5kBqsbRR8KfoKLyJ4QxhM0oAnRKp
> kRu1YE23IiqkvD77VWsiMBtd
> =IXJz
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users

More information about the Snort-users mailing list