[Snort-users] Snort reporting and alerting

Dragos Ruiu dr at ...381...
Mon May 28 21:12:36 EDT 2001


On Sun, 27 May 2001, Sid wrote:
> Hi,
> 
> I believe any IDS implementation is not very effective unless you have a
> real-time reporting/alerting mechanism and also a way of filtering out the less
> important alerts from the real threatening ones. So, I would like to know
> how people using Snort are doing this. I am trying to put some perl code
> together for the same and would like suggestions on what kind of reports and
> in what format would be useful.

Snort -> syslog and swatch is a nice combination if you absolutely must
have that latest portscan address delivered to you right now.

As far as real-time alerting... it's cool if you can afford to have someone
watching those logs 24x7, but that is a luxury very few have.  Most people
are happy if they even have a knowledgeable analyst sampling the
alert logs periodically, if at all.

BTW, whenever I hear the term real-time, I'm always reminded how
easy to misuse that is... I think you mean low-latency alerting, because
a daily e-mail summary of alerts is still "real-time" reporting.

cheers,
--dr
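As an added example, not code from this thread, here is the kind of filter Sid asked about, written in Python rather than perl: it parses Snort's syslog-format alert lines, splits the high-priority ones off for immediate delivery (the low-latency path) and folds everything into a grouped periodic summary (the daily e-mail path). The syslog line format is the one Snort's alert_syslog output is assumed to write, and the log lines themselves are constructed.

```python
import re
from collections import Counter

# Snort alert as written to syslog by alert_syslog; format assumed from the
# Snort 1.x/2.x output plugin. Priority 1 is the most severe.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed sample log: three Snort alerts of differing priority, one repeat,
# and one unrelated sshd line that the parser must skip.
SAMPLE_LOG = """\
May 28 21:10:01 sensor snort[1234]: [1:1002:5] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.5:4321 -> 192.168.1.10:80
May 28 21:10:02 sensor snort[1234]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.5 -> 192.168.1.10
May 28 21:10:03 sensor snort[1234]: [1:384:4] ICMP PING [Classification: Misc activity] [Priority: 3]: {ICMP} 10.0.0.7 -> 192.168.1.10
May 28 21:10:04 sensor snort[1234]: [1:1002:5] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.5:4322 -> 192.168.1.10:80
May 28 21:10:05 sensor sshd[99]: Accepted publickey for ops from 192.168.1.2
"""

def parse_alerts(text):
    """Yield one dict per Snort alert line; non-Snort syslog lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            d["prio"] = int(d["prio"])
            yield d

def page_now(alerts, max_prio=1):
    """Low-latency path: only alerts at or above the severity threshold."""
    return [a for a in alerts if a["prio"] <= max_prio]

def daily_summary(alerts):
    """Batch path: count (sid, msg, src) so repeats collapse to one report line."""
    return Counter((a["sid"], a["msg"], a["src"]) for a in alerts)

if __name__ == "__main__":
    alerts = list(parse_alerts(SAMPLE_LOG))
    for a in page_now(alerts):
        print("PAGE:", a["msg"], a["src"], "->", a["dst"])
    for (sid, msg, src), n in daily_summary(alerts).most_common():
        print(f"{n:4d}  sid {sid}  {msg}  from {src}")
```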
