[Snort-users] Snort Snarf

James Hoagland hoagland at ...47...
Thu Feb 21 17:27:08 EST 2002

At 2:52 PM -0800 2/21/02, Scott Taylor wrote:
>If that's true....then it could be hours before
>you know you've been hacked on?

SnortSnarf is not currently designed for real-time monitoring.  (With 
some amount of work it could be made so.)

If you are concerned about immediate notification of attacks, you 
might set up logwatch or similar to send you e-mail or page you about 
some high priority event.  Then use SnortSnarf every day or every 
couple hours or whatever to look over all your alerts.

It all depends on what your needs are.  For example, are you going to 
have someone looking at the alerts 24/7?

In the interest of fairness, I will also mention ACID and PureSecure, 
which are designed for real-time monitoring.

>  Or if you rotate the files will
>you lose info? Does snortsnarf when run just
>add the info to the already existing files in
>the html area or does it replace them
>completely, so everything not in the log's at
>the time it's run will not be shown on the
>updated page?

Each run of SnortSnarf is independent.  The destination directory is 
not inspected until the output phase at which point it is cleared.

Best regards,


|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...47..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
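
The "logwatch or similar" notification step suggested above, as an added example that is not part of the original message and is not SnortSnarf or logwatch code: a filter meant to be run from cron that reports only high-priority alerts appended since its last run and starts over when the alert file has been rotated. It assumes Snort's one-line "fast" alert format; the function names, the offset state file and the sample alerts are hypothetical and constructed for illustration.

```python
import os, re, tempfile

# Snort "fast" alert line: time [**] [gid:sid:rev] msg [**] ... [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

def new_high_priority(alert_path, state_path, max_priority=1):
    """Return alerts with priority <= max_priority appended since the previous call."""
    offset = 0
    if os.path.exists(state_path):
        with open(state_path) as fh:
            offset = int(fh.read().strip() or 0)
    if os.path.getsize(alert_path) < offset:
        offset = 0  # file was rotated or truncated since the last run: start over
    hits = []
    with open(alert_path, "rb") as fh:
        fh.seek(offset)
        for raw in fh:
            if not raw.endswith(b"\n"):
                break  # partial line still being written; pick it up next run
            offset += len(raw)
            m = ALERT_RE.match(raw.decode("utf-8", "replace"))
            if m and int(m["prio"]) <= max_priority:
                hits.append(m.groupdict())
    with open(state_path, "w") as fh:
        fh.write(str(offset))
    return hits

def format_notice(hits):
    """Body of the e-mail or page; delivery is left to cron and the local mailer."""
    return "\n".join(f"{h['ts']} prio={h['prio']} {h['msg']} {h['src']} -> {h['dst']}" for h in hits)

# Constructed sample alerts: documentation addresses and made-up rule ids.
SAMPLE = (
    "02/21-17:20:01.000001  [**] [1:1000001:1] EXAMPLE admin access attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 192.0.2.10:4321 -> 198.51.100.5:80\n"
    "02/21-17:20:05.000002  [**] [1:1000002:1] EXAMPLE ping sweep [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.11 -> 198.51.100.5\n"
)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        alerts, state = os.path.join(d, "alert"), os.path.join(d, "alert.offset")
        with open(alerts, "w") as fh:
            fh.write(SAMPLE)
        print(format_notice(new_high_priority(alerts, state)))
```

Rotation is detected only by the file having become shorter than the saved offset, so a rotated file that has already grown past that offset before the next run would be read from the wrong position; running the filter more often than the rotation interval avoids this.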
