[Snort-users] Alerting concept...

peter.grosse-hering at ...9150...
Thu Dec 11 02:25:03 EST 2003


Currently we're using 2 types of rules, the "alert" rules and the "log" rules,
and ignore rule priority completely. We log alerts to syslog and use
swatch to send out notifications. For statistical purposes, we log both kinds
of events to a mysql database.

Is this a usual concept to distinguish between "alert" and "log" rules
instead of priority, or is it recommended to base notification on the rules'
priority? What are the advantages/disadvantages?
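An added example, not from the post above or from the Snort project: a small Python routine showing what priority-based notification would look like on the syslog side. It assumes Snort 2.x's syslog alert message format (`[gid:sid:rev] msg [Classification: ...] [Priority: N] {proto} src -> dst`) and uses constructed sample lines; note that with the "alert"/"log" split, log-rule events never reach syslog at all, whereas priority lets the same alert stream be split by threshold.

```python
import re

# Constructed sample lines in Snort 2.x syslog alert format (not real traffic).
SAMPLE_SYSLOG = """\
Dec 11 02:25:03 ids snort[4242]: [1:1000001:1] LOCAL web probe [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:51000 -> 192.0.2.10:80
Dec 11 02:25:04 ids snort[4242]: [1:1000002:1] LOCAL icmp sweep [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.8 -> 192.0.2.10
Dec 11 02:25:05 ids snort[4242]: [1:1000003:1] LOCAL noisy informational [Priority: 2] {UDP} 198.51.100.9:53 -> 192.0.2.10:53
"""

# The classification block is optional: rules without a classtype still carry a priority.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\]"
)


def parse_alert(line):
    """Return the fields swatch-style routing needs, or None for non-alert lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "sid": int(d["sid"]),
        "msg": d["msg"],
        "classification": d["cls"],   # None when the rule has no classtype
        "priority": int(d["prio"]),   # 1 is the most severe in Snort's scheme
    }


def should_notify(alert, max_priority=1):
    """Priority-based policy: page only on alerts at or above the threshold severity."""
    return alert["priority"] <= max_priority


def triage(syslog_text, max_priority=1):
    """Split a syslog excerpt into (sids to notify on, sids only recorded for statistics)."""
    notify, quiet = [], []
    for line in syslog_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        (notify if should_notify(alert, max_priority) else quiet).append(alert["sid"])
    return notify, quiet
```

Raising `max_priority` widens the notification set without touching any rule's type, which is the knob the alert/log split does not offer.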

