[Snort-users] Snort Snarf
hoagland at ...47...
Thu Feb 21 17:27:08 EST 2002
At 2:52 PM -0800 2/21/02, Scott Taylor wrote:
>If that's true....then it could be hours before
>you know you've been hacked on?
SnortSnarf is not currently designed for real-time monitoring. (With
some amount of work it could be made so.)
If you are concerned about immediate notification of attacks, you
might set up logwatch or similar to send you e-mail or page you about
some high priority event. Then use SnortSnarf every day or every
couple hours or whatever to look over all your alerts.
It all depends on what your needs are. For example, are you going to
have someone looking at the alerts 24/7?
In the interest of fairness, I will also mention ACID and PureSecure,
which are designed for real-time monitoring.
>Or if you rotate the files will
>you lose info? Does SnortSnarf when run just
>add the info to the already existing files in
>the html area or does it replace them
>completely, so everything not in the log's at
>the time it's run will not be shown on the
Each run of SnortSnarf is independent. The destination directory is
not inspected until the output phase at which point it is cleared.
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland at ...47..., http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
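An added example of the "logwatch or similar" approach Jim describes, written for this page and not code from the thread, from SnortSnarf or from Silicon Defense. It is a small Python script meant to be run from cron every few minutes: it reads Snort's fast-format alert file, keeps a byte offset in a state file so each alert is reported once, restarts from the beginning when the file has been rotated (the file is smaller than the saved offset), and returns the text you would hand to `mail` or a pager. The alert lines, file names and the priority threshold are constructed assumptions; only the Snort fast alert line layout is real.

```python
"""Cron-driven notifier for high-priority Snort alerts (added example, not from the page)."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Snort "fast" alert line, e.g. (constructed sample):
# 02/21-14:52:00.123456  [**] [1:498:3] ATTACK RESPONSES id check returned root [**]
#   [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 10.0.0.5:80 -> 192.168.1.10:34567
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"(?:\s+\{(?P<proto>[^}]+)\})?"
    r"\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


@dataclass
class Alert:
    ts: str
    sid: str       # "gid:sid:rev"
    msg: str
    priority: int  # Snort priority: 1 is the most severe
    src: str
    dst: str


def parse_fast_alert(line: str) -> Optional[Alert]:
    """Parse one fast-format line; None for lines that are not alerts."""
    m = FAST_ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return Alert(m["ts"], f'{m["gid"]}:{m["sid"]}:{m["rev"]}', m["msg"],
                 int(m["prio"]), m["src"], m["dst"])


def urgent_alerts(lines: List[str], max_priority: int = 1) -> List[Alert]:
    """Keep alerts whose priority is <= max_priority (assumed threshold: 1)."""
    parsed = (parse_fast_alert(line) for line in lines)
    return [a for a in parsed if a is not None and a.priority <= max_priority]


def format_notification(alerts: List[Alert]) -> str:
    """One line per alert; short enough for a pager message."""
    out = [f"{len(alerts)} high-priority Snort alert(s):"]
    for a in alerts:
        out.append(f"{a.ts} [{a.sid}] P{a.priority} {a.msg} {a.src} -> {a.dst}")
    return "\n".join(out)


def load_offset(state_path: str) -> int:
    """Byte offset reached by the previous run; 0 if there is no usable state file."""
    try:
        with open(state_path) as f:
            return int(f.read().strip() or 0)
    except (FileNotFoundError, ValueError):
        return 0


def run_once(alert_path: str, state_path: str, max_priority: int = 1) -> Optional[str]:
    """Report alerts appended since the last run; None when there is nothing to send."""
    offset = load_offset(state_path)
    size = os.path.getsize(alert_path) if os.path.exists(alert_path) else 0
    if size < offset:
        offset = 0  # file shrank: logrotate replaced it, start from the top
    with open(alert_path, "rb") as f:
        f.seek(offset)
        data = f.read().decode("utf-8", "replace")
        new_offset = f.tell()
    with open(state_path, "w") as f:
        f.write(str(new_offset))
    hits = urgent_alerts(data.splitlines(), max_priority)
    return format_notification(hits) if hits else None


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Three runs over a constructed alert file: new alerts, nothing new, after rotation."""
    sample = (
        "02/21-14:52:00.123456  [**] [1:498:3] ATTACK RESPONSES id check returned root [**] "
        "[Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 10.0.0.5:80 -> 192.168.1.10:34567\n"
        "02/21-14:52:01.000000  [**] [1:384:5] ICMP PING [**] "
        "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 10.0.0.5\n"
        "a line that is not an alert at all\n"
    )
    d = tempfile.mkdtemp()
    alert, state = os.path.join(d, "alert"), os.path.join(d, "alert.offset")
    with open(alert, "w") as f:
        f.write(sample)
    first = run_once(alert, state)   # the priority-1 alert is reported, ICMP PING is not
    second = run_once(alert, state)  # nothing appended since: None
    with open(alert, "w") as f:      # simulate logrotate: a new, shorter file
        f.write("02/21-15:00:00.000000  [**] [1:1:1] test [**] [Priority: 1] {UDP} 1.2.3.4:53 -> 5.6.7.8:53\n")
    third = run_once(alert, state)   # offset reset, the new alert is reported
    return first, second, third


if __name__ == "__main__":
    for text in demo():
        print(text if text is not None else "(nothing to send)")
```

In production the two paths would be the real `alert` file and a writable state file, and the returned text would be piped to `mail` or a paging gateway from the cron job; SnortSnarf would still be run separately over the whole file (and any rotated copies) for the daily review, since this script only ever looks at what was appended since its last run.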