[Snort-users] How do you deal with large 'alert' files?

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...2218...
Thu Sep 26 15:45:02 EDT 2002

What I do is use the "split" utility to break the alert file up into, say,
70 mb pieces, then run the a report against each. Yes it's an ugly manual
process, but it doesn't happen to me that much where there alert files get
that huge. The threshold option sounds great! Can't wait to try it.

By the way, not sure if you've ever tried snort_stat.pl, but it BLOWS away
Snortsnarf when it comes to thorough, friendly reports.

-----Original Message-----
From: Martin Roesch [mailto:roesch at ...1935...]
Sent: Thursday, September 26, 2002 3:09 PM
To: Vieth, Scott; 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] How do you deal with large 'alert' files?

On 9/26/02 11:38 AM, "Vieth, Scott" <svieth at ...6966...> wrote:

> Hi:
> We've had some problems with Denial of Service attacks lately.  The
> running the attack are on our inside network and they're attacking sites
> the Internet.  The Snort signature "DDOS shaft synflood" triggers like mad
> when the DOS is running.  This makes my alert file get very large, very
> quickly.  I'm happy that Snort sees the traffic and SnortSnarf generates a
> cool html report to show us which system on our network is doing the
> attacking.  But sometimes the alert file gets so big (I roll my alert file
> every day at midnight) that SnortSnarf can't process it.
> How do Snort users deal with this?

If you switch to 1.9 (which should be out tomorrow or so) you can use the
threshold code and add a threshold so that you're only notified every 100
events or so.

Thresholds work  like this:

threshold: <count>,<time>,<hash>

<count> = number of events
<time> = number of seconds
<hash> = data to hash on, valid values of <hash> are "event", "ip" and

"port" hashes using the sid, source IP, dest IP and dest port.
"Ip" hashes using the sid, source IP and dest IP.
"Event" hashes using the sid and source IP.

What this means practically is that specifying "event" will gather all
events with that sid and source IP into the threshold tracker, "ip" gathers
all events with the same sid, src IP and dst IP, and "port" gathers all
events with the same sid, src IP, dst IP and dest port.

Add this to the rule and I think it'll do what you want.

threshold: 100, 10, event;

> If I routed the output of Snort into a database and then used ACID to run
> reports, would that solve this problem?
> Thanks in advance for any help,
> -Scott Vieth
> p.s. We've already patched the systems that were hacked so any
> ne'er-do-wells who read the Snort list and think that they should start
> probing our address range will be wasting their time.  :^)


Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list