[Snort-users] Fwd: [barnyard2-users] Can get barnyard2 to read from Snort log but won't write to alert file

waldo kitty wkitty42 at ...14940...
Mon Jul 22 22:28:29 EDT 2013


On 7/22/2013 21:22, mulhern wrote:
> Well, that all makes sense. This tool that you mention below is in-house, I take
> it? (I'm presuming that otherwise you'd have mentioned it by name).

in-house? yeah, one might say that... it is actually a branch off of an old tool 
that was used by many years ago... i have no clue if anyone has taken it upon 
themselves to port it to other environs under GPL... i definitely have not 
received any updates or code changes since i took over the project in our 
environment several years ago ;)

> - mulhern
>
>
> On Mon, Jul 22, 2013 at 5:54 PM, waldo kitty <wkitty42 at ...14940...
> <mailto:wkitty42 at ...14940...>> wrote:
>
>     On 7/22/2013 17:28, mulhern wrote:
>      >
>      >     plus, i do not run barnyard ;) O:)
>      >
>      > Oh, how do you use Snort then? I was getting the impression that the accepted
>      > way was to plunk Snort output to unified for speed and then have barnyard
>     decode
>      > what it's got.
>
>     what do you mean? snort runs on its own... nothing else is needed... all the
>     other tools are for correlating the alerts with the traffic and other activities
>     on the network so that blocks can be initiated or dropped, infestations can be
>     detected and possibly blocked while letting the infested machine's owner know
>     about the infestation and other similar tasks...
>
>     in my case, i use an auto-response tool that reacts to snort's alerts... that
>     tool initiates and manages automatic blocking of IPs causing alerts to be raised
>     by snort... my users are taught that if they cannot get to some site or there is
>     a problem downloading files, they are to ask the security team to check and see
>     if the site was blocked... at that point, it is up to the security team and
>     management to decide if the block is proper or should be dismissed... depending
>     on the situation, the user may even receive a reprimand for trying to go to a
>     site that is not allowed by network policy...
>
>     aside from all of that, we use the raw pcaps and the information from the snort
>     alert... we don't really need anything else at this time... no fancy graphs, no
>     fancy charts and no reports... management doesn't have time for all that
>     muckity-muck and we're not going to give it to them anyway O:)
>
>     -BOfH-



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
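The workflow waldo describes above (snort raises alerts, an auto-response tool blocks the external IP involved, and the security team later decides whether a block stands or is dismissed) is easy to sketch as code. The example below is added here for illustration and is not the in-house tool from the thread nor any Snort or barnyard2 code. It parses Snort's "fast" alert output format, applies a simple policy (priority threshold, tuned-out SIDs, a protected network list so internal hosts are never blocked), keeps an audit trail for the security team, and offers a `dismiss()` call for lifting a block that management judged improper. The alert lines, SIDs, rule messages and addresses are constructed test data, and the class and function names are this example's own.

```python
"""Toy auto-responder over Snort fast-alert lines (added example, not the thread's tool)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Layout of one line of Snort's alert_fast output; the group names are ours.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    priority: int
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None   # absent for ICMP alerts
    dport: Optional[int] = None


@dataclass
class Decision:
    action: str          # "block", "skip" or "unblock"
    ip: Optional[str]
    reason: str
    sid: int
    msg: str


def parse_fast_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a fast-format line, or None for anything else."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return Alert(ts=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
                 msg=m["msg"], priority=int(m["prio"]), proto=m["proto"],
                 src=m["src"], dst=m["dst"],
                 sport=int(m["sport"]) if m["sport"] else None,
                 dport=int(m["dport"]) if m["dport"] else None)


class AutoResponder:
    """Blocks the external endpoint of qualifying alerts; never blocks protected hosts."""

    def __init__(self, protected_nets: Iterable[str], max_priority: int = 2,
                 tuned_out_sids: Iterable[int] = ()):
        self.protected = [ipaddress.ip_network(n) for n in protected_nets]
        self.max_priority = max_priority          # Snort priority 1 is most severe
        self.tuned_out = set(tuned_out_sids)      # SIDs the team decided not to act on
        self.blocked: Dict[str, Decision] = {}    # active blocks, keyed by IP
        self.audit: List[Decision] = []           # every decision, for later review

    def _is_protected(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.protected)

    def external_endpoint(self, alert: Alert) -> Optional[str]:
        """The side of the flow that is outside our networks, if exactly one is."""
        src_in, dst_in = self._is_protected(alert.src), self._is_protected(alert.dst)
        if src_in and not dst_in:
            return alert.dst      # outbound: the disallowed site
        if dst_in and not src_in:
            return alert.src      # inbound: the probing host
        return None

    def decide(self, alert: Alert) -> Decision:
        if alert.sid in self.tuned_out:
            d = Decision("skip", None, "sid tuned out", alert.sid, alert.msg)
        elif alert.priority > self.max_priority:
            d = Decision("skip", None, f"priority {alert.priority} above threshold",
                         alert.sid, alert.msg)
        else:
            ip = self.external_endpoint(alert)
            if ip is None:
                d = Decision("skip", None, "no single external endpoint", alert.sid, alert.msg)
            elif ip in self.blocked:
                d = Decision("skip", ip, "already blocked", alert.sid, alert.msg)
            else:
                d = Decision("block", ip, f"sid {alert.sid} priority {alert.priority}",
                             alert.sid, alert.msg)
                self.blocked[ip] = d
        self.audit.append(d)
        return d

    def dismiss(self, ip: str, note: str) -> bool:
        """Security team / management lift a block they judged improper."""
        d = self.blocked.pop(ip, None)
        if d is None:
            return False
        self.audit.append(Decision("unblock", ip, note, d.sid, d.msg))
        return True

    def process(self, lines: Iterable[str]) -> List[Decision]:
        return [self.decide(a) for a in map(parse_fast_alert, lines) if a is not None]


# Constructed sample alerts (local SID range, documentation IP ranges).
SAMPLE_ALERTS = [
    "07/22-21:22:01.123456  [**] [1:1000001:1] LOCAL SCAN inbound probe [**] "
    "[Classification: Attempted Recon] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:3306",
    "07/22-21:22:03.000001  [**] [1:1000002:1] LOCAL POLICY outbound to disallowed site [**] "
    "[Classification: Policy Violation] [Priority: 1] {TCP} 192.0.2.55:40001 -> 198.51.100.23:80",
    "07/22-21:22:04.000002  [**] [1:1000003:1] LOCAL INFO noisy informational [**] "
    "[Priority: 3] {UDP} 203.0.113.44:53 -> 192.0.2.10:51000",
    "07/22-21:22:05.000003  [**] [1:1000004:1] LOCAL INFO internal chatter [**] "
    "[Priority: 1] {ICMP} 192.0.2.10 -> 192.0.2.55",
    "07/22-21:22:06.000004  [**] [1:1000001:1] LOCAL SCAN inbound probe [**] "
    "[Classification: Attempted Recon] [Priority: 2] {TCP} 203.0.113.7:51235 -> 192.0.2.10:3307",
    "this is not an alert line",
]


def run_demo():
    """Process the samples, then dismiss one block as the security team would."""
    ar = AutoResponder(protected_nets=["192.0.2.0/24"], max_priority=2)
    decisions = ar.process(SAMPLE_ALERTS)
    ar.dismiss("198.51.100.23", "approved business site; block dismissed by security team")
    return ar, decisions


if __name__ == "__main__":
    responder, decs = run_demo()
    for d in responder.audit:
        print(f"{d.action:7} {d.ip or '-':15} sid={d.sid} {d.reason}")
```

Two design points carry over from the thread: the responder blocks whichever side of the flow is outside the protected networks, so an outbound policy alert blocks the disallowed site rather than the user's machine, and every decision (including dismissals) lands in the audit list, which is what the security team needs when a user reports they "cannot get to some site".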



