[Snort-users] Snort problem
mkettler at ...4108...
Fri Jun 27 13:09:11 EDT 2003
At 05:41 PM 6/26/2003 -0400, mshultz at ...9571... wrote:
>Hello. I'm not sure if this is a support mailing list but hopefully
>someone could help me out.
>I am relatively new to Snort and it looks very decent for what I need it to
>do. I am running snort on a win32 machine. My problem is that I need
>snort to send either an email, which doesn't look possible as I am not a
>programmer, or an SMB message to a selected workstation. My problem is
>that SMB doesn't seem to be compiled into the windows binaries and there
>doesn't seem to be another way to configure it without the 'configure'
>executable. Any help would be appreciated.

Well, sending an email from within snort is absolutely impossible, even if
you are a programmer. Snort needs to be very very very fast (ie: 1/1000th
of a second delay has a HUGE impact on performance). If it goes off and
generates network connections, launches programs, etc, it will miss a large
quantity of traffic, creating a very effective way for attackers to sneak
past your snort sensor by only generating one alert that causes email.

Really, I'd suggest using something like ACID for your logging and alerting
needs if you're restricted to the win32 platform. Emails, SMB alerts, etc
are really best done with an external program so that snort isn't wasting
time babysitting a network messaging protocol.
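
One way to do the external-program alerting recommended in the reply above (an added example, not part of the original message and not Snort code): a Python poller that reads the fast-alert file Snort writes and turns each polling pass into a single digest e-mail. It assumes Snort's alert_fast line layout; the sample lines, rule ids, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter
from email.message import EmailMessage

# Constructed sample of Snort "fast" alert lines (rule ids and addresses are made up).
SAMPLE = """\
06/27-13:09:11.482113  [**] [1:1000001:1] LOCAL constructed web rule [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:1045 -> 198.51.100.20:80
06/27-13:09:11.502977  [**] [1:1000001:1] LOCAL constructed web rule [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:1046 -> 198.51.100.20:80
06/27-13:09:12.000310  [**] [1:1000002:1] LOCAL constructed ping rule [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.11 -> 198.51.100.20
not an alert line
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: (?P<cls>[^\]]*)\]\s+)?\[Priority: (?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+) -> (?P<dst>\S+)")

def parse_alerts(lines):
    """Return one dict per well-formed alert line; anything else is skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, lines) if m]

def read_new_lines(path, offset):
    """Return (complete lines appended since offset, new offset)."""
    with open(path, "rb") as fh:
        if fh.seek(0, 2) < offset:      # file shrank: rotated or truncated
            offset = 0
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n") + 1         # leave a half-written last line for next pass
    return data[:end].decode("utf-8", "replace").splitlines(), offset + end

def build_digest(alerts, sender, recipient, max_priority=2):
    """One message per polling pass, so an alert flood costs one e-mail, not thousands."""
    hits = [a for a in alerts if int(a["prio"]) <= max_priority]  # 1 = most severe
    if not hits:
        return None
    counts = Counter((a["sid"], a["msg"]) for a in hits)
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"Snort: {len(hits)} alerts, {len(counts)} signatures"
    body = [f"{n:5d}  sid {sid}  {text}" for (sid, text), n in counts.most_common()]
    body.append(f"first {hits[0]['ts']}  last {hits[-1]['ts']}")
    msg.set_content("\n".join(body))
    return msg

if __name__ == "__main__":
    print(build_digest(parse_alerts(SAMPLE.splitlines()), "ids@example.org", "soc@example.org"))
```

Run it from a scheduler, keep the returned offset between passes, and hand the message to `smtplib.SMTP(...).send_message()`; the sensor keeps writing to its log and never waits on the mail server.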