[Snort-users] Pig Sentry program

brandon at ...3618...
Wed Sep 26 15:54:01 EDT 2001

I just knocked off a program this morning, something other people may
be interested in.  Most other utilities I have seen are for
after-the-fact reporting, but not for real-time alerts.  In addition,
on a sizeable site you do not want to pipe your real-time alerts into
a notification system because you'd be flooded within seconds.  Enter
Pig Sentry... 

Pig Sentry is for real-time alerts, without getting spammed. It is
intended for a high volume of alerts (on the site it was implemented
for, we see 200,000 to 300,000 alerts a day).

The way Pig Sentry works is it maintains a state table of recent
alerts. It will send a notice if there is a new alert, or if there is
an increase in the general trend or pattern of existing alerts. The
trend notification is fairly configurable. It also expires alerts
after there has been no activity with them, for a while.

Pig Sentry also checkpoints its state information to a file
periodically and when it exits, and this same state store file is
loaded when it starts up, so it can easily be rolled into a log
rotation mechanism. The store file is not horribly readable, but is
somewhat useful to peek at if you are interested to know the current
profile of alerts on your site.

It is written in perl, works against snort 1.8.1-release alerts with
full output.  Full information:
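As an added illustration of the state-table approach described in the post (example code written for this page, not Brandon's Perl program), the following Python sketch parses the header line of Snort 1.8 full-format alerts, sends a notice the first time a signature is seen or when a window's count exceeds the previous window by a configurable factor, expires idle entries, and checkpoints its table to a JSON file. The window, expiry and trend-factor defaults and the sample alert line are assumed values constructed for the example.

```python
import json
import re

# First line of a Snort 1.8 "full" alert, e.g. (constructed sample):
# "[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]"
HEADER = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.*?) \[\*\*\]$")


class PigSentry:
    """State table of recent alerts: notice on a new signature, or when the
    current window's count exceeds the previous window's by trend_factor."""

    def __init__(self, window=300, expire=3600, trend_factor=2.0):
        self.window, self.expire, self.trend_factor = window, expire, trend_factor
        self.table = {}  # sig id -> {msg, last, win_start, cur, prev}

    def feed(self, line, now):
        """Feed one alert line (epoch seconds); return a notice string or None."""
        m = HEADER.match(line)
        if not m:
            return None  # continuation lines of the alert carry no new state
        sid, msg = m.groups()
        ent = self.table.get(sid)
        if ent is None:
            self.table[sid] = {"msg": msg, "last": now, "win_start": now, "cur": 1, "prev": 0}
            return f"NEW {sid} {msg}"
        ent["last"] = now
        gap = now - ent["win_start"]
        if gap >= self.window:  # roll the counting window
            # the old count is a baseline only if the windows are adjacent
            ent["prev"] = ent["cur"] if gap < 2 * self.window else 0
            ent["cur"], ent["win_start"] = 0, now
        ent["cur"] += 1
        # fire exactly once per window, at the moment the threshold is crossed
        if ent["prev"] and ent["cur"] == int(ent["prev"] * self.trend_factor) + 1:
            return f"TREND {sid} {msg}: {ent['cur']} vs {ent['prev']} in previous window"
        return None

    def expire_idle(self, now):
        """Drop signatures with no activity for `expire` seconds; return their ids."""
        dead = [s for s, e in self.table.items() if now - e["last"] > self.expire]
        for s in dead:
            del self.table[s]
        return dead

    def checkpoint(self, path):
        """Write the state table so it survives a restart or log rotation."""
        with open(path, "w") as f:
            json.dump(self.table, f)

    def load(self, path):
        with open(path) as f:
            self.table = json.load(f)
```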
