Prioritization of Alerts
Before getting into the details of deploying real-time alerting capability for Snort, you must decide which alerts are critical enough for you to be notified of. Snort is versatile in the prioritization of alerts: you can select individual rule categories (classtypes) for which you want to be notified, and you can also select individual rules. A priority specified in a rule overrides any specified in the rule's category.
The alerting application, be it syslog-ng or swatch, monitors the log for a specific string. When this string is found, it executes the mailing application and sends an email with data from the actual alert. The string for which you should set these applications to search is the priority level ...
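The following is an added example, not from the book, showing the two ideas above in working code: how Snort resolves a rule's effective priority (an explicit `priority:` option beats the classtype's default from `classification.config`), and the string-matching step that swatch or syslog-ng performs on the alert log, written here as a small Python filter instead of a swatch configuration. The rules, the single-line `alert_fast`-style log entries, and the sids in the local range are all constructed for this example; the three classification entries are the stock `classification.config` values; treating `[Priority: 0]` (no classtype and no priority set) as not worth a notification is this example's own choice.

```python
import re

# Subset of Snort's stock classification.config: classtype -> (description, default priority).
# Only the entries used by the constructed rules below are listed.
CLASSIFICATIONS = {
    "attempted-admin": ("Attempted Administrator Privilege Gain", 1),
    "attempted-recon": ("Attempted Information Leak", 2),
    "icmp-event": ("Generic ICMP event", 3),
}

# Assumption: a rule with neither classtype nor priority shows up as priority 0,
# and 0 means "unset", not "more urgent than 1".
UNCLASSIFIED_PRIORITY = 0

# key:value; option pairs inside a rule's parentheses (simplified: no ';' inside quotes)
_OPTION = re.compile(r"(\w+)\s*:\s*([^;]+);")


def rule_options(rule):
    """Return the key/value options of a Snort rule as a dict."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    return {k: v.strip() for k, v in _OPTION.findall(body)}


def effective_priority(rule):
    """Priority Snort assigns the rule: an explicit priority option wins,
    otherwise the classtype's default, otherwise the unset value 0."""
    opts = rule_options(rule)
    if "priority" in opts:
        return int(opts["priority"])
    if "classtype" in opts:
        return CLASSIFICATIONS[opts["classtype"]][1]
    return UNCLASSIFIED_PRIORITY


# One-line alert_fast entry: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst
_FAST = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s+(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_fast_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = _FAST.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    alert["pri"] = int(alert["pri"])
    return alert


def alerts_to_notify(lines, max_priority=1):
    """What the log watcher does: keep alerts whose priority number is between 1
    and max_priority inclusive (1 is the most severe); priority 0 is skipped."""
    kept = []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert and 1 <= alert["pri"] <= max_priority:
            kept.append(alert)
    return kept


def format_mail(alert):
    """Body of the notification the mailing application would send."""
    return (
        f"Subject: Snort priority {alert['pri']} alert: {alert['msg']}\n\n"
        f"{alert['ts']} sid {alert['sid']} {alert['src']} -> {alert['dst']} "
        f"({alert['cls'] or 'unclassified'})"
    )


# Constructed local rules (sids in the 1000000+ local range).
SAMPLE_RULES = [
    'alert tcp any any -> $HOME_NET 22 (msg:"LOCAL ssh root login attempt"; content:"root"; classtype:attempted-admin; sid:1000001; rev:1;)',
    'alert udp any any -> $HOME_NET 161 (msg:"LOCAL snmp public community"; classtype:attempted-recon; priority:1; sid:1000002; rev:1;)',
    'alert icmp any any -> $HOME_NET any (msg:"LOCAL icmp echo"; classtype:icmp-event; sid:1000003; rev:1;)',
    'alert tcp any any -> $HOME_NET 8080 (msg:"LOCAL unclassified test"; sid:1000004; rev:1;)',
]

# Constructed alert_fast lines as those rules would log them.
SAMPLE_ALERTS = [
    "03/14-10:15:22.000001  [**] [1:1000001:1] LOCAL ssh root login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:51234 -> 10.0.0.7:22",
    "03/14-10:15:23.000002  [**] [1:1000002:1] LOCAL snmp public community [**] [Classification: Attempted Information Leak] [Priority: 1] {UDP} 192.0.2.10:51235 -> 10.0.0.7:161",
    "03/14-10:15:24.000003  [**] [1:1000003:1] LOCAL icmp echo [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.0.2.10 -> 10.0.0.7",
    "03/14-10:15:25.000004  [**] [1:1000004:1] LOCAL unclassified test [**] [Priority: 0] {TCP} 192.0.2.10:51236 -> 10.0.0.7:8080",
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule_options(rule)["sid"], "->", effective_priority(rule))
    for alert in alerts_to_notify(SAMPLE_ALERTS, max_priority=1):
        print(format_mail(alert), end="\n\n")
```

The second rule is the case the text describes: its classtype `attempted-recon` would give it priority 2, but the explicit `priority:1` wins, so it is notified alongside the `attempted-admin` rule when the threshold is 1, while the ICMP event (priority 3) and the unclassified rule are not. A swatch or syslog-ng filter would match the literal `[Priority: 1]` string in the same way.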