Snort mailing list archives
Trying to figure something if the following makes sense or stupid
From: "Turnquist,Wayne" <WayneTurnquist () catholichealth net>
Date: Fri, 3 Mar 2006 14:34:14 -0600
I'm located in one hospital of many hospitals in the organization, where corp has a firewall for our internet connection and there is a router here that links us up. I have the Ethernet port of this router in a hub where I have a second router also connected to this hub. On this second router, the other Ethernet is connected to a cat4006, from which I span the traffic to another hub (let's call it hub2). It is here that I have my snort and other tools running. Snort logs to a server that has base and snare installed and to the windows event manager, where snare sends email alerts on certain types of alerts from snort. At this point I have snort fine-tuned with very few false positives.

On router two, I'm using Cisco ACLs to control what can come in and what can go out through this router. I have the router configured so that it logs all denies to a kiwi syslog server. Most of the time the logging is quiet on the incoming side of the router, but there have been a few cases where it has been hit. Case in point, one of the Symantec servers in corp decided it wanted to scan our network. I noticed this one night when I needed to tweak the ACLs and did a show log.

Would it be possible, and are there any pointers, for me to have the kiwi syslog send alerts to base so these events could possibly be correlated to snort alerts and be investigated/searchable in the same system? Just wondering wt
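One way to line up router ACL deny messages with Snort alerts by source address and time, as an added example that is not part of the original post and does not write into BASE. The log lines and addresses are constructed, and the tab-separated syslog file layout and Snort "fast" alert output are assumptions about how the two logs are stored.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the original post). Assumed layouts:
# syslog file lines as "YYYY-MM-DD HH:MM:SS<TAB>priority<TAB>host<TAB>message",
# Snort alerts in "fast" alert format (which carries no year).
SYSLOG = """\
2006-03-03 02:10:05\tLocal7.Info\t192.0.2.1\t%SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(4312) -> 192.0.2.50(445), 1 packet
2006-03-03 02:10:09\tLocal7.Info\t192.0.2.1\t%SEC-6-IPACCESSLOGDP: list 110 denied icmp 198.51.100.7 -> 192.0.2.51 (8/0), 3 packets
2006-03-03 09:45:00\tLocal7.Info\t192.0.2.1\t%SEC-6-IPACCESSLOGP: list 110 denied udp 203.0.113.9(53) -> 192.0.2.60(1029), 1 packet
2006-03-03 09:46:00\tLocal7.Notice\t192.0.2.1\t%LINK-5-CHANGED: Interface Ethernet1, changed state to up
"""
SNORT = """\
03/03-02:12:40.514233  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 192.0.2.20
03/03-11:00:00.000001  [**] [1:1000001:1] Constructed test rule [**] [Priority: 3] {TCP} 203.0.113.9:4000 -> 192.0.2.60:80
"""

# Cisco IOS ACL log messages: ports appear in parentheses for TCP/UDP only.
DENY = re.compile(r"%SEC-6-IPACCESSLOG\w*: list (\S+) denied (\S+) "
                  r"([\d.]+)(?:\(\d+\))? -> ([\d.]+)")
ALERT = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[([\d:]+)\] (.*?) \[\*\*\]"
                   r".*\{(\w+)\} ([\d.]+)(?::\d+)? -> ([\d.]+)")

def parse_denies(text):
    """Return ACL deny events from the syslog text; other messages are skipped."""
    out = []
    for line in text.splitlines():
        m = DENY.search(line)
        if m:
            ts = datetime.strptime(line.split("\t")[0], "%Y-%m-%d %H:%M:%S")
            out.append({"time": ts, "acl": m[1], "proto": m[2], "src": m[3], "dst": m[4]})
    return out

def parse_alerts(text, year):
    """Return Snort fast alerts; the year must be supplied by the caller."""
    out = []
    for line in text.splitlines():
        m = ALERT.search(line)
        if m:
            ts = datetime.strptime(f"{year}/{m[1]}", "%Y/%m/%d-%H:%M:%S")
            out.append({"time": ts, "sid": m[2], "msg": m[3], "src": m[5], "dst": m[6]})
    return out

def correlate(denies, alerts, window=timedelta(minutes=5)):
    """Pair each alert with denies from the same source within the time window."""
    return [(a, [d for d in denies
                 if d["src"] == a["src"] and abs(d["time"] - a["time"]) <= window])
            for a in alerts]
```

Both devices need synchronized clocks for the time window to mean anything; with the sample data the first alert pairs with two denies from the same source and the second pairs with none because its only deny is over an hour earlier.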
Current thread:
- Trying to figure something if the following makes sense or stupid Turnquist,Wayne (Mar 03)