Snort mailing list archives

Re: Snort automatic email alert.


From: Erik Fichtner <emf () servervault com>
Date: Fri, 6 Aug 2004 21:12:35 -0400


On Fri, Aug 06, 2004 at 07:50:23PM -0500, Harper, Patrick wrote:
> Don't those all use syslog?

Yes.  MySQL/ACID does not scale.  (sure, it's kinda neat if you
want to browse around in a limited data set, but MySQL limitations
keep you from having real historical datasets.  You'll go to pcap files
eventually.)

And mining through the snortdb schema inside MySQL for event text in 
order to send email alerts is kinda like bringing a hatchet to an ice cream social.

Besides, if you use SEC to do this, you can spend all your time writing state engine
rules so that you can use the state engine to do work for you, instead of digging
around in a browser all day trying to figure out which false alarm you're looking at
this time.

But if you like that sort of thing, don't let me stop you.   

-- 
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900
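As an added example (not part of the original post, and not taken from SEC's own documentation), here is the kind of SEC ruleset the reply is pointing at: a Suppress rule for a known false alarm, a Single rule that mails priority 1 alerts on first sight, and a SingleWithThreshold rule that mails other signatures only once they repeat, with a context that silences an already-mailed source for a while. The Snort syslog line layout, the placeholder SID, the recipient address and the file paths are assumptions.

```ini
# Assumes Snort writes alerts to syslog (output alert_syslog) and SEC
# follows that file, e.g.:
#   sec --conf=/etc/sec/snort.sec --input=/var/log/snort-alerts.log
# Assumed alert line layout:
#   snort[PID]: [gid:sid:rev] MSG [Classification: C] [Priority: N] {PROTO} SRC -> DST
# SEC stops at the first matching rule, so order matters: suppress first,
# then the high-priority rule, then the threshold rule for everything else.

# Rule 1: drop one known false alarm outright. 1:99999:1 is a placeholder
# SID; put the SID of your own noisy signature here.
type=Suppress
ptype=RegExp
pattern=snort\[\d+\]: \[1:99999:1\]
desc=Known false alarm, dropped

# Rule 2: priority 1 alerts are mailed on the first hit, then that
# signature/source pair is silenced for 30 minutes via a context.
# $2 (the message) comes from the Snort rule's msg field, not from packet
# data, so it is safe to put in a mail subject.
type=Single
ptype=RegExp
pattern=snort\[\d+\]: \[(\d+:\d+:\d+)\] (.+?) \[Classification: .+?\] \[Priority: 1\] \{\w+\} (\S+) -> (\S+)
context=!MAILED_$1_$3
desc=Snort priority 1: $2 from $3 to $4
action=pipe '%s' /usr/bin/mail -s "Snort P1: $2" soc@example.com; \
       create MAILED_$1_$3 1800

# Rule 3: everything else is mailed only when the same signature fires at
# least 5 times within 5 minutes (window/thresh), again with a 30 minute
# quiet period per signature/source pair so one chatty host cannot flood
# the inbox.
type=SingleWithThreshold
ptype=RegExp
pattern=snort\[\d+\]: \[(\d+:\d+:\d+)\] (.+?) \[Classification: (.+?)\] \[Priority: (\d)\] \{(\w+)\} (\S+) -> (\S+)
context=!MAILED_$1_$6
desc=Snort $1 ($2) from $6 to $7, $3, priority $4
action=pipe '%s' /usr/bin/mail -s "Snort: $2 x5" soc@example.com; \
       create MAILED_$1_$6 1800
window=300
thresh=5
```

Run SEC with `--debug` or `--dump` to confirm the patterns actually match your alert lines before relying on the thresholds.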



