[Snort-users] only the "important stuff"

Steven Crandell steven.crandell at ...11827...
Tue Oct 26 09:36:01 EDT 2004


Hi all,

I have snort running the way I want it to run, etc.  I'm also using
logcheck to watch the logs and email me when someone exceeds my
thresholds.  Anyway, I'm pretty satisfied with how all of that is
working.

This morning the president of the co. has asked that he -not- receive
the day to day alerts and would only like to receive alerts on
"successful" intrusions.

Are there certain rules that would never be triggered unless someone
actually gets into a monitored system?  Or anything along those lines?

I know this is a little off the wall, but any help/suggestions would
be greatly appreciated.

regards,
-- 
Steven Crandell
steven.crandell at ...11827...



