6.5 Using Snort More Effectively


It doesn't take long before logging only to the alert file becomes ineffective. The alerts scroll by too quickly, and making sense of the logged data in a timely manner can be impossible. In Chapter 5, we looked at how to configure Snort to log to a database. The records sent to the database are rich, including details about the packet that triggered each alert. Refer to Appendix A for details on the data contained in the database. Choose a database and configure Snort to send alerts to it.

Once the data is in the database, you need to choose some tools that can present the data in a way that makes managing the alerts and the sensors quick and easy. I prefer to use ACID (the Analysis Console for Intrusion Detection). You may find that another tool suits you better. Refer to Chapter 10, Chapter 11, and Chapter 12 for an examination of the tools that are available to help you manage your Snort-based NIDS deployment. Chapter 7 discusses strategies to keep your signatures up to date and effective.
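The triage this section calls for can begin with a few joins against the tables Snort's database output writes, even before a console such as ACID is installed. The following is an added example, not code from the book or from Snort; it uses an in-memory SQLite copy of four tables (sensor, signature, event, iphdr) whose column names are my recollection of Snort's schema and should be checked against Appendix A, and it loads constructed sample alerts.

```python
import sqlite3
import ipaddress

# Subset of Snort's database schema (column names from memory; verify against Appendix A).
SCHEMA = """
CREATE TABLE sensor    (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER, sig_sid INTEGER);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER, PRIMARY KEY (sid, cid));
"""

def ip2int(ip):
    # Snort stores IPv4 addresses as unsigned 32-bit integers.
    return int(ipaddress.IPv4Address(ip))

def load_sample(conn):
    """Constructed sample data: one sensor, two signatures, ten alerts."""
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sensor VALUES (1, 'sensor1', 'eth1')")
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?, ?)",
                     [(1, "ICMP PING NMAP", 2, 469), (2, "WEB-IIS cmd.exe access", 1, 1002)])
    sources = ["10.0.0.5"] * 8 + ["10.0.0.9"] * 2      # one noisy scanner, one web probe
    for cid, src in enumerate(sources, start=1):
        sig = 1 if src == "10.0.0.5" else 2
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (1, cid, sig, f"2006-01-01 00:00:{cid:02d}"))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?)", (1, cid, ip2int(src), ip2int("192.168.1.10")))

def top_talkers(conn, limit=5):
    """Alert count per (signature, source); highest priority (1) first, then most frequent."""
    cur = conn.execute("""
        SELECT s.sig_name, s.sig_priority, i.ip_src, COUNT(*) AS n
        FROM event e
        JOIN signature s ON s.sig_id = e.signature
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        GROUP BY s.sig_name, s.sig_priority, i.ip_src
        ORDER BY s.sig_priority ASC, n DESC
        LIMIT ?""", (limit,))
    return [(name, prio, str(ipaddress.IPv4Address(src)), n) for name, prio, src, n in cur]

def demo():
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    return top_talkers(conn)

if __name__ == "__main__":
    for name, prio, src, n in demo():
        print(f"prio {prio}  {n:3d}x  {src:<15}  {name}")
```

The same query runs unchanged against a MySQL or PostgreSQL Snort database once you swap the connection, and sorting by priority before count is what keeps a single high-priority event from being buried under a scanner's noise.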



Managing Security with Snort and IDS Tools
ISBN: 0596006616
Year: 2006
Pages: 136