Alerting with Distributed Snort

To deploy real-time monitoring capability in a three-tier Snort setup, you use a different method than with the hybrid setup. It would be a waste of time and resources to install a mailing application (such as sendmail) and swatch on each sensor, and making even a single change to the swatch and sendmail configurations across multiple sensors is bound to create confusion and possibly mistakes. To solve this problem, you can use syslog-ng and Stunnel to forward alerts securely from the sensors to the Snort server. You could optionally install another server to handle the alert collection and mailing functionality, in which case you would forward alerts to this new server.

Syslog-ng is a replacement for the syslog logging ...
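A sketch of the forwarding path described above, added here as an example and not taken from the book: each sensor's syslog-ng sends Snort alerts to a local Stunnel listener, which carries them over TLS to the Snort server. The host name, ports, file paths and the use of a private CA for mutual authentication are all assumptions.

```conf
# --- Sensor: snort.conf (send alerts to the local syslog) ---
# output alert_syslog: LOG_AUTH LOG_ALERT

# --- Sensor: syslog-ng.conf ---
source s_local { unix-dgram("/dev/log"); internal(); };
filter f_snort { program("snort"); };
# Plain TCP never leaves the host; Stunnel listens on loopback (port assumed).
destination d_tunnel { tcp("127.0.0.1" port(5140)); };
log { source(s_local); filter(f_snort); destination(d_tunnel); };

; --- Sensor: stunnel.conf (client side) ---
; Host name, port and certificate paths are placeholders.
; verifyChain/checkHost need Stunnel 5.x; older releases use "verify = 2".
client = yes
cert = /etc/stunnel/sensor.pem
key = /etc/stunnel/sensor.key
CAfile = /etc/stunnel/ca.pem
verifyChain = yes
checkHost = snort-server.example.internal

[snort-alerts]
accept = 127.0.0.1:5140
connect = snort-server.example.internal:5141

; --- Server: stunnel.conf ---
; Requiring a certificate signed by the private CA keeps unknown hosts
; from injecting alerts into the collector.
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key
CAfile = /etc/stunnel/ca.pem
verifyChain = yes

[snort-alerts]
accept = 5141
connect = 127.0.0.1:5142

# --- Server: syslog-ng.conf ---
# Accept only the decrypted stream that Stunnel hands over on loopback.
source s_sensors { tcp(ip("127.0.0.1") port(5142)); };
destination d_alerts { file("/var/log/snort/sensor-alerts.log"); };
log { source(s_sensors); destination(d_alerts); };
```

With alerts collected in one file on the server, swatch and the mail application only need to be installed and maintained there.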