Re: Snort & email

• Previous message: Joel Esler: "Re: Snort & email"
• In reply to: Dan S Baxter: "Snort & email"
• Next in thread: Jose Maria Lopez Hernandez: "Re: Snort & email"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "Dan S Baxter" <Dan.Baxter@ipaper.com>
Date: 08 May 2005 10:46:25 +1200

"Dan S Baxter" <Dan.Baxter@ipaper.com> writes:

> I'm setting up a Snort sensor in our environment and I am unable to
> determine how I might get emailed on alerts. I understand some are using
> Swatch, but we are not logging to syslogs but rather to a mysql db. What
> are others doing in this case?

I'm logging to /var/log/snort/alert and /portscan.log as well as
postgresql. Then I have a couple of perl scripts which do
post-processing, including paging me if necessary. You could easily do
the same with email, depending on how often you want to be
emailed. There are also packages such as 'snort-stat' which can give
you a summary of events, etc.

In this environment, snort generates way too many alerts to email/page
me on each one. Typically I'd only be using paging for attempted-admin
and successful-admin type alerts.

cheers,
 Jamie

-- 
James Riden / j.riden@massey.ac.nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------

• Previous message: Joel Esler: "Re: Snort & email"
• In reply to: Dan S Baxter: "Snort & email"
• Next in thread: Jose Maria Lopez Hernandez: "Re: Snort & email"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]