c nerd blog
Installing Snort 2.9.3.1 on OpenBSD 5.2

Swatch


Having abandoned barnyard2, I’m trying a simpler route: swatch. Snort can write its alerts to syslog; swatch can watch the syslog file for a particular pattern and send out an alert when it matches. This forces me to set up an outbound mail server, too. Given the problems with the OS X Mail Server under Mountain Lion (it just doesn’t work), I’ve set up smtpd (OpenSMTPD) under OpenBSD. I would set up sendmail, but I don’t properly understand it.
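The snort-to-syslog-to-swatch chain described above, as an added example that is not from the original post: it writes a minimal swatch rule to a file and checks with grep that the rule's pattern matches a constructed snort syslog line. The mail address, subject, sample alert and log path are placeholders I chose, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Snort sends alerts to syslog
# when snort.conf contains a line such as:
#   output alert_syslog: LOG_AUTH LOG_ALERT
# A constructed sample of the resulting syslog line (host, SID, message,
# priority and addresses are all invented for this example):
SAMPLE_ALERT='Nov  1 12:00:00 gw snort[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 192.0.2.20:49152'

# The pattern swatch watches for: a snort line carrying a [gid:sid:rev] tag.
# Written with [0-9] rather than \d so the same expression works in both
# swatch (Perl regex) and grep -E below.
ALERT_RE='snort\[[0-9]+\]: \[[0-9]+:[0-9]+:[0-9]+\]'

# Write a minimal swatch configuration to the given path. Replace the
# address with your own; swatch needs the @ escaped. 'throttle' keeps one
# noisy rule from mailing every hit for five minutes, which matters before
# the snort ruleset has been tuned.
write_swatchrc() {
    cat > "$1" <<EOF
watchfor /$ALERT_RE/
        echo
        mail addresses=admin\\@example.org,subject=Snort\\ alert
        throttle 00:05:00
EOF
}

# Return 0 if a log line would trigger the rule above, 1 otherwise.
matches_alert() {
    printf '%s\n' "$1" | grep -Eq "$ALERT_RE"
}

# Demonstration: write the config to a temporary file and test the sample.
tmp=$(mktemp)
write_swatchrc "$tmp"
cat "$tmp"
matches_alert "$SAMPLE_ALERT" && echo "sample line would trigger the swatch rule"
# On OpenBSD, LOG_AUTH messages land in /var/log/authlog by default, so the
# watcher would then be started as (assumed invocation):
#   swatch --config-file "$tmp" --tail-file /var/log/authlog
```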

Swatch will require me to tune my snort alerts carefully, of course. But at least I finally get to see what snort says; once I know what it reports I can tune it and start using it properly.