[Snort-users] Re: Sending mail

Michael J. McCasland mjm at ...7530...
Sun Jan 12 06:50:02 EST 2003


I have seen a variety of questions regarding notification of events. I 
thought I would share our strategy.

We currently have a total of 20 sensors in 5 organizations running with 
this config:
Snort built --with-snmp, --with-postgresql - running on one or many 
Linux servers with multiple NICs
Each NIC represents one sensor and has its own snort.conf file 
(allowing for tailored configuration of rules for each segment and 
unique sensor identification)
We alert centrally to a Postgres DB server
We alert via snmp to our NMS server (OpenNMS)
Use ACID for Data Analysis, and IDS policy manager for rule management
The NMS server receives the SNMP traps and performs mail, pager, and 
internal event notifications based on the receipt of the trap and its 
own escalation/notification rules.
We are currently building a security response/ticketing system to help 
manage the events and their corresponding responses that organizations' 
policies require.

This config seems to work well for us. Thought I would share.

-mike mccasland
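As an added illustration of the layout described above (not the poster's own files or scripts), the following script generates one snort.conf per NIC, giving each interface its own sensor_name for the central Postgres database output and its own numeric sensor ID for the SNMP trap output, and prints the per-interface launch command. The hostnames, community string, password placeholder, sensor host name and paths are assumptions; the output directives follow the Snort 1.9-era `output database:` and `output trap_snmp:` syntax.

```shell
#!/bin/sh
# Added example: one snort.conf per NIC so each interface is its own sensor,
# all alerting to one Postgres server and one SNMP trap listener.
# Every value below is an assumption for the example, not the poster's config.

DB_HOST="db.example.net"                    # assumed central Postgres host
NMS_HOST="nms.example.net"                  # assumed OpenNMS trap listener
COMMUNITY="snortcommunity"                  # assumed SNMPv2c community string
SENSOR_HOST="${SENSOR_HOST:-sensor01}"      # assumed short name of this sensor box
CONF_ROOT="${CONF_ROOT:-/tmp/snort-sensors}"

# gen_conf IFACE SENSOR_ID SEGMENT -> prints the snort.conf body for one NIC
gen_conf() {
    iface="$1"; sid="$2"; segment="$3"
    cat <<EOF
# Sensor for ${iface} (${segment}); generated, one config per NIC
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ./rules
# Central alert store: sensor_name makes this NIC a distinct sensor in ACID
output database: alert, postgresql, user=snort password=CHANGEME dbname=snort host=${DB_HOST} sensor_name=${SENSOR_HOST}-${iface}
# SNMPv2c trap to the NMS; the second field is the numeric sensor ID sent in the trap
output trap_snmp: alert, ${sid}, trap -v 2c -p 162 ${NMS_HOST} ${COMMUNITY}
# Per-segment rule selection goes here
include \$RULE_PATH/local.rules
EOF
}

# write_confs IFACE:ID:SEGMENT ... -> writes CONF_ROOT/<iface>/snort.conf for each
# entry and prints (does not run) the command that would start that sensor.
write_confs() {
    for entry in "$@"; do
        iface=${entry%%:*}; rest=${entry#*:}
        sid=${rest%%:*};    segment=${rest#*:}
        mkdir -p "$CONF_ROOT/$iface"
        gen_conf "$iface" "$sid" "$segment" > "$CONF_ROOT/$iface/snort.conf"
        # the file holds the DB password and the community string: owner-only
        chmod 600 "$CONF_ROOT/$iface/snort.conf"
        echo "snort -D -i $iface -c $CONF_ROOT/$iface/snort.conf -l /var/log/snort/$iface"
    done
}

# usage: sh sensors.sh eth1:11:dmz eth2:12:lan
if [ "$#" -gt 0 ]; then
    write_confs "$@"
fi
```

Two things to keep in view with this layout: the database `sensor_name` and the trap sensor ID are separate identifiers, so keep a mapping between them so the NMS event and the ACID record can be tied back to the same NIC; and SNMPv2c traps carry the community string in cleartext, so the trap path from sensors to the NMS should be a network you already trust, and the generated files need to stay owner-readable only.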