[Snort-users] Snort problem

Matt Kettler mkettler at ...4108...
Fri Jun 27 13:09:11 EDT 2003


At 05:41 PM 6/26/2003 -0400, mshultz at ...9571... wrote:
>Hello.  I'm not sure if this is a support mailing list but hopefully 
>someone could help me out.
>
>I am relatively new to Snort and it looks very decent for what I need it to 
>do.  I am running snort on a win32 machine.  My problem is that I need 
>snort to send either an email, which doesn't look possible as I am not a 
>programmer, or an SMB message to a selected workstation.  My problem is 
>that SMB doesn't seem to be compiled into the windows binaries and there 
>doesn't seem to be another way to configure it without the 'configure' 
>executable.  Any help would be appreciated.
>
>Mike.

Well, sending an email from within snort is absolutely impossible, even if 
you are a programmer. Snort needs to be very very very fast (i.e., 1/1000th 
of a second delay has a HUGE impact on performance). If it goes off and 
generates network connections, launches programs, etc, it will miss a large 
quantity of traffic, creating a very effective way for attackers to sneak 
past your snort sensor by only generating one alert that causes email.

Really, I'd suggest using something like ACID for your logging and alerting 
needs if you're restricted to the win32 platform. Emails, SMB alerts, etc 
are really best done with an external program so that snort isn't wasting 
time babysitting a network messaging protocol.
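
The external-program approach recommended in the reply, sketched as an added example that is not part of the original thread: a separate process reads the alert file Snort has already written and collapses it into one digest e-mail, so the sensor itself never opens a network connection. It assumes Snort is logging in its one-line "fast" alert format; the function names, addresses, and SIDs are placeholders made up for illustration.

```python
import re
from collections import Counter
from email.message import EmailMessage

# Snort "fast" alert line: timestamp, [gid:sid:rev], message, priority, proto, endpoints.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sig>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def parse_alerts(lines):
    """Return one dict per well-formed alert line; skip anything else."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append({**m.groupdict(), "prio": int(m["prio"])})
    return alerts

def build_digest(alerts, sender, recipient, max_prio=2):
    """Collapse alerts at or above the severity cut-off into one message.

    Snort priority 1 is the most severe, so the filter is prio <= max_prio.
    Returns None when nothing qualifies, so a noisy rule cannot cause a mail flood.
    """
    counts = Counter((a["sig"], a["msg"]) for a in alerts if a["prio"] <= max_prio)
    if not counts:
        return None
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"Snort: {sum(counts.values())} alert(s), {len(counts)} signature(s)"
    body = [f"{n:5d}  [{sig}] {text}" for (sig, text), n in counts.most_common()]
    msg.set_content("\n".join(body))
    return msg

# Constructed sample input (documentation addresses, made-up SIDs).
SAMPLE = """\
06/27-13:09:11.120001  [**] [1:1000001:1] Constructed test rule A [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 192.0.2.10:4431 -> 198.51.100.5:80
06/27-13:09:11.480212  [**] [1:1000001:1] Constructed test rule A [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 192.0.2.10:4432 -> 198.51.100.5:80
06/27-13:09:12.000417  [**] [1:1000002:3] Constructed test rule B [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.77 -> 198.51.100.5
not an alert line
""".splitlines()

if __name__ == "__main__":
    digest = build_digest(parse_alerts(SAMPLE), "snort@sensor.example", "soc@example.org")
    print(digest)  # a scheduled job would pass this to smtplib.SMTP(...).send_message()
```

Run on a schedule against the alert file, this sends at most one message per interval regardless of how many alerts fired.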









