[Snort-users] WatchHog Released - a web-based snort alert analyser.

Randy Walinga randy at ...11621...
Fri Apr 9 23:38:02 EDT 2004

ACID didn't really cut it for us and neither did Demarc, so we started on
WatchHog for our own purposes a few years ago.  We needed a tool that could
watch many snort sensors, it could give us a quick overview of the status,
and if an event occurred we could find out exactly who did what and when...
and ideally page the on-call guy as the event was happening.  So that's what
we made.  Then we kept adding features as somebody would say (usually me)
"Wouldn't it be nice if I got e-mailed a nice graphical summary of the days
events, with a trending chart that compared total alerts to the previous 7,
14, or 31 days alerts..."

As for queries, you can search for alerts in any combination of sensor,
date/time range, Src IP, Dst IP and Signature.  We never needed to search
based on any other criteria, but if some other queries are useful, I would
certainly add them in.  That kind of feedback is wonderful.  What ACID
queries do find you use most?

Also the above search criteria doesn't just apply to alert listings, but to
Top Signatures or Top IP Addresses and to the Attack Profile.  And it's much
more intuitive than ACID in my opinion(I'm starting to get warmed up here).
For example you may see that one of your sensors has had 30 alerts in the
past 15 minutes (under Recent Activity), so then you just click it to get
the listing of those alerts.  Then if that looks suspicious, just click the
alert to get a detailed packet view.

It uses jsp, so you can customize the java code if you desire.

You can evaluate the product in a commercial environment for 14 days.  We
have limited it to two sensors, but we can provide a version without that
limitation if you need it.

Thanks Mark,
Randy Walinga.

-----Original Message-----
From: Mark.Schutzmann at ...10438... [mailto:Mark.Schutzmann at ...10438...]
Sent: April 9, 2004 11:15 PM
To: Randy Walinga
Cc: snort-users at lists.sourceforge.net;
snort-users-admin at lists.sourceforge.net
Subject: Re: [Snort-users] WatchHog Released - a web-based snort alert

How is this better than Acid? From the screenshots (which are very
difficult to see) it appears to have limited query abilities in comparison.
What are the limitations for evaluating the product in a commercial
environment? Because this appears to be Java-based, it looks like it cannot
be customized?


                      "Randy Walinga"
                      <randy at ...11621...>                To:
<snort-users at lists.sourceforge.net>
                      Sent by:                            cc:
                      snort-users-admin at ...4626...        Subject:
[Snort-users] WatchHog Released - a web-based snort alert analyser.

                      04/09/2004 11:34 AM

WatchHog is a web-based snort alert analyser/reporting tool that queries an
SQL database in real-time.

WatchHog is designed for easy monitoring and reporting on multiple snort

It is available free for personal use on not more than two snort sensors.

Check it out at :

Randy Walinga
randy at ...11621...

This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list