[Oisf-users] Suricata Logs
Cooper F. Nelson
cnelson at ucsd.edu
Mon Jul 27 21:02:09 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We are the largest employer in San Diego and this is exactly how our
deployment works! Alerts average ~500k per day and occasionally go
above a million during busy periods.
If you are doing email alerts, the trick is to monitor the text alerts
and only forward those that match certain keywords to your on-call
handler. For example, "TROJAN" and "checkin".
You can use a cron job to do this, or a program like logwatch.
- -Coop
On 7/27/2015 1:54 PM, Andreas Moe wrote:
> With regards to Alan Santos' reply. With 20 suricata instances, and the
> possibility of massive amounts of events (everything that suricata can
> produce) email is in no way, form or fashion a good choice. Saying that
> this works for you since you are CSIRT is not a valid argument. This
> since CSIRTs can be anything from a 5-man company having one guy who
> thinks he knows how security / suricata / siem / irt works, to a
> corporation with 500+ thousand employees.
- --
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
iQEcBAEBAgAGBQJVtpxRAAoJEKIFRYQsa8FWJZAIAJRDR7EvBiPBVrgKERxZa3FA
nm457WNVyXhvGfx92nUIX3hrFZp6MSrupcCJ2JCby5P5NMXXxjxLLLbOcpHICqDt
HB1qh8xVEccKbRoAUMqlOLjHC7tb0gEq+GY+QW03ZNr/FdIZH0a0gHPmG/PPcCAM
j2KSYFUj65HNFegnGp3YHyUlfeGEFzhYgzZ8pxYcFPqebvHY5Ce/tTznfwa6b7wu
U1BZBCs4+XZinE7nbRXX/CxRN/v7MTULRDUtybIaBoqwMEz2n3NOI2hnXDMtR99O
f+zWPrCKeY+lr6QuDabYKYf9acCextaf9box+5QILNiZoq6nbBGWaUHD+lKq1aE=
=J2pm
-----END PGP SIGNATURE-----
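Cooper's reply describes the filtering scheme only in outline (watch the text alerts, forward those matching keywords such as "TROJAN" and "checkin", drive it from cron). The script below is an added example of that scheme; it is not part of the thread, of Suricata, or of logwatch. It assumes the default Suricata fast.log line layout and a log path of /var/log/suricata/fast.log, remembers a byte offset in a side file so each cron run only sees alerts appended since the previous run (starting over if logrotate truncated the file, and leaving a half-written trailing line for the next run), and collapses repeated hits per signature so the on-call mail stays short. The sample alert lines are constructed for illustration, with sids in the local range.

```python
#!/usr/bin/env python3
"""Forward only keyword-matching Suricata alerts; meant to run from cron.

Added example for the Oisf-users thread, not Suricata's or the poster's code.
Assumes the default fast.log line layout (see FAST_RE).
"""
import os
import re
import sys
import tempfile
from collections import OrderedDict

# Keywords from the thread; matched case-insensitively against the rule msg
KEYWORDS = ("TROJAN", "checkin")

# Approximation of the default fast.log layout (an assumption, not Suricata's
# own parser): timestamp, [**], [gid:sid:rev], msg, [**], ..., {proto} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample lines (not real captures); the last one is noise
SAMPLE_LOG = """\
07/27/2015-13:54:12.000001  [**] [1:2000001:1] ET TROJAN Example.Agent CnC checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49152 -> 203.0.113.7:80
07/27/2015-13:54:13.000002  [**] [1:2000002:1] ET POLICY Example HTTP request [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.0.0.6:49153 -> 203.0.113.8:80
07/27/2015-13:54:14.000003  [**] [1:2000001:1] ET TROJAN Example.Agent CnC checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49154 -> 203.0.113.7:80
07/27/2015-13:54:15.000004  [**] [1:2000003:1] ET MALWARE Example beacon checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.0.0.9:5555 -> 198.51.100.2:53
this line is not an alert
"""


def parse_alert(line):
    """Return the fields of one fast.log line, or None if it is not an alert."""
    m = FAST_RE.match(line)
    return m.groupdict() if m else None


def filter_alerts(lines, keywords=KEYWORDS):
    """Keep only parsed alerts whose rule msg mentions one of the keywords."""
    keys = [k.lower() for k in keywords]
    hits = []
    for line in lines:
        alert = parse_alert(line)
        if alert and any(k in alert["msg"].lower() for k in keys):
            hits.append(alert)
    return hits


def digest(alerts, keywords=KEYWORDS):
    """Group hits per signature (gid:sid:rev) into a short text for the mail."""
    groups = OrderedDict()
    for a in alerts:
        g = groups.setdefault((a["gid"], a["sid"], a["rev"]), {"n": 0, "first": a})
        g["n"] += 1
    out = ["%d alert(s) matched keywords: %s" % (len(alerts), ", ".join(keywords))]
    for (gid, sid, rev), g in groups.items():
        a = g["first"]
        out.append("%4d x [%s:%s:%s] %s (priority %s)" % (g["n"], gid, sid, rev, a["msg"], a["prio"]))
        out.append("       first seen %s  %s %s -> %s" % (a["ts"], a["proto"], a["src"], a["dst"]))
    return "\n".join(out)


def read_new_lines(log_path, state_path):
    """Return complete lines appended since the last run; persist the byte offset.

    A file smaller than the saved offset means logrotate truncated it, so we
    restart from the top. A trailing partial line (Suricata mid-write) is left
    for the next run by only advancing the offset to the last newline.
    """
    offset = 0
    if os.path.exists(state_path):
        with open(state_path) as f:
            offset = int(f.read().strip() or 0)
    if not os.path.exists(log_path):
        return []
    if os.path.getsize(log_path) < offset:
        offset = 0
    with open(log_path, "rb") as f:
        f.seek(offset)
        data = f.read()
    cut = data.rfind(b"\n") + 1
    with open(state_path, "w") as f:
        f.write(str(offset + cut))
    return data[:cut].decode("utf-8", "replace").splitlines()


def run_demo():
    """Three successive 'cron runs' over a constructed log in a temp dir.

    Returns the matching-alert count of each run: all hits, then nothing new,
    then one freshly appended checkin alert.
    """
    with tempfile.TemporaryDirectory() as d:
        log, state = os.path.join(d, "fast.log"), os.path.join(d, "fast.log.offset")
        with open(log, "w") as f:
            f.write(SAMPLE_LOG)
        first = len(filter_alerts(read_new_lines(log, state)))
        second = len(filter_alerts(read_new_lines(log, state)))
        with open(log, "a") as f:
            f.write(SAMPLE_LOG.splitlines()[0] + "\n")
        third = len(filter_alerts(read_new_lines(log, state)))
        return first, second, third


if __name__ == "__main__":
    if len(sys.argv) < 2:  # no log given: show the digest over the sample
        print(digest(filter_alerts(SAMPLE_LOG.splitlines())))
        print(run_demo())
    else:  # cron mode: print a digest only when there is something to forward
        hits = filter_alerts(read_new_lines(sys.argv[1], sys.argv[1] + ".offset"))
        if hits:
            print(digest(hits))
```

Because the script prints nothing when no new alert matches, a cron entry can mail only non-empty output, for example `out=$(/usr/local/bin/suri-keywords.py /var/log/suricata/fast.log); [ -n "$out" ] && printf '%s\n' "$out" | mail -s "Suricata keyword alerts" oncall@example.org` (paths and address are placeholders). At ~500k alerts a day the per-signature grouping matters more than the keyword match itself: one noisy signature otherwise turns into hundreds of identical mails.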