[Snort-users] snort and ACID

Jason Haar Jason.Haar at ...294...
Tue Jan 30 17:24:10 EST 2001


What about logcheck and/or swatch?

Here we're planning to do a similar thing (rolling out snort, with local
MySQL DB, and replicating to a central MySQL database), and what I'm doing
is using syslog as well as MySQL logging. Swatch monitors the syslogs and
reports accordingly (i.e. sends Email) when certain events occur.

The big advantage with swatch/syslog is that you can alert on things other
than snort - root login failures via ssh should still be reported - but
snort ain't very good at picking them up ;-)

What I'm doing here is sending Email alerts for "important" things to an
address that "works out" whether it's work hours or not - and sends to a
pager when it isn't...

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
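The syslog-watching arrangement described in the message above (match Snort alerts and SSH root-login failures in syslog, mail everything, page only the "important" events outside work hours), as an added example. This is not code from the original post, from swatch or from Snort; the regexes, the work-hours window (assumed Monday to Friday, 08:00 to 17:59), the rule names and the sample log lines are all assumptions constructed for illustration.

```python
"""Swatch-style syslog watcher: match 'important' events (Snort alerts and
SSH root-login failures) and route them to e-mail during work hours or to
e-mail plus a pager outside them.

Added example, not code from the original post, from swatch or from Snort.
The regexes, the work-hours window (Mon-Fri, 08:00-17:59), the rule names
and the sample log lines are assumptions constructed for illustration."""

import re
from datetime import datetime
from typing import List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    rule: str        # name of the matching rule
    important: bool  # True -> eligible for paging outside work hours
    line: str        # the raw syslog line


# Rule table: (name, important, compiled regex). First match wins.
RULES = [
    # Snort's syslog output carries "[Priority: N]"; priority 1 is the most
    # severe in Snort's classification scheme.
    ("snort-high", True, re.compile(r"snort(?:\[\d+\])?: .*\[Priority: 1\]")),
    ("snort-low", False, re.compile(r"snort(?:\[\d+\])?: .*\[Priority: [2-9]\]")),
    # OpenSSH logs failed root password attempts as "Failed password for root";
    # "ROOT LOGIN REFUSED" appears when PermitRootLogin forbids root.
    ("ssh-root-fail", True, re.compile(
        r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?root |ROOT LOGIN REFUSED)")),
]


def classify(line: str) -> Optional[Event]:
    """Return the first rule matching a syslog line, or None if uninteresting."""
    for name, important, pattern in RULES:
        if pattern.search(line):
            return Event(name, important, line)
    return None


def is_work_hours(when: datetime) -> bool:
    """Assumed work hours: Monday-Friday, 08:00 up to (not including) 18:00."""
    return when.weekday() < 5 and 8 <= when.hour < 18


def route(lines: List[str], when: datetime) -> List[Tuple[str, str, str]]:
    """Decide where each matching line goes.

    Every matching line goes to e-mail (the persistent record). Important
    events outside work hours additionally go to the pager.
    Returns a list of (destination, rule, line) tuples in log order."""
    out = []
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        out.append(("email", ev.rule, ev.line))
        if ev.important and not is_work_hours(when):
            out.append(("pager", ev.rule, ev.line))
    return out


# Constructed sample syslog lines (not real traffic). Formats follow Snort's
# syslog alert output and OpenSSH's auth logging.
SAMPLE_LOG = [
    "Jan 30 17:20:01 sensor1 snort[412]: [1:1256:2] WEB-IIS CodeRed v2 root.exe access "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3120 -> 192.168.1.10:80",
    "Jan 30 17:20:03 sensor1 snort[412]: [1:469:1] ICMP PING NMAP [Classification: Attempted "
    "Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 192.168.1.10",
    "Jan 30 17:21:10 sensor1 sshd[889]: Failed password for root from 10.0.0.5 port 40022 ssh2",
    "Jan 30 17:21:12 sensor1 sshd[891]: Accepted publickey for jason from 192.168.1.2 port 50011 ssh2",
    "Jan 30 17:22:00 sensor1 cron[120]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Assumed reference times: 2001-01-30 was a Tuesday, 2001-02-03 a Saturday.
WORK_TIME = datetime(2001, 1, 30, 17, 24)     # inside the assumed work hours
NIGHT_TIME = datetime(2001, 1, 30, 23, 30)    # weekday, but after hours
WEEKEND_TIME = datetime(2001, 2, 3, 12, 0)    # Saturday midday

if __name__ == "__main__":
    for when in (WORK_TIME, NIGHT_TIME, WEEKEND_TIME):
        print(f"--- at {when:%a %H:%M} (work hours: {is_work_hours(when)})")
        for dest, rule, line in route(SAMPLE_LOG, when):
            print(f"{dest:5s} {rule:14s} {line[:60]}")
```

In a real deployment the e-mail and pager destinations would be sent from `route()` rather than returned, and the rule table would be the place to add the non-Snort events the message mentions; a low-priority Snort alert is deliberately mailed but never paged, so tuning the `important` flag per rule is what keeps the pager quiet.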
