[Snort-users] Snort automatic email alert.

Erik Fichtner emf at ...367...
Fri Aug 6 18:13:27 EDT 2004



On Fri, Aug 06, 2004 at 07:50:23PM -0500, Harper, Patrick wrote:
> Don't those all use syslog?  

Yes.  MySQL/ACID does not scale.  (sure, it's kinda neat if you
want to browse around in a limited data set, but MySQL limitations
keep you from having real historical datasets.  You'll go to pcap files
eventually.)

And mining through the snortdb schema inside MySQL for event text in 
order to send email alerts is kinda like bringing a hatchet to an ice cream social.

Besides, if you use SEC to do this, you can spend all your time writing state engine
rules so that you can use the state engine to do work for you, instead of digging
around in a browser all day trying to figure out which false alarm you're looking at
this time.

But if you like that sort of thing, don't let me stop you.

-- 
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900
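The SEC-style state-engine approach the reply argues for, as an added example that is not from this thread or from SEC itself: a small Python correlator that parses Snort alert_syslog lines, fires one mailable message per (SID, source) when a threshold of alerts lands inside a time window, re-arms after the window, and drops a SID you have already classified as a false alarm. The regex (assumed to match the common Snort 2.x syslog layout), the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed Snort alert_syslog layout: "[gid:sid:rev] msg [Classification: c] [Priority: p] {proto} src:port -> dst:port"
SNORT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

def parse_snort_syslog(line):
    m = SNORT_RE.search(line)
    return m.groupdict() if m else None   # None for non-Snort syslog lines

class ThresholdRule:
    """SEC SingleWithThreshold-style state: fire once per (sid, src) when `thresh` events land within `window` seconds."""
    def __init__(self, thresh, window, suppress_sids=()):
        self.thresh, self.window = thresh, window
        self.suppress = set(suppress_sids)      # SIDs already triaged as false alarms
        self.seen = defaultdict(list)           # (sid, src) -> timestamps inside the window
        self.fired = {}                         # (sid, src) -> last time we mailed

    def feed(self, ts, line):
        ev = parse_snort_syslog(line)
        if ev is None or ev["sid"] in self.suppress:
            return None
        key = (ev["sid"], ev["src"])
        times = [t for t in self.seen[key] if ts - t < self.window] + [ts]  # slide the window
        self.seen[key] = times
        last = self.fired.get(key)
        if len(times) >= self.thresh and (last is None or ts - last >= self.window):
            self.fired[key] = ts                # re-arm only after a full window
            return f"snort: {ev['msg']} from {ev['src']} ({len(times)} in {self.window}s)"
        return None

def correlate(events, thresh, window, suppress_sids=()):
    """events: iterable of (unix_ts, syslog_line). Returns the messages you would hand to mail(1)."""
    rule = ThresholdRule(thresh, window, suppress_sids)
    return [a for a in (rule.feed(ts, line) for ts, line in events) if a]

# Constructed sample lines (documentation addresses), not captured traffic.
WORM = ("Aug  6 18:13:27 sensor1 snort[812]: [1:2003:8] MS-SQL Worm propagation attempt "
        "[Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.5:1434 -> 192.0.2.10:1434")
NOISE = ("Aug  6 18:13:28 sensor1 snort[812]: [1:1000001:1] LOCAL chatty rule "
         "[Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 198.51.100.7:4000 -> 192.0.2.20:80")
SAMPLE = [(0, WORM), (1, NOISE), (10, WORM), (20, WORM), (30, WORM), (400, WORM), (500, WORM), (510, WORM)]

def run_sample():
    return correlate(SAMPLE, thresh=3, window=300, suppress_sids={"1000001"})
```

Running `run_sample()` yields two messages: one at the third event inside the first window, and one more only after the window has elapsed and a fresh burst of three arrives.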