[Snort-users] basic snort questions

polypterus polypterus at ...3827...
Tue Oct 16 02:45:14 EDT 2001

I recommend you to use "snortsnarf" or "ACID".
They need much memory but work well.

See here;

On Mon, 15 Oct 2001 17:31:54 -0500
"snortlst snortlst" <snortlst at ...125...> wrote:

> 1. I run snort in NDIS mode using default log settings (everything is logged
> to /var/snort/log directory)
> In this directory I see directories corresponding to ip addresses, arp file
> and alert file.
> Q: Is alert file a consolidated storage of alerts received from all
> workstations? (or should I go to each workstation directory to see what
> alerts are logged here?)
> 2. Is there any good viewer for alerts logged into /var/log/snort? Some
> web-based interface that can show in real-time which alerts are logged?


More information about the Snort-users mailing list