[Snort-users] SMB alerts

Jason Haar Jason.Haar at ...294...
Fri Aug 13 16:03:09 EDT 2004


On Fri, Aug 13, 2004 at 02:14:04PM -0700, Scott Elgram wrote:
> would you or anyone happen to know why it was removed?

..because it's a really bad idea?

Seriously, it is. Why SMB and yet no SMTP? What about Jabber support?

The list is endless.

So instead, Snort focuses on generalized output formats like syslog and
SQL, and out-of-band tools (such as swatch for syslog) monitor those outputs
to trigger alerts.

To make snort faster, it pays to do less - not more.

I realise this means *you* (us) need to do more work in order to have the
solution you want (i.e. the Windows alerts are now your problem instead of
Snort's), but it's better to have the separation.

Maybe more contrib/ example scripts are needed to get people through this
issue - they do show up a lot.

I have a swatch+alerting-script I'm very happy with - but can't release it
as I'm too embarrassed :-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
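The syslog-plus-watcher split described above, as an added example that is neither Jason's swatch script nor anything from Snort's contrib/: a small swatch-style filter in Python over the Snort 2.x `alert_syslog` line format, with a priority threshold, a per-rule suppress list and repeat collapsing. The syslog lines are constructed, the rule sids are local ones, and `notify` is a placeholder for whatever out-of-band action (pager, mail, Windows popup command) you plug in.

```python
import re
from typing import Callable, Iterable, List, Optional, Set
# Snort 2.x alert_syslog line (ICMP alerts carry no ports, so those groups are optional):
#   snort[pid]: [gid:sid:rev] msg [Classification: c] [Priority: p]: {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]:? "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def parse_alert(line: str) -> Optional[dict]:
    """Return the alert fields from one syslog line, or None for non-Snort lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])  # 1 = most severe
    return alert

def watch(lines: Iterable[str], max_priority: int, notify: Callable[[dict], None],
          suppress: Set[str] = frozenset()) -> List[dict]:
    """Swatch-style pass over syslog: notify() once per distinct (sid, src, dst) for
    alerts at priority <= max_priority, skipping suppressed rule sids and repeats."""
    seen, fired = set(), []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["prio"] > max_priority or alert["sid"] in suppress:
            continue
        key = (alert["sid"], alert["src"], alert["dst"])
        if key in seen:  # collapse repeats so the operator is not flooded
            continue
        seen.add(key)
        notify(alert)  # placeholder hook: pager, mail, Windows popup command, ...
        fired.append(alert)
    return fired

# Constructed sample syslog (documentation IP ranges, local rule sids), not real traffic.
SAMPLE_SYSLOG = [
    "Aug 13 16:01:02 sensor snort[2201]: [1:1000001:1] LOCAL probe to closed port "
    "[Classification: Attempted Information Leak] [Priority: 2]: {UDP} 192.0.2.10:1434 -> 198.51.100.7:1434",
    "Aug 13 16:01:03 sensor snort[2201]: [1:1000001:1] LOCAL probe to closed port "
    "[Classification: Attempted Information Leak] [Priority: 2]: {UDP} 192.0.2.10:1434 -> 198.51.100.7:1434",
    "Aug 13 16:01:05 sensor snort[2201]: [1:1000002:1] LOCAL ICMP echo reply "
    "[Classification: Misc activity] [Priority: 3]: {ICMP} 198.51.100.7 -> 192.0.2.10",
    "Aug 13 16:01:09 sensor sshd[512]: Accepted publickey for jhaar from 192.0.2.44 port 51022",
    "Aug 13 16:01:11 sensor snort[2201]: [1:1000003:2] LOCAL admin logon outside business hours "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.0.2.33:3012 -> 198.51.100.9:445",
]
```

Running `watch(SAMPLE_SYSLOG, 2, print)` fires twice: the repeated probe is collapsed to one notification, the priority-3 ICMP line and the sshd line are ignored, and the priority-1 alert fires.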
