[Snort-users] Quick poll: favorite snort config?
shane at ...5522...
Tue Jan 14 15:52:05 EST 2003
On Thu, 2003-01-09 at 14:13, Benjamin Feen wrote:
> Anyone want
> to share a quick summary of how their system's configured?
Personally, I use snort sending output to syslog and a MySQL server. I
use swatch to watch syslog and e-mail me Priority: 1 alerts and Snort
failing or restarting messages. I use Acid to wade through all my
alerts each day. I mail the worst offenders to myself and have a
procmail script parse all of the acid summaries out and put them into
one file. Then I use the freeware script incident.pl to send incident
reports to the appropriate (at least most of the time) contacts.
It works pretty well for me, but there might be a better way. I'd like
to start running snort-inline (because the FreeBSD box that runs snort
at my home is also my firewall). It seems like good documentation on
snort-inline is just starting to pop up, but I haven't read far enough
into it to decide if snort-inline is dependent on iptables.
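The swatch step described in the post above (watch syslog, mail Priority: 1 alerts plus any Snort stop/start message) boils down to two regexes over the syslog stream. The script below is an added example, not code from the post or from swatch; it assumes the alert line layout of Snort's syslog output plugin, and the "Snort exiting" / "Snort initialization completed successfully" status wording and the log lines themselves are constructed for illustration.

```python
"""Select, from a syslog stream, what the post's swatch rule pages on:
Snort alerts at Priority: 1 and Snort start/stop messages."""
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample syslog lines (not a real capture). The alert lines follow
# the layout of Snort's syslog output plugin; the two status-message texts are
# assumed wording for illustration. The sshd line is noise the filter must skip.
SAMPLE_LOG = """\
Jan 14 15:40:01 fw snort[812]: [1:1256:7] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3271 -> 198.51.100.5:80
Jan 14 15:40:03 fw snort[812]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.11 -> 198.51.100.5
Jan 14 15:41:10 fw snort[812]: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.12:1434 -> 198.51.100.5:1434
Jan 14 15:42:00 fw snort[812]: Snort exiting
Jan 14 15:42:05 fw snort[901]: Snort initialization completed successfully (pid=901)
Jan 14 15:43:30 fw sshd[555]: Accepted publickey for shane from 198.51.100.7 port 40022 ssh2
Jan 14 15:44:12 fw snort[901]: [1:1002:5] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3290 -> 198.51.100.5:80
"""

# Common syslog prefix: timestamp, host, "snort[pid]: ".
SYSLOG_PREFIX = r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort\[(?P<pid>\d+)\]: '

# [gid:sid:rev] message [Classification: ...] [Priority: n] {proto} src -> dst
# The Classification bracket is optional because not every rule carries a classtype.
ALERT_RE = re.compile(
    SYSLOG_PREFIX
    + r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) '
    + r'(?:\[Classification: (?P<class>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\] '
    + r'\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$'
)

# Snort process stop/start messages (assumed wording).
STATUS_RE = re.compile(
    SYSLOG_PREFIX + r'(?P<msg>Snort (?:exiting|initialization completed successfully).*)$'
)


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a Snort alert line, or None if it is not one."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["kind"] = "alert"
    return fields


def parse_status(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a Snort stop/start line, or None otherwise."""
    m = STATUS_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["kind"] = "status"
    return fields


def select_events(lines: Iterable[str], max_priority: int = 1) -> List[Dict[str, str]]:
    """Events worth an immediate e-mail, in log order: alerts whose priority
    number is <= max_priority (Snort priority 1 is the most severe) plus every
    Snort stop/start message. Everything else, including lower-priority
    alerts destined for the daily ACID review, is dropped here."""
    picked: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_alert(line)
        if ev is not None:
            if int(ev["prio"]) <= max_priority:
                picked.append(ev)
            continue
        ev = parse_status(line)
        if ev is not None:
            picked.append(ev)
    return picked


def format_report(events: List[Dict[str, str]]) -> str:
    """One line per event, the shape a notifier would put in the mail body."""
    out = []
    for ev in events:
        if ev["kind"] == "alert":
            out.append(
                f'{ev["ts"]} P{ev["prio"]} [{ev["gid"]}:{ev["sid"]}:{ev["rev"]}] '
                f'{ev["msg"]} {ev["proto"]} {ev["src"]} -> {ev["dst"]}'
            )
        else:
            out.append(f'{ev["ts"]} SNORT {ev["msg"]} (pid {ev["pid"]})')
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(select_events(SAMPLE_LOG.splitlines())))
```

On the sample input the filter keeps the two Priority: 1 alerts and the exit/restart pair and drops the two Priority: 2 alerts and the sshd line; raising max_priority to 2 would pull the lower-severity alerts into the mail as well. Matching the whole alert line rather than just the string "Priority: 1" avoids paging on a rule message that happens to contain those words.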