Snort mailing list archives

Re: Snort reporting and alerting


From: Dragos Ruiu <dr () kyx net>
Date: Mon, 28 May 2001 18:12:36 -0700

On Sun, 27 May 2001, Sid wrote:
> Hi,
>
> I believe any IDS implementation is not very effective unless you have a
> real time reporting/alerting mechanism and also for filtering out the less
> important alerts from the real threatening ones. So, I would like to know
> how people using Snort are doing this. I am trying to put some perl code
> together for the same and would like suggestions on what kind of reports and
> in what format would be useful.

Snort -> syslog and swatch is a nice combination if you absolutely must
have that latest portscan address delivered to you right now..

As far as real-time alerting.... it's cool if you can afford to have someone
watching those logs 24x7 but that is a luxury very few have.  Most people
are happy if they even have a knowledgeable analyst sampling the
alert logs periodically if even at all.

BTW whenever I hear the term real-time, I'm always reminded how
easy to misuse that is... I think you mean low-latency alerting, because
a daily e-mail summary of alerts is still "real-time" reporting.

cheers,
--dr
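A small Python sketch, added here and not part of the thread, of the split Sid is asking about and Dragos describes: page right away on the few severe alerts, and roll everything else into a per-signature count for the periodic summary. The Snort-to-syslog line layout is an assumption (gid:sid:rev, message, optional classification, priority, proto, src -> dst), and the log lines are constructed.

```python
import re
from collections import Counter

# Assumed layout of a Snort alert as it lands in syslog (snort -s):
#   <syslog prefix> snort[pid]: [gid:sid:rev] MSG [Classification: ...] [Priority: N]: {PROTO} SRC -> DST
ALERT_RE = re.compile(
    r"snort(?:\[\d+\])?: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\]:? "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

# Constructed sample of a syslog file; the kernel line is there to show non-Snort noise is skipped.
SAMPLE_SYSLOG = """\
May 28 18:01:02 sensor snort[1234]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.5 -> 10.0.0.1
May 28 18:01:05 sensor snort[1234]: [1:886:1] WEB-CGI phf access [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.0.2.7:4021 -> 10.0.0.8:80
May 28 18:02:10 sensor snort[1234]: [100:1:1] spp_portscan: PORTSCAN DETECTED from 192.0.2.9 [Priority: 3]: {TCP} 192.0.2.9 -> 10.0.0.1
May 28 18:03:11 sensor snort[1234]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.5 -> 10.0.0.1
May 28 18:03:20 sensor kernel: eth0: link up
"""

def parse_alerts(syslog_text):
    """Return one dict per Snort alert line; lines that are not Snort alerts are skipped."""
    alerts = []
    for line in syslog_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["prio"] = int(rec["prio"])
            alerts.append(rec)
    return alerts

def triage(alerts, page_at_or_above=1):
    """Split alerts into the ones worth low-latency paging (Snort priority numbers:
    lower is more severe, so prio <= threshold) and a per-signature count that
    feeds the periodic summary everything else goes into."""
    page_now = [a for a in alerts if a["prio"] <= page_at_or_above]
    summary = Counter((a["sid"], a["msg"]) for a in alerts)
    return page_now, summary

def format_summary(summary):
    """One line per signature, busiest first, for the daily e-mail."""
    return "\n".join("%5d  sid %s  %s" % (n, sid, msg)
                     for (sid, msg), n in summary.most_common())

if __name__ == "__main__":
    page_now, summary = triage(parse_alerts(SAMPLE_SYSLOG))
    for a in page_now:
        print("PAGE: [%s:%s] %s %s -> %s" % (a["gid"], a["sid"], a["msg"], a["src"], a["dst"]))
    print(format_summary(summary))
```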


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
