Snort mailing list archives

Re: snort local.rules help


From: Skip Carter <skip () taygeta com>
Date: Thu, 04 Oct 2001 14:53:10 -0700


yeah, I did that too with logcheck, and now it nightly emails me 5 mb lists
of deny rules...

it used to be ok when there was only a thousand lines or so, but this is
ridiculous...


Frank


I use logcheck to email my firewall DENY's and snort alerts to several
other boxes on my network


   I used to do that until the logs got to be too big to manage and assimilate.

   Now I parse the information out of the DENY entries and feed them into
   a database (I am using Postgres because it has native data types for
   IP addrs and related). Now it's easy to see what activity is going
   on, and ask questions like "was anything unusual happening on 10 Sept".
   (I even caught somebody doing a slow 3-day scan of my /24 network
   because of the use of a database).



-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    UUCP:     ...!uunet!taygeta!skip
 Monterey, CA. 93940            WWW: http://www.taygeta.com/skip.html
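The DENY-to-Postgres approach Skip describes, as an added example that is not code from the original post: it assumes iptables-style LOG lines carrying a "DENY " prefix (the sample lines below are constructed), a table with Postgres inet columns, and the slow-scan question he mentions expressed both as SQL and as a Python check that runs without a database.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Constructed sample syslog lines (assumed iptables LOG output, --log-prefix "DENY ").
SAMPLE_LOG = """\
Oct  4 02:11:07 gw kernel: DENY IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=4021 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  5 03:40:51 gw kernel: DENY IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=4022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  6 01:02:33 gw kernel: DENY IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=3 DF PROTO=TCP SPT=4023 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  6 01:02:34 gw kernel: DENY IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=4 DF PROTO=UDP SPT=53 DPT=137 LEN=28
Oct  6 01:02:35 gw kernel: some unrelated message
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: DENY .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")   # ICMP lines carry no ports

# Postgres schema: inet columns let SQL test network containment (<<) directly.
DDL = """CREATE TABLE deny (seen timestamp NOT NULL, src inet NOT NULL, dst inet NOT NULL,
    proto text NOT NULL, spt integer, dpt integer);"""
INSERT = "INSERT INTO deny VALUES (%s, %s, %s, %s, %s, %s)"   # e.g. psycopg2 executemany
# One source touching several distinct hosts in our /24, spread over more than a day.
SLOW_SCAN_SQL = """SELECT src, count(DISTINCT dst) AS hosts, min(seen), max(seen) FROM deny
    WHERE dst << inet '192.0.2.0/24' GROUP BY src
    HAVING count(DISTINCT dst) >= 3 AND max(seen) - min(seen) > interval '1 day';"""

def parse_deny(text, year=2001):
    """Turn DENY syslog lines into (seen, src, dst, proto, spt, dpt) rows; skip other lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        seen = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        port = lambda g: int(g) if g else None
        rows.append((seen, m["src"], m["dst"], m["proto"], port(m["spt"]), port(m["dpt"])))
    return rows

def slow_scan_sources(rows, network="192.0.2.0/24", min_hosts=3, min_span=timedelta(days=1)):
    """Python mirror of SLOW_SCAN_SQL: sources probing many hosts in our net over days."""
    net = ipaddress.ip_network(network)
    by_src = {}
    for seen, src, dst, *_ in rows:
        if ipaddress.ip_address(dst) in net:
            hosts, times = by_src.setdefault(src, (set(), []))
            hosts.add(dst)
            times.append(seen)
    return sorted(s for s, (h, t) in by_src.items()
                  if len(h) >= min_hosts and max(t) - min(t) > min_span)
```

Rows from parse_deny() go straight into the INSERT statement, and the slow, three-day style probe stands out only because the events are aggregated by source across days rather than read nightly from a flat mail.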
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users