[Snort-users] Re: Project PigRoast and logging...

Gregor Binder gbinder at ...462...
Thu Oct 12 14:11:10 EDT 2000

Jason Haar on Thu, Oct 12, 2000 at 11:40:17AM +1300:


> Ah yes - but even these aren't "real" real-time alerts - you're tail'ing
> syslog right? 

Let's put it that way, they are real-time enough for me, since the
time that it takes me to respond to an event is significantly longer
anyway. On the other hand, I can make syslog-ng to do a lot more 
things than just writing to a file, as for example triggering a
script that blocks the offending address in almost real real-time :)

I know that this is might not be the final answer to every attack,
but it's nice to be able to do such things.

> As such, turn on logging in Mysql and do the same thing there...

Besides from the above, I like the fact that I do all kinds of
event logging in a central place. It is easier to integrate with
system/network monitoring, and I can correlate traditional syslog
information with intrusion data. Deploying sensors inside and
outside of gateways, there is also some reliable and easy way to 
see if an attack made it through the firewall.


Gregor Binder  <gbinder at ...462...>  http://www.sysfive.com/~gbinder/
sysfive.com GmbH             UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany       TEL +49-40-63647482

More information about the Snort-users mailing list