Subject: Re: [snort] Back home....
From: Martin Roesch (roesch hiverworld.com)
Date: Tue Mar 07 2000 - 00:14:22 CST
- Next message: Martin Roesch: "[snort] output plugins"
- Previous message: Yen-Ming Chen: "[snort] Re: [anno] php snort statistics web page script"
- In reply to: Mullen, Patrick: "RE: [snort] Back home...."
- Next in thread: Stuart Staniford-Chen: "[snort] Rapidnet sig error?"
- Next in thread: Mullen, Patrick: "RE: [snort] Back home...."
- Reply: Martin Roesch: "Re: [snort] Back home...."
- Reply: Stuart Staniford-Chen: "[snort] Rapidnet sig error?"
"Alert occurred so start logging". The other method would require
complexities that I'm not prepared to think about at 1:15AM. A
read-ahead/read-back buffer concept is something that may be doable, but
I think the performance hit that the system would take as a result would
be pretty severe.
Plus, how many packets do you keep in a "window"?
"Mullen, Patrick" wrote:
>
> > I've got some fun new stuff to talk about once I get caught
> > up, such as
> > output plugins and dynamic packet collection....
>
> Does this include a feature to log all connections but
> if no alert is generated the log is wiped, or just
> "alert occurred so start logging"?
>
> My favorite, from way back, is I alert on SMTP relaying
> rejected messages, which of course doesn't tell you what
> or who the relay was for.
>
> ~Patrick
--
Martin Roesch <roeschhiverworld.com>
Director of Forensic Systems
http://www.hiverworld.com
Hiverworld, Inc.
Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment
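The read-back buffer discussed in this message, sketched as an added example (not part of the original post and not Snort code): a fixed ring keeps the last few packets and is written out only when an alert fires. The names `window_push` and `window_flush` and the sizes `WINDOW` and `SNAPLEN` are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define WINDOW   4    /* packets kept before an alert (assumed size) */
#define SNAPLEN  64   /* bytes copied per packet (assumed size) */

struct pkt { size_t len; unsigned char data[SNAPLEN]; };
struct window {
    struct pkt ring[WINDOW];
    size_t head;      /* next slot to overwrite */
    size_t count;     /* valid packets in the ring, at most WINDOW */
};

/* Copy one packet into the ring, overwriting the oldest when full.
 * This per-packet memcpy is paid even if no alert ever fires. */
static void window_push(struct window *w, const unsigned char *p, size_t len)
{
    struct pkt *slot = &w->ring[w->head];
    slot->len = len < SNAPLEN ? len : SNAPLEN;   /* truncate, never overflow */
    memcpy(slot->data, p, slot->len);
    w->head = (w->head + 1) % WINDOW;
    if (w->count < WINDOW) w->count++;
}

/* On alert: copy buffered packets to out[] oldest first, then empty the
 * ring. Returns the number written; out must hold WINDOW entries. */
static size_t window_flush(struct window *w, struct pkt *out)
{
    size_t start = (w->head + WINDOW - w->count) % WINDOW;
    size_t n = w->count;
    for (size_t i = 0; i < n; i++)
        out[i] = w->ring[(start + i) % WINDOW];
    w->head = w->count = 0;
    return n;
}

/* Constructed demo: `seen` packets arrive (first payload byte 1, 2, ...),
 * then an alert fires. Returns the oldest packet's first byte, or -1. */
static int demo_oldest_logged(int seen)
{
    struct window w = {0};
    struct pkt out[WINDOW];
    for (int i = 1; i <= seen; i++) {
        unsigned char payload[8] = { (unsigned char)i };
        window_push(&w, payload, sizeof payload);
    }
    return window_flush(&w, out) ? out[0].data[0] : -1;
}

int main(void) { printf("oldest logged: %d\n", demo_oldest_logged(6)); return 0; }
```

Memory stays bounded at `WINDOW * sizeof(struct pkt)`, but anything older than the window is gone by the time the alert fires, which is the sizing question the message raises.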