[Snort-users] Re: Sending mail
Michael J. McCasland
mjm at ...7530...
Sun Jan 12 06:50:02 EST 2003
I have seen a variety of questions regarding notification of events. I
thought I would share our strategy.
We currently have a total of 20 sensors in 5 organizations running with
Snort built --with-snmp, --with-postgresql - running on one or many
Linux servers with multiple NICs.
Each NIC represents one sensor and has its own snort.conf file
(allowing for tailored configuration of rules for each segment and
unique sensor identification).
We alert centrally to a Postgres DB server.
We alert via SNMP to our NMS server (OpenNMS).
We use ACID for data analysis, and IDS Policy Manager for rule management.
The NMS server receives the SNMP traps and performs mail, pager, and
internal event notifications based on the receipt of the trap and its
own escalation/notification rules.
We are currently building a security response/ticketing system to help
manage the events and their corresponding responses that organizations
This config seems to work well for us. Thought I would share.
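Editor's note: the per-NIC layout described above, written out as an added example (not the poster's own configuration). It is one snort.conf for a single sniffing interface, using the database and trap_snmp output plugins that shipped with the Snort 1.9-era builds the post refers to. The hostnames, community string, password, network range and sensor name are placeholders, and the sensor ID passed to trap_snmp (7) is an assumed value.

```conf
# Added example: /etc/snort/snort-eth1.conf, one file per NIC.
# Started as a separate daemon per interface, e.g.
#   snort -c /etc/snort/snort-eth1.conf -i eth1 -D
# All names, addresses and credentials below are placeholders.

# Segment-specific variables and rules (this NIC watches a DMZ, so only
# the rule sets relevant to that segment are loaded).
var HOME_NET 192.0.2.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/smtp.rules

# Central Postgres database (the ACID console reads from the same DB).
# sensor_name is what makes alerts from this NIC distinguishable from the
# other sensors running on the same host; without it the database plugin
# derives the sensor from hostname and interface.
output database: alert, postgresql, user=snort password=CHANGEME dbname=snort host=acid-db.example.net sensor_name=sensor01-eth1-dmz

# SNMPv2c trap to the NMS. The second argument (7) is the sensor ID the
# trap carries; the rest is passed to the snmptrap command line. The NMS
# decides who gets mail or a page, so nothing mail-related lives here.
output trap_snmp: alert, 7, trap -v 2c -p 162 opennms.example.net snortCommunity
```

Two things to check when running several Snort daemons on one box this way: give each one a distinct -l log directory and PID file so they do not clobber each other, and treat the database password in the config (and the SNMPv2c community string on the wire) as secrets, which means restrictive file permissions on every snort-*.conf and, where the NMS supports it, the SNMPv3 inform form of trap_snmp with authentication and privacy instead of a plain community string.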