An engineer wants to review the packet overviews of SNORT alerts.
When printing the SNORT alerts, all the packet headers are included, and the file is too large to utilize.
Which action is needed to correct this problem?
A.
B.
C.
D.
Answer: A
Reference: https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/249/original/snort_manual.pdf?X-Amz-Algorithm=AWS4-HMAC-
SNORT is a popular open-source network intrusion detection system that uses signature-based detection to identify and alert on potential attacks. When SNORT detects a potential attack, it generates an alert that includes information about the suspicious activity, such as the type of attack and the source and destination IP addresses.
In this scenario, the engineer wants to review the packet overviews of SNORT alerts, but when printing the alerts, all the packet headers are included, making the file too large to utilize. Packet headers carry a lot of information about each packet, including source and destination IP addresses, protocol type, and packet length, so including every packet header in the SNORT alert output makes the alert file very large.
To correct this problem, the engineer needs to modify the output of the SNORT alerts. There are two possible options to achieve this:
Option A: Modify the alert rule to output alert_syslog: output log. The alert_syslog output module writes the alert information to a syslog server. By using this output option, the engineer can configure the syslog server to only log the necessary alert information, excluding packet headers. This will reduce the size of the alerts file, making it easier to review.
Option B: Modify the output module rule to output alert_quick: output filename. The alert_quick output module generates a short summary of each alert, including the type of attack and the source and destination IP addresses. This summary is written to a file, making it easier to review. By using this output option, the engineer can quickly identify suspicious activity without having to sift through packet headers.
Options C and D are incorrect because they both include the packet header information. The alert_syslog: output header option in option C outputs the alert information along with the packet header information, which would not solve the problem of large file sizes. The alert_fast: output filename option in option D generates a summary of each alert, but it includes packet header information, which would not be useful for the engineer.
In conclusion, the best option to correct the problem of large SNORT alert files is to modify the alert rule to output alert_syslog: output log or modify the output module rule to output alert_quick: output filename.
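For reference, the snort.conf lines below are an added illustration, not part of the original question or its explanation, showing the syntax Snort uses to declare an output module. The file path and the syslog facility and priority values are assumed for the example.

```conf
# Added example (not from the original page): Snort output module declarations in snort.conf.
# Snort selects an alert format with a line of the form "output <module>: <arguments>".

# Verbose file output: alert_full writes each alert together with the full packet
# headers, which is the kind of output that produces the oversized file described
# in the question. (The file path is assumed for this example.)
output alert_full: /var/log/snort/alert.full

# Option A from the explanation: hand alerts to syslog instead.
# alert_syslog takes a syslog facility and priority (the values shown are assumed);
# the full packet headers are not written to a local alert file, and what is kept
# is decided by the syslog server's own configuration.
output alert_syslog: LOG_AUTH LOG_ALERT
```

In practice the engineer would replace the alert_full line with the alert_syslog line rather than keep both, since every active output line receives every alert and the oversized file would otherwise still be written.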