Snort.org home  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Downloads Snort Docs Rules Snort Community Snort Forums Snort Training
Search Site
Search Rules
Account
email
password
not registered?
user preferences

Snort Forums Archive

Archive Home » Snort Development » which part of source code can i have alarms?

Please note that the categories listed below represent an archived version of our forums pages. To view the current version and be able to post and reply to threads, please register and login here to go to the full forums pages.

[ Notice: Full Version of This Topic ]

which part of source code can i have alarms?


Posted by smartwork on November 30, 2005 23:20:41

hai sir,

I am doing project on snort. My work is to remove these alarms which are false positives using data mining techniques. can u suggest me some readings on it and the part of source code i have to go through to have it done. please help.

Posted by brevizniak on December 03, 2005 10:08:35

data mining suggest you will be working with the results of snort and not modifying snort itself. Can you provide more detail about what you are trying to do.

Posted by smartwork on December 04, 2005 02:39:00

yes u r right. I am doing the things using data mining techniques.

Alarm is a set of attributes and i have to group these alarms based on their similarity.

where snort stores these alarms??

can i have the set of alarms in a log file so that i can work on them or the code associated with the generation of alarms??

Posted by brevizniak on December 04, 2005 04:21:45

There are quite a few ways for alerts to be logged with snort. The easiest to work with in code is either a DB output or the unified output methods. You can also log to a csv file, syslog, individual directories per attacking host...

Probably the best thing for you to do is follow a setup guide and get a complete system up and running. From there you can experiment wit hthe different output methods.

Setup Guides are available at http://www.snort.org/docs/

and specific information on different output methods cab be found in the manual at
http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node13.html

the code for the output methods can be found in src/output-plugins/ of the tarball available at http://www.snort.org/dl/current/snort-2.4.3.tar.gz

Barnyard can be used to work with unified files. It can be downloaded from http://www.snort.org/dl/barnyard/barnyard-0.2.0.tar.gz


Posted by smartwork on December 04, 2005 07:57:58

Hi brevizniak,

Thanks a lot for ur help . Definitely its a great stuff . Thank u once again.
site feedback | Terms of Use | Privacy Policy | forum archives ©2007 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.