[Snort-users] New IDS best practise

Martin Holste mcholste at ...11827...
Thu Nov 17 16:11:51 EST 2011


All good advice.  One other thing to consider: once you get your IDS
up and running, you're going to need pcap data so you can see what
your alerts were.  At the very least, you're going to need URL logs.
For pcap, you can go the simple route with daemonlogger, more
complicated with sancp, or for a more web-oriented approach, you can
go with my StreamDB.googlecode.com project which integrates with
Snorby.  There's also OpenFPC with Snorby integration, but I wrote
StreamDB because it is faster and I rarely need non-web data.
