[Snort-users] Quick poll: favorite snort config?

Shane Hickey shane at ...5522...
Tue Jan 14 15:52:05 EST 2003


On Thu, 2003-01-09 at 14:13, Benjamin Feen wrote:
> Anyone want
> to share a quick summary of how their system's configured? 

Personally, I use snort sending output to syslog and a MySQL server.  I
use swatch to watch syslog and e-mail me Priority: 1 alerts and Snort
failing or restarting messages.  I use Acid to wade through all my
alerts each day.  I mail the worst offenders to myself and have a
procmail script parse all of the acid summaries out and put them into
one file.  Then I use the freeware script incident.pl to send incident
reports to the appropriate (at least most of the time) contacts.

It works pretty well for me, but there might be a better way.  I'd like
to start running snort-inline (because the FreeBSD box that runs snort
at my home is also my firewall).  It seems like good documentation on
snort-inline is just starting to pop up, but I haven't read far enough
into it to decide if snort-inline is dependent on iptables.

Shane
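The swatch rules Shane describes (mail every Priority: 1 alert, plus any sign of snort stopping or starting, and let everything else wait for the daily Acid review) amount to a small classifier over syslog lines. The following is an added example, not code from the post or from the swatch or snort projects, that shows that classification in Python over a handful of constructed syslog lines. The alert line layout is the classic Snort 2.x `alert_syslog` format; the two lifecycle strings it matches ("Snort exiting", "Snort initialization completed") are assumptions to be adjusted to whatever your snort version actually logs, and the SIDs and addresses are made up.

```python
import re
from typing import Dict, List, Optional

# One-line alert format Snort writes through its syslog output plugin
# (classic Snort 2.x layout).  Ports are optional because ICMP alerts have none.
ALERT_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.+?) "
    r"\[Classification: (?P<classification>[^\]]+)\] "
    r"\[Priority: (?P<priority>\d+)\]: "
    r"\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Engine start/stop messages worth paging on.  ASSUMPTION: these strings are
# what this example expects; check them against your own snort's syslog output.
LIFECYCLE_RE = re.compile(
    r"snort\[\d+\]: (?P<event>Snort exiting|Snort initialization completed)"
)

PAGE_PRIORITY = 1  # alerts at this priority number or lower get e-mailed


def parse_alert(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the alert fields of a syslog line, or None if it is not a Snort alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return m.groupdict()


def classify(line: str) -> str:
    """Decide what the swatch rules would do with one syslog line:
    'page' (mail it now), 'lifecycle' (snort stopped or started), or 'ignore'
    (leave it for the daily Acid review)."""
    alert = parse_alert(line)
    if alert is not None:
        return "page" if int(alert["priority"]) <= PAGE_PRIORITY else "ignore"
    if LIFECYCLE_RE.search(line):
        return "lifecycle"
    return "ignore"


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Bucket a batch of syslog lines; 'page' and 'lifecycle' are the two
    buckets that would be forwarded by e-mail."""
    buckets: Dict[str, List[str]] = {"page": [], "lifecycle": [], "ignore": []}
    for line in lines:
        buckets[classify(line)].append(line)
    return buckets


# Constructed sample syslog lines: RFC 5737 test addresses, local-rule SIDs,
# and one unrelated sshd line to show non-snort traffic is left alone.
SAMPLE_LOG = [
    "Jan 14 15:50:01 fw snort[1234]: [1:1000001:1] CONSTRUCTED root shell attempt "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1]: "
    "{TCP} 192.0.2.10:4444 -> 198.51.100.5:22",
    "Jan 14 15:50:02 fw snort[1234]: [1:1000002:1] CONSTRUCTED ping sweep "
    "[Classification: Misc activity] [Priority: 3]: {ICMP} 192.0.2.11 -> 198.51.100.5",
    "Jan 14 15:50:03 fw snort[1234]: Snort exiting",
    "Jan 14 15:50:04 fw sshd[999]: Accepted publickey for shane from 198.51.100.9 port 5000 ssh2",
    "Jan 14 15:50:05 fw snort[1300]: Snort initialization completed successfully (pid=1300)",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket in ("page", "lifecycle"):
        for line in result[bucket]:
            print(f"{bucket:9s} {line}")
```

Keying the page decision on the numeric Priority field rather than on the rule message keeps the rule set stable when signatures are updated; the lifecycle match is the part most likely to need tuning, since a quiet snort that has silently died looks exactly like a quiet network.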
