[Snort-users] Trying to figure something if the following makes sense or stupid
WayneTurnquist at ...12076...
Fri Mar 3 12:36:02 EST 2006
I'm located in one hospital of many hospitals in the organization which
corp has firewall for our internet connection where there is a router
here that links us up.
I have the Ethernet port of this router in a hub where I have a second
router also connected to this hub. On this second router, the other
Ethernet is connected to a cat4006 which I span the traffic to another
hub (lets call it hub2). It is here that I have my snort and other tools
running. Snort logs to a server that has base and snare installed and
to the windows event manager where snare sends email alerts on certain
types of alerts from snort. At this point I have snort fine tune with
very little false positives.
On router two, I'm using cisco acl's to control what can come in and
what can go out through this router. I have the router configured where
it logs all denies to a kiwislog server. Most of the time the logging
is quite on the incoming side of the router but there has beend a few
cases it has been hit. Case in point, one of the Symantec servers in
corp decided it wanted to scan our network. I noticed this one night
when I needed to tweak the acl's when I did a show log.
Would it be possible and any pointers, where I could have the kiwi
syslog send alerts to base so these events could possible be correlated
to snort alerts and be investiaged/searchable in the same system.
More information about the Snort-users