[Snort-users] How do you deal with large 'alert' files?

Vieth, Scott svieth at ...6966...
Thu Sep 26 08:41:02 EDT 2002


We've had some problems with Denial of Service attacks lately.  The machines
running the attack are on our inside network and they're attacking sites on
the Internet.  The Snort signature "DDOS shaft synflood" triggers like mad
when the DOS is running.  This makes my alert file get very large, very
quickly.  I'm happy that Snort sees the traffic and SnortSnarf generates a
cool HTML report to show us which system on our network is doing the
attacking.  But sometimes the alert file gets so big (I roll my alert file
every day at midnight) that SnortSnarf can't process it.

How do Snort users deal with this?

If I routed the output of Snort into a database and then used ACID to run
reports, would that solve this problem?

Thanks in advance for any help,

-Scott Vieth

p.s. We've already patched the systems that were hacked so any
ne'er-do-wells who read the Snort list and think that they should start
probing our address range will be wasting their time.  :^)
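One way to keep a report readable when a single signature fires hundreds of thousands of times is to condense the alert file before handing it to a report tool: count alerts per signature and per source address instead of listing every packet. The script below is an added example for this thread (not the poster's code and not part of Snort or SnortSnarf). It assumes Snort was run with the one-line `output alert_fast` format rather than the multi-line full alert format, and the sample alert lines embedded in it are constructed: the sid numbers and addresses are placeholders, not taken from a real sensor.

```python
"""Condense a Snort 'alert_fast' file into a per-signature, per-source summary.

Added example for the Snort-users thread on large alert files; not code from
the poster or from the Snort project. Assumes the one-line 'output alert_fast'
layout. The sample alerts below are constructed; sids and addresses are
placeholders.
"""
import sys
from collections import defaultdict
import re

# Assumed 'alert_fast' line layout:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: N] {PROTO} src[:port] -> dst[:port]
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: one inside host flooding an outside address, a second
# host joining in, one unrelated alert, and one line the parser cannot read.
SAMPLE_ALERTS = """\
09/26-08:41:02.100001  [**] [1:241:2] DDOS shaft synflood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.1.2.3:1024 -> 192.0.2.10:80
09/26-08:41:02.100045  [**] [1:241:2] DDOS shaft synflood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.1.2.3:1025 -> 192.0.2.10:80
09/26-08:41:02.100090  [**] [1:241:2] DDOS shaft synflood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.1.2.7:2000 -> 192.0.2.10:80
09/26-08:41:02.100130  [**] [1:241:2] DDOS shaft synflood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.1.2.3:1026 -> 192.0.2.10:80
09/26-08:41:03.000001  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.2.3 -> 192.0.2.10
09/26-08:41:05.250000  [**] [1:241:2] DDOS shaft synflood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.1.2.7:2001 -> 192.0.2.10:80
09/26-08:41:09.999999  [**] [1:241:2] DDOS shaft synflood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.1.2.3:1027 -> 192.0.2.10:80
this line is not an alert and should be counted as unparsed
"""


def parse_fast_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if it does not match."""
    m = FAST_ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines, top=10):
    """Collapse alert lines into (msg, src, count, first_ts, last_ts) rows.

    Rows are sorted by count, descending, and truncated to the top N, so a
    flood that produced a million lines becomes one row per attacking host.
    Returns (rows, number_of_unparsed_lines).
    """
    stats = defaultdict(lambda: [0, None, None])  # count, first seen, last seen
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_fast_alert(line)
        if rec is None:
            unparsed += 1
            continue
        entry = stats[(rec["msg"], rec["src"])]
        entry[0] += 1
        if entry[1] is None:
            entry[1] = rec["ts"]
        entry[2] = rec["ts"]
    rows = sorted(
        ((msg, src, n, first, last) for (msg, src), (n, first, last) in stats.items()),
        key=lambda r: r[2],
        reverse=True,
    )
    return rows[:top], unparsed


def format_summary(rows, unparsed):
    """Render the summary rows as plain text, one line per signature/source pair."""
    out = ["%8s  %-15s  %-30s  %s .. %s" % ("count", "source", "signature", "first", "last")]
    for msg, src, n, first, last in rows:
        out.append("%8d  %-15s  %-30s  %s .. %s" % (n, src, msg[:30], first, last))
    out.append("%d line(s) could not be parsed" % unparsed)
    return "\n".join(out)


def main():
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", errors="replace") as fh:
            rows, unparsed = summarize(fh)
    else:
        rows, unparsed = summarize(SAMPLE_ALERTS.splitlines())
    print(format_summary(rows, unparsed))


if __name__ == "__main__":
    main()
```

Run it as `python condense_alerts.py /var/log/snort/alert` (any path; the file is read line by line, so it never needs to fit in memory) or with no argument to see the constructed sample condensed to three rows. If the sensor writes the multi-line full alert format that SnortSnarf reads, the same counting idea applies, but the parser would have to join the lines of each alert before matching.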
