[Snort-users] snort local.rules help
skip at ...1552...
Thu Oct 4 14:54:01 EDT 2001
> yeah, I did that too with logcheck, and now it nightly emails me 5 MB lists
> of deny rules...
> it used to be ok when there was only a thousand lines or so, but this is
> I use logcheck to email my firewall DENY's and snort alerts to several
> other boxes on my network
I used to do that until the logs got to be too big to manage and assimilate.
Now I parse the information out of the DENY entries and feed them into
a database (I am using Postgres because it has native data types for
IP addrs and related). Now it's easy to see what activity is going
on, and ask questions like "was anything unusual happening on 10 Sept?".
(I even caught somebody doing a slow 3-day scan of my /24 network
because of the use of a database).
Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc. INTERNET: skip at ...1552...
1340 Munras Ave., Suite 314 UUCP: ...!uunet!taygeta!skip
Monterey, CA. 93940 WWW: http://www.taygeta.com/skip.html
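As an added example of the approach Skip describes (not code from the post or from Taygeta): parse firewall DENY entries, stage them for a Postgres table whose address columns use the native inet type, and ask the two questions he mentions, per-day volume and a slow scan of a /24. The ipchains-style "Packet log:" line layout, the table layout, and the log lines themselves are constructed for this example; the only Postgres features relied on are the inet type and its `<<` subnet-containment operator.

```python
"""Stage firewall DENY log lines for a Postgres table with inet columns and
look for slow scans.  Added example: the log format, table layout and the
sample lines below are assumptions/constructed, not from the original post."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source probing port 22 across 10.1.1.0/24 over three
# days (a slow scan), plus unrelated DNS noise hitting a single host.
SAMPLE_LOG = """\
Oct  8 03:12:44 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:4321 10.1.1.7:22 L=60 S=0x00 I=0 F=0x4000 T=64 SYN
Oct  8 11:40:02 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:4322 10.1.1.19:22 L=60 S=0x00 I=0 F=0x4000 T=64 SYN
Oct  9 02:05:31 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:4323 10.1.1.33:22 L=60 S=0x00 I=0 F=0x4000 T=64 SYN
Oct  9 19:17:09 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:4324 10.1.1.64:22 L=60 S=0x00 I=0 F=0x4000 T=64 SYN
Oct 10 08:55:50 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:4325 10.1.1.200:22 L=60 S=0x00 I=0 F=0x4000 T=64 SYN
Oct  9 13:00:00 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.5:53 10.1.1.7:1026 L=78 S=0x00 I=0 F=0x0000 T=51
Oct  9 13:00:05 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.5:53 10.1.1.7:1027 L=78 S=0x00 I=0 F=0x0000 T=51
"""

# Assumed ipchains-style syslog line; adjust for your firewall's format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\w+) (?P<action>DENY|REJECT|ACCEPT) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Hypothetical table: src/dst are inet so Postgres can do subnet arithmetic.
SCHEMA_SQL = """
CREATE TABLE fw_deny (
    ts     timestamp NOT NULL,
    chain  text,
    iface  text,
    proto  smallint,
    src    inet NOT NULL,
    sport  integer,
    dst    inet NOT NULL,
    dport  integer
);
CREATE INDEX fw_deny_src_ts ON fw_deny (src, ts);
"""

# Rows from parse_deny_lines() feed this via cur.executemany(INSERT_SQL, rows).
INSERT_SQL = ("INSERT INTO fw_deny (ts, chain, iface, proto, src, sport, dst, dport) "
              "VALUES (%s, %s, %s, %s, %s, %s, %s, %s)")

# Sources that touched at least N distinct hosts inside a /24 during a window.
# inet's << operator is the "is contained in this cidr" test.
SLOW_SCAN_SQL = """
SELECT src, count(DISTINCT dst) AS hosts, min(ts) AS first_seen, max(ts) AS last_seen
FROM fw_deny
WHERE dst << %s::cidr AND ts >= %s AND ts < %s
GROUP BY src
HAVING count(DISTINCT dst) >= %s
ORDER BY hosts DESC;
"""


def parse_deny_lines(text, year):
    """Return DENY entries as tuples in INSERT_SQL column order.
    Syslog lines carry no year, so the caller supplies it."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("action") != "DENY":
            continue  # unparseable or not a DENY: skip rather than guess
        stamp = " ".join(m.group("ts").split())  # collapse "Oct  8" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        rows.append((ts, m.group("chain"), m.group("iface"), int(m.group("proto")),
                     m.group("src"), int(m.group("sport")),
                     m.group("dst"), int(m.group("dport"))))
    return rows


def deny_counts_by_day(rows):
    """'Was anything unusual on 10 Sept?': DENY volume per calendar day."""
    counts = defaultdict(int)
    for ts, *_ in rows:
        counts[ts.date().isoformat()] += 1
    return dict(counts)


def slow_scan_sources(rows, net_prefix, min_hosts):
    """Pure-Python twin of SLOW_SCAN_SQL, for checking the query offline.
    Returns {src: (distinct_hosts, (first_seen, last_seen))}."""
    net = ipaddress.ip_network(net_prefix)
    hosts, span = defaultdict(set), {}
    for ts, _chain, _iface, _proto, src, _sport, dst, _dport in rows:
        if ipaddress.ip_address(dst) not in net:
            continue
        hosts[src].add(dst)
        lo, hi = span.get(src, (ts, ts))
        span[src] = (min(lo, ts), max(hi, ts))
    return {s: (len(h), span[s]) for s, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    rows = parse_deny_lines(SAMPLE_LOG, 2001)
    print(deny_counts_by_day(rows))
    for src, (n, (first, last)) in slow_scan_sources(rows, "10.1.1.0/24", 4).items():
        print(f"{src}: {n} hosts between {first} and {last}")
```

The Python `slow_scan_sources` exists only to sanity-check the logic; once the rows are in Postgres, `SLOW_SCAN_SQL` with a window of several days does the same thing over the real table, and the `(src, ts)` index keeps the per-source aggregation cheap as the table grows past what a nightly e-mail could carry.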