[Snort-users] snort and ACID

Steve Hutchins Steve.Hutchins at ...277...
Tue Jan 30 18:08:06 EST 2001


Yes, what I would ideally like to be able to do,
is to have all the snort sensors just log to syslog,
across the net to an ACID console. Then run a script
on the console looking for syslog alerts and then updating
the database. But the data logged to syslog is 'slim'
compared with what the db plugin provides.

Steve

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar at ...294...]
Sent: Wednesday, 31 January 2001 11:24 
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort and ACID


What about logcheck and/or swatch?

Here we're planning to do a similar thing (rolling out snort, with local
MySQL DB, and replicating to a central MySQL database), and what I'm doing
is using syslog as well as MySQL logging. Swatch monitors the syslogs and
reports accordingly (i.e. sends Email) when certain events occur.

The big advantage with swatch/syslog is that you can alert on things other
than snort - root login failures via ssh should still be reported - but
snort ain't very good at picking them up ;-)

What I'm doing here is sending Email alerts for "important" things to an
address that "works out" whether it's work hours or not - and sends to a
pager when it isn't...

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
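As an added illustration of the two approaches discussed in this thread (a console-side script that picks snort alerts out of syslog and loads them into a database, and a swatch-style watcher that also catches ssh login failures and decides between mail and pager by time of day), here is a small Python example. It is not code from either poster or from the Snort project. The syslog line layouts for snort and sshd, the local-rule SIDs, the sample log lines, the SQLite table and the work-hours policy (Mon to Fri, 08:00 to 18:00) are all assumptions made for the example:

```python
"""Watch syslog lines for snort alerts and ssh login failures, keep the snort
alerts in a database, and route important events by time of day.
Added example; the line formats and the policy below are assumptions."""
import re
import sqlite3
from datetime import datetime

# Assumed snort syslog layout:
# "<Mon dd HH:MM:SS> <host> snort[pid]: [gid:sid:rev] msg
#  [Classification: ...] [Priority: n]: {proto} src[:port] -> dst[:port]"
SNORT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"snort(?:\[\d+\])?: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)
# Assumed OpenSSH "Failed password" layout.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+)"
)

# Constructed sample log (not a real capture); SIDs are in the local-rule range.
SAMPLE_LOG = """\
Jan 30 18:08:06 sensor1 snort[1234]: [1:1000001:1] LOCAL ICMP ping sweep [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.1.1.50 -> 10.1.1.10
Jan 30 18:08:07 sensor1 snort[1234]: [1:1000002:1] LOCAL web server probe [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.1.1.50:4321 -> 10.1.1.80:80
Jan 30 18:08:09 sensor1 sshd[2201]: Failed password for root from 10.1.1.50 port 4444 ssh2
Jan 30 18:08:10 sensor1 cron[300]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_line(line):
    """Return an event dict for a snort alert or an sshd failure, else None."""
    m = SNORT_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "snort"
        ev["prio"] = int(ev["prio"])
        for port in ("sport", "dport"):
            ev[port] = int(ev[port]) if ev[port] else None
        return ev
    m = SSHD_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "sshd"
        return ev
    return None


def open_db(path=":memory:"):
    """Create the (assumed) alert table; the real ACID schema is richer."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS event (ts TEXT, host TEXT, sid INTEGER, "
        "rev INTEGER, msg TEXT, classification TEXT, priority INTEGER, "
        "proto TEXT, src TEXT, sport INTEGER, dst TEXT, dport INTEGER)"
    )
    return conn


def store_snort(conn, ev):
    conn.execute(
        "INSERT INTO event VALUES (?,?,?,?,?,?,?,?,?,?,?,?)",
        (ev["ts"], ev["host"], int(ev["sid"]), int(ev["rev"]), ev["msg"],
         ev["cls"], ev["prio"], ev["proto"], ev["src"], ev["sport"],
         ev["dst"], ev["dport"]),
    )


def is_important(ev):
    """Assumed policy: priority-1 snort alerts and failed root logins."""
    if ev["kind"] == "snort":
        return ev["prio"] <= 1
    return ev["user"] == "root"


def in_work_hours(now):
    return now.weekday() < 5 and 8 <= now.hour < 18


def route(ev, now):
    """'log' for routine events; important ones go to email in work hours,
    to the pager otherwise."""
    if not is_important(ev):
        return "log"
    return "email" if in_work_hours(now) else "pager"


def process(lines, now, conn=None):
    """Parse lines, store snort alerts, and return (kind, what, route) tuples."""
    conn = conn or open_db()
    decisions = []
    for line in lines:
        ev = parse_line(line.rstrip("\n"))
        if ev is None:
            continue
        if ev["kind"] == "snort":
            store_snort(conn, ev)
        what = ev.get("msg") or "ssh failure for " + ev["user"]
        decisions.append((ev["kind"], what, route(ev, now)))
    conn.commit()
    return decisions


def count_stored(conn):
    return conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    when = datetime(2001, 1, 30, 18, 8)  # Tuesday evening, outside work hours
    for kind, what, where in process(SAMPLE_LOG.splitlines(), when, db):
        print(f"{kind:5} {where:5} {what}")
    print(count_stored(db), "snort alerts stored")
```

Run stand-alone it loads the constructed log, stores the two snort alerts, and shows the routine ping sweep logged only while the priority-1 web probe and the failed root login go to the pager because the sample timestamp falls after hours. The regexes anchor the whole snort line, so a truncated or differently formatted alert is skipped rather than partly stored, which is the failure mode to watch for when the syslog line carries less than the database plugin would.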

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users