Snort mailing list archives
How do you deal with large 'alert' files?
From: "Vieth, Scott" <svieth () mail mcw edu>
Date: Thu, 26 Sep 2002 10:38:49 -0500
Hi:

We've had some problems with Denial of Service attacks lately. The machines running the attack are on our inside network and they're attacking sites on the Internet. The Snort signature "DDOS shaft synflood" triggers like mad when the DOS is running. This makes my alert file get very large, very quickly.

I'm happy that Snort sees the traffic and SnortSnarf generates a cool HTML report to show us which system on our network is doing the attacking. But sometimes the alert file gets so big (I roll my alert file every day at midnight) that SnortSnarf can't process it.

How do Snort users deal with this? If I routed the output of Snort into a database and then used ACID to run reports, would that solve this problem?

Thanks in advance for any help,
-Scott Vieth

p.s. We've already patched the systems that were hacked so any ne'er-do-wells who read the Snort list and think that they should start probing our address range will be wasting their time. :^)
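One way to make an alert file this size usable, as an added example that is not from the original thread or from the Snort or SnortSnarf projects: stream the fast-format alert file once and collapse repeated alerts into per-signature, per-source counts, so a synflood that writes millions of near-identical lines reduces to a few rows naming the internal hosts involved. The sample alert lines, addresses and rule ids below are constructed.

```python
import re
from collections import Counter

# One line of Snort's "fast" alert output (snort -A fast). Field layout:
# <timestamp> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {proto} src:port -> dst:port
# Ports are absent for protocols such as ICMP, so they are optional here.
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?(?:\[Priority: (?P<pri>\d+)\] )?"
    r"\{(?P<proto>\w+)\} (?P<src>[^\s:]+)(?::(?P<sport>\d+))? -> (?P<dst>[^\s:]+)(?::(?P<dport>\d+))?$"
)

def parse_fast_alert(line):
    """Return the fields of one fast-format alert line as a dict, or None if it does not parse."""
    m = FAST_ALERT.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Aggregate alert lines without holding the file in memory.

    Returns (per_sig_src, per_src, unparsed): a Counter keyed by (message, source IP),
    a Counter keyed by source IP, and the number of lines that were not fast-format alerts.
    """
    per_sig_src, per_src, unparsed = Counter(), Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_fast_alert(line)
        if rec is None:
            unparsed += 1          # multi-line "full" alerts or junk: count, don't crash
            continue
        per_sig_src[(rec["msg"], rec["src"])] += 1
        per_src[rec["src"]] += 1
    return per_sig_src, per_src, unparsed

def top_sources(per_src, n=5):
    """Most active source addresses, i.e. the inside hosts to go and look at first."""
    return per_src.most_common(n)

# Constructed sample alert lines; the sid values and addresses are illustrative only.
SAMPLE_ALERTS = [
    "09/26-10:38:49.101 [**] [1:241:2] DDOS shaft synflood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.0.0.5:1034 -> 192.0.2.10:80",
    "09/26-10:38:49.102 [**] [1:241:2] DDOS shaft synflood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.0.0.5:1035 -> 192.0.2.10:80",
    "09/26-10:38:49.103 [**] [1:241:2] DDOS shaft synflood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.0.0.7:2001 -> 192.0.2.11:80",
    "09/26-10:38:50.000 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 10.0.0.1",
    "this line is not an alert",
]

if __name__ == "__main__":
    sig_src, src, bad = summarize(SAMPLE_ALERTS)  # for a real file: summarize(open("/var/log/snort/alert"))
    for (msg, s), n in sig_src.most_common():
        print(f"{n:8d}  {s:15s}  {msg}")
    print("top sources:", top_sources(src), "unparsed lines:", bad)
```

The per-source counters stay small no matter how many lines the synflood writes, which is the property a daily-rolled alert file needs before a report tool can be run over it.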
Current thread:
- How do you deal with large 'alert' files? Vieth, Scott (Sep 26)
- Re: How do you deal with large 'alert' files? Martin Roesch (Sep 26)
- <Possible follow-ups>
- RE: How do you deal with large 'alert' files? Sheahan, Paul (PCLN-NW) (Sep 26)
