IDS mailing list archives

Re: Snort & email


From: James Riden <j.riden () massey ac nz>
Date: 08 May 2005 10:46:25 +1200

"Dan S Baxter" <Dan.Baxter () ipaper com> writes:

> I'm setting up a Snort sensor in our environment and I am unable to
> determine how I might get emailed on alerts.  I understand some are using
> Swatch, but we are not logging to syslogs but rather to a mysql db.  What
> are others doing in this case?

I'm logging to /var/log/snort/alert and /portscan.log as well as
postgresql. Then I have a couple of perl scripts which do
post-processing, including paging me if necessary. You could easily do
the same with email, depending on how often you want to be
emailed. There are also packages such as 'snort-stat' which can give
you a summary of events, etc.

In this environment, snort generates way too many alerts to email/page
me on each one. Typically I'd only be using paging for attempted-admin
and successful-admin type alerts.

cheers,
 Jamie
-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.
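The post-processing approach described above (read the flat alert file, page only on attempted-admin / successful-admin, batch the rest), written out as an added example. This is not James's Perl script nor anything from the Snort project; it is a Python sketch that assumes the classic "full" alert block format written to /var/log/snort/alert and the default classification.config descriptions for the two classtypes. The sample log, rule messages and local SIDs are constructed for the example.

```python
"""Post-process a Snort 'full' alert log and page only on admin-class alerts.

Added example, not code from the original thread. Assumes the classic
/var/log/snort/alert block format and the default classification.config
descriptions for the attempted-admin / successful-admin classtypes.
"""
import re
from email.message import EmailMessage

# Snort prints the classification *description*, not the classtype name,
# in the alert block; these are the default descriptions for the two
# classtypes worth paging on.
PAGE_CLASSES = {
    "Attempted Administrator Privilege Gain",   # classtype: attempted-admin
    "Successful Administrator Privilege Gain",  # classtype: successful-admin
}

_HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
_CLASS = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
_ADDR = re.compile(r"^(\S+) (\S+) -> (\S+)$")  # timestamp src -> dst

# Constructed sample log: one noisy non-admin hit, one local rule with no
# classtype, a burst of two identical attempted-admin hits, one successful-admin.
SAMPLE_LOG = """\
[**] [1:2003:2] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
05/07-10:12:33.123456 10.0.0.5:1434 -> 192.168.1.10:1434
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:404

[**] [1:1000001:1] LOCAL test rule without classtype [**]
05/07-10:13:01.000001 10.0.0.7:53122 -> 192.168.1.20:22
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF

[**] [1:1000002:1] LOCAL root shell banner on ingress [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
05/07-10:14:10.500000 10.0.0.9:40001 -> 192.168.1.20:22
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF

[**] [1:1000002:1] LOCAL root shell banner on ingress [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
05/07-10:14:11.500000 10.0.0.9:40002 -> 192.168.1.20:22
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF

[**] [1:1000003:1] LOCAL successful privilege escalation indicator [**]
[Classification: Successful Administrator Privilege Gain] [Priority: 1]
05/07-10:15:00.000000 192.168.1.20:4444 -> 10.0.0.9:40002
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
"""


def parse_alerts(text):
    """Split the log on blank lines and pull the fields out of each alert block."""
    alerts = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        m = _HEADER.match(lines[0])
        if not m:
            continue  # not an alert block; skip it rather than guess
        gid, sid, rev, msg = m.groups()
        alert = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
                 "classification": None, "priority": None,
                 "timestamp": None, "src": None, "dst": None}
        for ln in lines[1:]:
            c = _CLASS.match(ln)
            if c:  # absent when the rule has no classtype
                alert["classification"], alert["priority"] = c.group(1), int(c.group(2))
                continue
            a = _ADDR.match(ln)
            if a:
                alert["timestamp"], alert["src"], alert["dst"] = a.groups()
        alerts.append(alert)
    return alerts


def host(addr):
    """Strip the port from an IPv4 'ip:port' (ICMP alerts carry no port)."""
    return addr.rsplit(":", 1)[0] if addr and addr.count(":") == 1 else addr


def select_for_paging(alerts, classes=PAGE_CLASSES):
    """Keep only the classes worth waking someone up for."""
    return [a for a in alerts if a["classification"] in classes]


def collapse(alerts):
    """Fold repeats of one rule between the same two hosts into a single entry
    with a count, so a burst of identical hits costs one page, not one per packet."""
    groups = {}
    for a in alerts:
        key = (a["gid"], a["sid"], host(a["src"]), host(a["dst"]))
        g = groups.setdefault(key, dict(a, count=0, first=a["timestamp"]))
        g["count"] += 1
        g["last"] = a["timestamp"]
    return list(groups.values())


def build_page(groups, sender, recipient):
    """Render the batch as one e-mail. Handing it to smtplib.SMTP.send_message
    (or a mail-to-pager gateway) is left to the caller."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    total = sum(g["count"] for g in groups)
    msg["Subject"] = f"[snort] {total} admin-class alert(s) in {len(groups)} group(s)"
    lines = [f"{g['first']}..{g['last']} x{g['count']} {host(g['src'])} -> {host(g['dst'])} "
             f"[{g['gid']}:{g['sid']}:{g['rev']}] {g['msg']} ({g['classification']})"
             for g in groups]
    msg.set_content("\n".join(lines) + "\n")
    return msg


if __name__ == "__main__":
    page = build_page(collapse(select_for_paging(parse_alerts(SAMPLE_LOG))),
                      "snort@example.invalid", "oncall@example.invalid")
    print(page)
```

In practice you would run this from cron against the alert file (or a rotated copy, tracking an offset so each alert is read once) and route the remaining lower-priority classes into a daily digest instead of the pager.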
