Snort mailing list archives
Re: snort local.rules help
From: Skip Carter <skip () taygeta com>
Date: Thu, 04 Oct 2001 14:53:10 -0700
yeah, I did that too with logcheck, and now it nightly emails me 5 mb lists of deny rules... it used to be ok when there was only a thousand lines or so, but this is ridiculous...
Frank
I use logcheck to email my firewall DENY's and snort alerts to several other boxes on my network
I used to do that until the logs got to be too big to manage and assimilate. Now I parse the information out of the DENY entries and feed them into a database (I am using Postgres because it has native data types for IP addrs and related). Now it's easy to see what activity is going on, and ask questions like "was anything unusual happening on 10 Sept". (I even caught somebody doing a slow 3-day scan of my /24 network because of the use of a database).

--
Dr. Everett (Skip) Carter        Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc.          INTERNET: skip () taygeta com
1340 Munras Ave., Suite 314      UUCP: ...!uunet!taygeta!skip
Monterey, CA. 93940              WWW: http://www.taygeta.com/skip.html
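The approach described in the message above, sketched as an added example that is not part of the original post or the poster's own code: DENY entries are parsed into a table and queried for a slow multi-day scan and for one day's activity. It assumes ipchains-style kernel log lines (constructed here), uses sqlite3 as an offline stand-in for Postgres, and all table and function names are hypothetical.

```python
import re
import sqlite3
from datetime import datetime

# Assumed ipchains-style format:
#   "<date> <host> kernel: Packet log: <chain> DENY <if> PROTO=n src:port dst:port ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: \S+ DENY \S+ "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+)")

def _line(day, hms, src, dst, dport):
    """Build one constructed sample log line (September, documentation-range sources)."""
    return (f"Sep {day:2d} {hms} fw kernel: Packet log: input DENY eth0 PROTO=6 "
            f"{src}:4012 {dst}:{dport} L=60 S=0x00 I=100 F=0x4000 T=50 SYN (#7)")

# Constructed data: one source touching six hosts over three days, one noisy source, one unrelated line.
SAMPLE_LOG = "\n".join(
    [_line(8 + i // 2, f"0{i}:14:07", "198.51.100.23", f"10.0.0.{i + 1}", 111) for i in range(6)]
    + [_line(10, f"12:00:0{i}", "203.0.113.9", "10.0.0.5", 23) for i in range(4)]
    + ["Sep 10 12:01:00 fw sshd[311]: unrelated line"])

def load(log_text, year=2001):
    """Parse DENY lines into an in-memory table; syslog omits the year, so it is supplied."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE deny (ts TEXT, proto INT, src TEXT, dst TEXT, dport INT)")
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a DENY entry
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        db.execute("INSERT INTO deny VALUES (?,?,?,?,?)",
                   (ts.isoformat(sep=" "), int(m["proto"]), m["src"], m["dst"], int(m["dport"])))
    return db

def slow_scanners(db, min_hosts=5, min_days=2):
    """Sources that hit many distinct hosts spread over several days (low rate, wide reach)."""
    return db.execute(
        """SELECT src, COUNT(DISTINCT dst), COUNT(DISTINCT date(ts))
           FROM deny GROUP BY src
           HAVING COUNT(DISTINCT dst) >= ? AND COUNT(DISTINCT date(ts)) >= ?
           ORDER BY 2 DESC""", (min_hosts, min_days)).fetchall()

def activity_on(db, day):
    """Per-source DENY counts for a single day, e.g. '2001-09-10'."""
    return db.execute(
        """SELECT src, COUNT(*) FROM deny WHERE date(ts) = ?
           GROUP BY src ORDER BY 2 DESC, src""", (day,)).fetchall()
```

A per-night text report shows the scanner as only two lines a day, below the noisy source; the grouped query surfaces it because it counts distinct targets and days rather than raw volume.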