[Snort-users] How do you deal with large 'alert' files?

Martin Roesch roesch at ...1935...
Thu Sep 26 12:09:22 EDT 2002


On 9/26/02 11:38 AM, "Vieth, Scott" <svieth at ...6966...> wrote:

> Hi:
> 
> We've had some problems with Denial of Service attacks lately.  The machines
> running the attack are on our inside network and they're attacking sites on
> the Internet.  The Snort signature "DDOS shaft synflood" triggers like mad
> when the DOS is running.  This makes my alert file get very large, very
> quickly.  I'm happy that Snort sees the traffic and SnortSnarf generates a
> cool html report to show us which system on our network is doing the
> attacking.  But sometimes the alert file gets so big (I roll my alert file
> every day at midnight) that SnortSnarf can't process it.
> 
> How do Snort users deal with this?

If you switch to 1.9 (which should be out tomorrow or so) you can use the
threshold code and add a threshold so that you're only notified every 100
events or so.

Thresholds work  like this:

threshold: <count>,<time>,<hash>

<count> = number of events
<time> = number of seconds
<hash> = data to hash on, valid values of <hash> are "event", "ip" and
"port"

"port" hashes using the sid, source IP, dest IP and dest port.
"Ip" hashes using the sid, source IP and dest IP.
"Event" hashes using the sid and source IP.

What this means practically is that specifying "event" will gather all
events with that sid and source IP into the threshold tracker, "ip" gathers
all events with the same sid, src IP and dst IP, and "port" gathers all
events with the same sid, src IP, dst IP and dest port.

Add this to the rule and I think it'll do what you want.

threshold: 100, 10, event;

> If I routed the output of Snort into a database and then used ACID to run
> reports, would that solve this problem?
> 
> Thanks in advance for any help,
> 
> -Scott Vieth
> 
> p.s. We've already patched the systems that were hacked so any
> ne'er-do-wells who read the Snort list and think that they should start
> probing our address range will be wasting their time.  :^)

     -Marty

-- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org





More information about the Snort-users mailing list