[Snort-users] Future features???

counter.spy at ...348...
Sun May 12 02:33:01 EDT 2002


Paul, I am not sure about this, but I think from the name they gave this tool (analysis console for intrusion databases) it is intended for forensic analysis rather than for alerting purposes. I doubt that realtime alerts will be added to this tool (but who knows...).

However, ACID is not very far from being a realtime alerting tool anyway, because the page refreshes every few seconds and shows you if there are new alerts in the alert cache.

Okay, maybe this is not exactly what you are looking for, but I've found that the realtime alerting tool of another IDS that I have tested, which was really designed to be a realtime alerting tool, is not as useful as it could be, i.e. during periods of high activity the event tree is refreshing all the time, so you are no longer able to select and drill down properly - the events "slip away" under the mouse cursor. In the realtime windows the events are floating by with such speed that picking out a certain event and clicking on it is rather difficult. Would you like to stare at such a window all day long?

Thus I prefer ACID over this tool _that_shall_not_be_named_ ;-)

But I agree that we probably all need a really good realtime alerting tool as an addition to ACID.
 
A hint for all developers or potential developers of such tools, free or commercial (hi Marty, wink, wink, aren't you working on such a tool for your commercial Snort appliances? ;-) ):
It would be great if you would include a feature that allows the user to "freeze" the realtime output in order to be able to view or select certain events even during high-activity periods (without stopping collection of events in the background). Aggregation of events of the same kind under one single event would be useful, too. Instead of letting all events float over the screen you should only increment a counter, e.g. for portscans, and then show a table or matrix of events which maps events to src and dst addresses and ports.

Just my 0.0001 cents.

Paul.Fiero at ...5820... writes:

>I was curious to know if anyone had heard anything about potential for real
>time alerts being available in future versions of ACID.  I am in dire need
>of the facility and would love to see this feature added.


Greetings, 
Detmar

-- 
GMX - The communication platform on the Internet.
http://www.gmx.net
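The "freeze" and aggregation behaviour suggested in the message above, as an added example that is not part of the original post, of ACID, or of Snort: a small Python aggregator that counts alerts of the same signature per src/dst/port (one row per kind instead of one row per packet) and can snapshot its view while ingestion keeps counting in the background. The input line format is assumed to be Snort's alert_fast output; the sample alert lines are constructed for the example, not captured traffic.

```python
import re
from collections import defaultdict
from threading import Lock

# Line format assumed to be Snort's "alert_fast" output (assumption; adjust the
# regex if your Snort version prints the fields differently).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (not real traffic), in the assumed alert_fast format.
SAMPLE_ALERTS = [
    "05/12-02:33:01.100000  [**] [1:469:1] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.1.5 -> 10.1.1.20",
    "05/12-02:33:01.200000  [**] [1:469:1] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.1.5 -> 10.1.1.20",
    "05/12-02:33:01.300000  [**] [1:469:1] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.1.5 -> 10.1.1.21",
    "05/12-02:33:02.000000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.7:3310 -> 10.1.1.20:80",
    "this line is not an alert and must be ignored",
]


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for f in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[f] = int(d[f]) if d[f] is not None else None
    return d


class AlertAggregator:
    """Counts events of the same kind (signature, proto, src, dst, dport) instead
    of listing every event. freeze() pins the displayed view while ingest()
    keeps counting in the background; unfreeze() returns to the live counts."""

    def __init__(self):
        self._lock = Lock()
        self._counts = defaultdict(int)
        self._frozen = None  # snapshot shown while frozen, else None

    def ingest(self, line):
        ev = parse_alert(line)
        if ev is None:
            return False
        key = (ev["sid"], ev["msg"], ev["proto"], ev["src"], ev["dst"], ev["dport"])
        with self._lock:
            self._counts[key] += 1  # collection never stops, frozen or not
        return True

    def freeze(self):
        with self._lock:
            self._frozen = dict(self._counts)

    def unfreeze(self):
        with self._lock:
            self._frozen = None

    def view(self):
        """Rows of (key, count), busiest first; the frozen snapshot if frozen."""
        with self._lock:
            source = self._frozen if self._frozen is not None else self._counts
            rows = list(source.items())
        rows.sort(key=lambda r: (-r[1], str(r[0])))
        return rows


def render_table(rows):
    """Matrix of aggregated events: count, signature, src -> dst:dport."""
    out = ["count  sid    signature                 proto  src -> dst:dport"]
    for (sid, msg, proto, src, dst, dport), n in rows:
        target = f"{dst}:{dport}" if dport is not None else dst
        out.append(f"{n:5d}  {sid:<6} {msg[:25]:<25} {proto:<5}  {src} -> {target}")
    return "\n".join(out)


if __name__ == "__main__":
    agg = AlertAggregator()
    for line in SAMPLE_ALERTS:
        agg.ingest(line)
    agg.freeze()                    # operator pins the view to drill down
    agg.ingest(SAMPLE_ALERTS[0])    # still counted while frozen
    print("frozen view:\n" + render_table(agg.view()))
    agg.unfreeze()
    print("\nlive view:\n" + render_table(agg.view()))
```

The key deliberately omits the source port and the timestamp: a port scan or a repeated probe from one host then collapses to one row with a rising counter, which is the matrix the post asks for, while the frozen snapshot lets an operator click on a row without it moving underneath the cursor.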