[Snort-users] New IDS best practise

Joel Esler jesler at ...1935...
Thu Nov 17 20:10:16 EST 2011


As a reminder, unified2 does output the URL associated with an event in its logs. 

Sent from my iPhone

On Nov 17, 2011, at 4:11 PM, Martin Holste <mcholste at ...11827...> wrote:

> All good advice.  One other thing to consider: once you get your IDS
> up and running, you're going to need pcap data so you can see what
> your alerts were.  At the very least, you're going to need URL logs.
> For pcap, you can go the simple route with daemonlogger, more
> complicated with sancp, or for a more web-oriented approach, you can
> go with my StreamDB.googlecode.com project which integrates with
> Snorby.  There's also OpenFPC with Snorby integration, but I wrote
> StreamDB because it is faster and I rarely need non-web data.
> 
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure 
> contains a definitive record of customers, application performance, 
> security threats, fraudulent activity, and more. Splunk takes this 
> data and makes sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-novd2d
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!




More information about the Snort-users mailing list