IDS mailing list archives
Re: Snort & email
From: James Riden <j.riden () massey ac nz>
Date: 08 May 2005 10:46:25 +1200
"Dan S Baxter" <Dan.Baxter () ipaper com> writes:
I'm setting up a Snort sensor in our environment and I am unable to determine how I might get emailed on alerts. I understand some are using Swatch, but we are not logging to syslogs but rather to a mysql db. What are others doing in this case?
I'm logging to /var/log/snort/alert and /portscan.log as well as postgresql. Then I have a couple of perl scripts which do post-processing, including paging me if necessary. You could easily do the same with email, depending on how often you want to be emailed. There are also packages such as 'snort-stat' which can give you a summary of events, etc. In this environment, snort generates way too many alerts to email/page me on each one. Typically I'd only be using paging for attempted-admin and successful-admin type alerts. cheers, Jamie -- James Riden / j.riden () massey ac nz / Systems Security Engineer GPG public key available at: http://www.massey.ac.nz/~jriden/ This post does not necessarily represent the views of my employer. -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Snort & email Dan S Baxter (May 06)
- Re: Snort & email Frank Knobbe (May 09)
- Re: Snort & email Joel Esler (May 09)
- Re: Snort & email James Riden (May 09)
- Re: Snort & email Jose Maria Lopez Hernandez (May 09)
- Re: Snort & email Bartosz Krajnik (May 11)
- <Possible follow-ups>
- RE: Snort & email Omar Herrera (May 09)
- Re: Snort & email ctooker (May 16)