[Snort-sigs] snort + ossec

Wed Feb 17 09:05:34 EST 2016


On 02/17/16 05:41, ARUN LAL wrote:
> 
> 
> We are planning to add Snort rules to OSSEC for monitoring. How do we configure
> a Snort SID in local_rules.xml? We need the most critical Snort IDs to monitor. Please
> provide us with the most important or most critical Snort IDs.

1) Read the OSSEC documentation; it's very well written and self-explanatory.
Using a syslog daemon, such as syslog-ng, that is capable of steering messages
from various hosts to a centralized location would give OSSEC the ability to
monitor multiple Snort instances from a central daemon.

2) The most valuable rules will depend on the existing security controls at your
organization, your demographic, your exposure level, and your network
infrastructure. This is something you'll need to determine as it suits your
organizational needs.

Cheers,
Nathan
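As an added example (not from either poster), a small Python filter that applies the kind of site-specific selection Nathan describes to Snort alert_syslog lines on their way to a central collector: it parses the [gid:sid:rev] header and priority, then keeps only alerts whose SID is on a local watchlist or whose priority meets a threshold. The hostnames, SIDs (in the local 1000000+ range) and log lines are constructed for the example, and the regex follows Snort's alert_syslog output shape rather than any OSSEC decoder.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Snort alert_syslog shape (constructed regex, not an OSSEC decoder):
#   snort[pid]: [gid:sid:rev] msg [Classification: c] [Priority: n] {proto} src -> dst
# The Classification block is optional; the Priority block is always present.
SNORT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?)"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])? \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

# Constructed sample syslog lines from two sensors plus one unrelated line.
SAMPLE_LOG = [
    "Feb 17 09:01:02 sensor1 snort[2231]: [1:1000001:1] LOCAL constructed SSH brute force "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:44321 -> 198.51.100.5:22",
    "Feb 17 09:01:05 sensor1 snort[2231]: [1:1000002:1] LOCAL constructed policy note "
    "[Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 192.0.2.11:5353 -> 198.51.100.255:5353",
    "Feb 17 09:01:09 sensor2 snort[4410]: [1:1000003:2] LOCAL constructed watched event "
    "[Priority: 2] {TCP} 203.0.113.7:51000 -> 198.51.100.9:445",
    "Feb 17 09:01:10 sensor2 sshd[5000]: Accepted publickey for ops from 192.0.2.20",
]


def parse_snort_syslog(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the alert fields of a Snort syslog line, or None for non-Snort lines."""
    m = SNORT_RE.search(line)
    return m.groupdict() if m else None


def select_critical(lines: Iterable[str], watch_sids: Set[int],
                    max_priority: int = 1) -> List[Dict[str, Optional[str]]]:
    """Keep alerts whose SID is on the watchlist or whose Snort priority is
    at least as severe as max_priority (lower number = more severe)."""
    hits = []
    for line in lines:
        ev = parse_snort_syslog(line)
        if ev is None:
            continue
        if int(ev["sid"]) in watch_sids or int(ev["prio"]) <= max_priority:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    # Watchlist is site-specific; here it names one constructed local SID.
    for ev in select_critical(SAMPLE_LOG, watch_sids={1000003}, max_priority=1):
        print(f"sid={ev['sid']} prio={ev['prio']} {ev['src']} -> {ev['dst']}: {ev['msg']}")
```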
