Snort mailing list archives

Re: snort+mysql+acid


From: Dustin Decker <dustind () moon-lite com>
Date: Tue, 4 Feb 2003 20:38:03 -0600 (CST)

On Tue, 4 Feb 2003, Alan McCarty wrote:

I'd like to know if anyone has come up with a simple solution to 
centralized instant notification of alerts, other than logwatchers, 
etc. 

[snip]

I imagine this has been considered, but is there a good reason why it 
hasn't been implemented in any way?  It seems like an elegant add-on to 
what is so far a very solid IDS solution.

One of the primary reasons might very well be the push vs. pull issue.  
Unless you have your signatures absolutely perfected, push based alerts 
such as you are describing here have an active life cycle of a couple of 
weeks.  After that period of time, folks start to ignore them, 
particularly if a large percentage are turning out to be false positives.

I've found that pull based solutions are more fruitful - although I 
concede that it's good to be notified of the _really serious_ alerts ASAP.

Just my $.02
Dustin

-- 
*-----------------------------------*
| Dustin Decker                     |
| dustind () moon-lite com       *-----------------------------------------*
| http://www.dustindecker.com | He who knows nothing, knows nothing.    |
| Moon-Lite Computing         | But he who knows he knows nothing knows |
| 913.579.7117                | something. And he who knows someone     |
*-----------------------------| whose friend's wife's brother knows     |
                              | nothing, he knows something.  Or some   |
                              | thing like that.                        |
                              *-----------------------------------------*
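The trade-off Dustin describes above (push the really serious alerts right away, leave everything else for pull-based review in ACID, and keep the push channel from drowning in repeats) is easy to show on Snort's own alert_fast output. The following is an added example written for this archive page; it is not code from the thread, from Snort, or from ACID. It parses constructed alert lines in the fast format, pushes only alerts at or above a chosen priority, caps how many pushes one signature may generate per batch, and queues the rest. The SIDs, addresses and the `notify`-style formatting are assumptions made for the example.

```python
"""Route Snort alert_fast lines: push the serious ones, queue the rest for pull review.

Added example for the push-vs-pull discussion; not part of Snort or ACID.
"""
import re
from collections import Counter

# Snort alert_fast format (without -y, so the timestamp carries no year):
#   <ts>  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src -> dst
# The Classification field is absent when a rule has no classtype.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample lines (SIDs in the local 1000000+ range, RFC 5737 test addresses).
SAMPLE_ALERTS = [
    "02/04-20:38:03.000001  [**] [1:1000001:1] LOCAL admin privilege gain attempt (constructed) [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:4321 -> 198.51.100.5:22",
    "02/04-20:38:04.000002  [**] [1:1000003:1] LOCAL web application probe (constructed) [**] "
    "[Classification: Web Application Attack] [Priority: 2] {TCP} 192.0.2.11:5555 -> 198.51.100.8:80",
    # No classtype on this rule, so Snort prints no Classification field.
    "02/04-20:38:05.000003  [**] [1:1000004:1] LOCAL misc ICMP activity (constructed) [**] "
    "[Priority: 3] {ICMP} 192.0.2.12 -> 198.51.100.9",
] + [
    # The same priority-1 signature firing four times in one batch.
    "02/04-20:38:0%d.000004  [**] [1:1000002:2] LOCAL suspicious shell command (constructed) [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.13:60%02d -> 198.51.100.5:23"
    % (6 + i, i)
    for i in range(4)
] + [
    "this line is not an alert and must be skipped",  # constructed junk line
]


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast-format alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["priority"] = int(alert["priority"])
    return alert


def route_alerts(lines, push_priority=1, max_push_per_sig=3):
    """Split alerts into (pushed, queued, suppressed).

    pushed:     priority <= push_priority, within the per-signature cap -> notify now
    queued:     lower priority -> left for pull-based review (e.g. the ACID console)
    suppressed: serious but beyond the cap -> counted, not pushed, to avoid flooding
    """
    pushed, queued, suppressed = [], [], []
    seen = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # not an alert line; ignore rather than fail the whole batch
        if alert["priority"] > push_priority:
            queued.append(alert)
            continue
        key = (alert["gid"], alert["sid"])
        seen[key] += 1
        if seen[key] > max_push_per_sig:
            suppressed.append(alert)
        else:
            pushed.append(alert)
    return pushed, queued, suppressed


def format_push(alert):
    """One-line notification text for a pushed alert (hypothetical message format)."""
    return "[P%d] %s  %s -> %s  (sid %s:%s)" % (
        alert["priority"], alert["msg"], alert["src"], alert["dst"], alert["gid"], alert["sid"]
    )


if __name__ == "__main__":
    pushed, queued, suppressed = route_alerts(SAMPLE_ALERTS)
    for a in pushed:
        print("PUSH   ", format_push(a))
    print("queued for pull review:", len(queued))
    print("suppressed by per-signature cap:", len(suppressed))
```

In a real deployment the `pushed` list would feed whatever notifier is in use (mail, pager) and `queued` would simply stay in the database for the analyst to pull through ACID; the per-signature cap is what keeps a noisy or untuned rule from turning the push channel into the background noise Dustin warns about.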


