[Snort-users] Unified2 questions

waldo kitty wkitty42 at ...14940...
Wed Apr 27 14:13:11 EDT 2011

On 4/27/2011 10:22, Lay, James wrote:
> My process for handling snort alerts is:
> See the alert in the logs
> Do a whois on the remote IP
> tshark -X the current snort.pcap file matching the remote IP to see the raw
> packet caught


i see that you are a believer in the KISS principle, too :)

> How does unified2 output fit into this type of response? Thanks for any help all.

that's something i dance with, too... especially since my targeted market is a 
SOHO firewall product... we want alerts and possibly active blocking of those 
causing the alerts... all the rest of the fluff'n'stuff is much much too much 
and over the top... i can see that for possibly some monstrous corporate entity 
but way over here in the shallower end of the pool we don't have room for all 
that nor do those running in our sphere want to be burdened with all of that...

yeah, i can just see a single mother of three setting up the firewall package, a 
database server and some diagnostic workstation along with the one or two other 
machines, game consoles and smartphones they may have on their SOHO network... 
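As an added illustration of where unified2 output fits into the three-step routine quoted above (this is example code, not part of the thread and not Snort's own tooling): a unified2 file is a sequence of binary records, each with an 8-byte header (type, length). The IDS event record (type 7) is the alert itself and carries the source and destination IPs, so the "remote" IP for the whois step comes straight out of it; the packet record (type 2) sharing the same event_id is the raw packet the tshark step goes looking for, so it can be hex-dumped directly without touching snort.pcap. The field layout is the Unified2IDSEvent / Unified2Packet structures as documented for Snort; the sample stream is constructed inline (documentation-range addresses, a made-up payload), the home-network prefix used to decide which side is "remote" is an assumption, and the tshark command built for reference uses the `-x` hex-dump and `-Y` display-filter flags.

```python
import socket
import struct

# Unified2 record types used here (from the unified2 format as documented for Snort)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Unified2IDSEvent (type 7) body: 11 x u32, 2 x u16, 4 x u8 = 52 bytes, big-endian
_EVENT_FMT = "!IIIIIIIIIIIHHBBBB"
# Unified2Packet (type 2) fixed part: 7 x u32 = 28 bytes, then packet_length bytes of data
_PACKET_FMT = "!IIIIIII"
_PACKET_LEN = struct.calcsize(_PACKET_FMT)

_EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                 "signature_id", "generator_id", "signature_revision",
                 "classification_id", "priority_id", "ip_source", "ip_destination",
                 "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")
_PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                  "packet_microsecond", "linktype", "packet_length")


def hexdump(data, width=16):
    """Hex + ASCII dump, one list entry per line (the view tshark's hex dump gives)."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04x  %-*s  %s" % (i, width * 3 - 1, hexpart, asc))
    return lines


def parse_unified2(blob):
    """Return a list of (record_type, fields) for every record in a unified2 byte string."""
    records, off = [], 0
    while off + 8 <= len(blob):
        rtype, rlen = struct.unpack_from("!II", blob, off)
        body = blob[off + 8:off + 8 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated unified2 record at offset %d" % off)
        off += 8 + rlen
        if rtype == UNIFIED2_IDS_EVENT:
            rec = dict(zip(_EVENT_FIELDS, struct.unpack_from(_EVENT_FMT, body)))
            # addresses are stored as raw u32 values; render them dotted-quad
            for key in ("ip_source", "ip_destination"):
                rec[key] = socket.inet_ntoa(struct.pack("!I", rec[key]))
        elif rtype == UNIFIED2_PACKET:
            rec = dict(zip(_PACKET_FIELDS, struct.unpack_from(_PACKET_FMT, body)))
            rec["packet_data"] = body[_PACKET_LEN:_PACKET_LEN + rec["packet_length"]]
        else:
            rec = {"raw": body}  # other record types (IPv6, VLAN, extra data) left opaque
        records.append((rtype, rec))
    return records


def triage(records, home_net="192.168.1."):
    """Map unified2 records onto the three manual steps: alert, whois target, raw packet.
    home_net is an assumed SOHO prefix; the side outside it is treated as 'remote'."""
    events = {r["event_id"]: r for t, r in records if t == UNIFIED2_IDS_EVENT}
    packets = {}
    for t, r in records:
        if t == UNIFIED2_PACKET:
            packets.setdefault(r["event_id"], []).append(r["packet_data"])
    out = []
    for eid, ev in sorted(events.items()):
        remote = ev["ip_destination"] if ev["ip_source"].startswith(home_net) else ev["ip_source"]
        out.append({
            "event_id": eid,
            "sid": "%d:%d:%d" % (ev["generator_id"], ev["signature_id"], ev["signature_revision"]),
            "remote_ip": remote,
            "whois_cmd": ["whois", remote],
            "tshark_cmd": ["tshark", "-r", "snort.pcap", "-x", "-Y", "ip.addr == %s" % remote],
            "packet_hexdump": [hexdump(p) for p in packets.get(eid, [])],
        })
    return out


def build_sample():
    """Constructed unified2 stream: one IDS event plus its packet. Not real traffic."""
    src = struct.unpack("!I", socket.inet_aton("198.51.100.23"))[0]  # documentation range
    dst = struct.unpack("!I", socket.inet_aton("192.168.1.10"))[0]
    event = struct.pack(_EVENT_FMT, 1, 42, 1303912931, 0, 2003, 1, 5, 30, 2,
                        src, dst, 4444, 22, 6, 0, 0, 0)
    payload = b"GET /admin HTTP/1.0\r\n"  # made-up bytes standing in for the captured frame
    packet = struct.pack(_PACKET_FMT, 1, 42, 1303912931, 1303912931, 123, 1, len(payload)) + payload
    return (struct.pack("!II", UNIFIED2_IDS_EVENT, len(event)) + event
            + struct.pack("!II", UNIFIED2_PACKET, len(packet)) + packet)


if __name__ == "__main__":
    for item in triage(parse_unified2(build_sample())):
        print("alert %s from %s" % (item["sid"], item["remote_ip"]))
        print("  " + " ".join(item["whois_cmd"]))
        print("  " + " ".join(item["tshark_cmd"]))
        for dump in item["packet_hexdump"]:
            print("\n".join("  " + line for line in dump))
```

Because the packet record is keyed by the same event_id as the alert, a unified2 consumer can hand the analyst the exact packet without a second search through snort.pcap; the tshark command is kept only as the cross-check against the pcap.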
