[Snort-users] snort local.rules help

Skip Carter skip at ...1552...
Thu Oct 4 14:54:01 EDT 2001


> yeah, I did that too with logcheck, and now it nightly emails me 5 mb lists
> of deny rules...
> 
> it used to be ok when there was only a thousand lines or so, but this is
> ridiculous...
> 

> Frank


> I use logcheck to email my firewall DENY's and snort alerts to several
> other boxes on my network


   I used to do that until the logs got to be too big to manage and assimilate.

   Now I parse the information out of the DENY entries and feed them into
   a database (I am using Postgres because it has native data types for
   IP addrs and related).   Now it's easy to see what activity is going
   on, and ask questions like "was anything unusual happening on 10 Sept".
   (I even caught somebody doing a slow 3-day scan of my /24 network
   because of the use of a database).



-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip at ...1552...
 1340 Munras Ave., Suite 314    UUCP:     ...!uunet!taygeta!skip
 Monterey, CA. 93940            WWW: http://www.taygeta.com/skip.html
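The approach described in the reply above, worked through as an added example (this is not Skip's code, and the log format, table layout and thresholds are my assumptions): parse kernel DENY lines out of a syslog file, keep the fields that matter, stage them for a Postgres table whose `src`/`dst` columns use the native `inet` type, and then ask the two questions the post mentions, "what happened on a given day" and "is any single source quietly walking my /24 over several days". The sample log is constructed in ipchains syslog style and uses documentation address ranges; the detection is run both in Python (so the block is self-contained) and expressed as the equivalent SQL you would run against the table.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample: ipchains-style kernel DENY lines as syslog writes them.
# 203.0.113.7 probes SSH on one new internal host every few hours for three
# days (a "slow" scan); 198.51.100.9 is ordinary NetBIOS noise at one host.
SAMPLE_LOG = """\
Oct  8 02:11:03 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4321 192.0.2.10:22 L=60 S=0x00 I=0 F=0x4000 T=52 SYN (#3)
Oct  8 14:40:19 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4322 192.0.2.11:22 L=60 S=0x00 I=0 F=0x4000 T=52 SYN (#3)
Oct  9 05:02:55 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4323 192.0.2.12:22 L=60 S=0x00 I=0 F=0x4000 T=52 SYN (#3)
Oct  9 21:17:08 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4324 192.0.2.13:22 L=60 S=0x00 I=0 F=0x4000 T=52 SYN (#3)
Oct 10 03:45:41 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4325 192.0.2.14:22 L=60 S=0x00 I=0 F=0x4000 T=52 SYN (#3)
Oct 10 09:12:00 gw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.9:53 192.0.2.10:137 L=78 S=0x00 I=0 F=0x0000 T=110 (#7)
Oct 10 09:12:30 gw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.9:53 192.0.2.10:137 L=78 S=0x00 I=0 F=0x0000 T=110 (#7)
"""

# Only the leading fields are captured; the rest of the line is ignored.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"Packet log: (?P<chain>\S+) DENY (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_deny_lines(text, year=2001):
    """Turn DENY lines into records; syslog omits the year, so it is supplied."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a DENY line (or a format we don't understand)
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}",
                               "%b %d %H:%M:%S %Y")
        records.append({
            "ts": ts, "chain": m["chain"], "iface": m["iface"],
            "proto": int(m["proto"]),
            "src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"]),
        })
    return records


# Assumed table layout; inet lets Postgres compare and subnet-match addresses.
SCHEMA_SQL = """
CREATE TABLE deny (
    ts     timestamp NOT NULL,
    chain  text,
    iface  text,
    proto  smallint,
    src    inet NOT NULL,
    sport  integer,
    dst    inet NOT NULL,
    dport  integer
);
CREATE INDEX deny_src_idx ON deny (src);
CREATE INDEX deny_ts_idx  ON deny (ts);
"""

# Parameterised insert for a DB-API driver (cursor.executemany(INSERT_SQL, params));
# log text is untrusted input, so it is never spliced into SQL as a string.
INSERT_SQL = ("INSERT INTO deny (ts, chain, iface, proto, src, sport, dst, dport) "
              "VALUES (%s, %s, %s, %s, %s::inet, %s, %s::inet, %s)")


def insert_params(records):
    """Parameter tuples matching INSERT_SQL, one per parsed record."""
    return [(r["ts"], r["chain"], r["iface"], r["proto"], str(r["src"]),
             r["sport"], str(r["dst"]), r["dport"]) for r in records]


# The same slow-scan question asked of the table: sources that touched several
# distinct hosts in our /24 across more than one calendar day.  '<<' is
# Postgres's "is contained within" operator for inet/cidr.
SLOW_SCAN_SQL = """
SELECT src, count(DISTINCT dst) AS hosts,
       max(ts::date) - min(ts::date) + 1 AS days
FROM deny
WHERE dst << '192.0.2.0/24'::cidr
GROUP BY src
HAVING count(DISTINCT dst) >= 3 AND max(ts::date) - min(ts::date) + 1 >= 2;
"""


def find_slow_scans(records, network, min_hosts=3, min_days=2):
    """In-memory equivalent of SLOW_SCAN_SQL: {src: (distinct hosts, days spanned)}."""
    net = ipaddress.ip_network(network)
    hosts, dates = defaultdict(set), defaultdict(set)
    for r in records:
        if r["dst"] in net:
            hosts[r["src"]].add(r["dst"])
            dates[r["src"]].add(r["ts"].date())
    found = {}
    for src, targets in hosts.items():
        span = (max(dates[src]) - min(dates[src])).days + 1
        if len(targets) >= min_hosts and span >= min_days:
            found[str(src)] = (len(targets), span)
    return found


def records_on(records, day):
    """Everything denied on one calendar day, given as 'YYYY-MM-DD'."""
    wanted = datetime.strptime(day, "%Y-%m-%d").date()
    return [r for r in records if r["ts"].date() == wanted]


if __name__ == "__main__":
    recs = parse_deny_lines(SAMPLE_LOG)
    print(f"parsed {len(recs)} DENY records, {len(records_on(recs, '2001-10-10'))} on 10 Oct")
    for src, (n, days) in find_slow_scans(recs, "192.0.2.0/24").items():
        print(f"{src}: probed {n} hosts over {days} days")
```

The thresholds (three hosts, two days) are deliberately low for the seven-line sample; on a real /24 you would tune them against a week of baseline traffic, and a daily cron run of `SLOW_SCAN_SQL` replaces the 5 MB nightly mail with a handful of rows.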