Alerting with Distributed Snort

To deploy real-time monitoring capability in a three-tier Snort setup you use a different method than with the hybrid. It would be a waste of time and resources to install a mailing application (such as sendmail) and swatch on each sensor. But making a single change to swatch and sendmail configurations across multiple sensors is bound to create confusion and possibly mistakes. To solve this problem, you can make use of syslog-ng and Stunnel to forward alerts securely from the sensors to the Snort server. You could optionally install another server to handle the alert collection and mailing functionality, in which case you would forward alerts to this new server.

Syslog-ng is a replacement for the syslog logging ...

Get Intrusion Detection with Snort now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.