[Snort-users] Snort alerts

Martin Roesch roesch at ...421...
Mon Mar 26 20:30:51 EST 2001


Hi Siddhartha,
     Try logging in binary mode and then post-processin the logged bin
files to extract the data logs you're interested in.  Something like
this at the command line:

./snort -c snort.conf -l ../log -b -A fast -D

This will log the full packets that set off alerts into a single file
and give you more condensed/critical information in the alert file.  You
should also tune your rule set and turn off any rules that you're not
interested in (most ICMP traffic, services you're not running, etc).

    -Marty

Siddhartha Jain wrote:
> 
> Hi,
> 
> I run snort this way :-
> ./snort -D -de -C -i hme1 -l ../log -c ../conf/snort.conf
> 
> This produces alerts by truck-loads but i think i need to capture packets so
> i can see the content. Is there a way to configure alerts so that snort
> writes a single alert for attack signature from a particular IP to a
> particular IP? That would mean that if x.x.x.x sends 2000 packets to y.y.y.y
> containing an attack signature, snort would write only a single line in some
> file for the first packet containing the signature and the rest of them will
> be ignored or logged somewhere else. This way i can read the shorter file
> and generate paging messages from it. Right now, with the number of alerts
> generated it seems impossible to do send pages or mails to do (almost)
> realtime alerting.
> 
> Siddhartha
> 
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org




More information about the Snort-users mailing list