I have Snort running on LEM 6.3.1 and it appears to be working as expected... Now what? Do I need to set up all of the alerts manually? How does it know to alert me? Is there a set of best-practice rules/alerts?
"Now what?" is always the tricky question and largely depends on what you had in mind when you set up the LEM/Snort.
For your other questions:
There are no Snort template rules in Build -> Rules so you would need to create rules manually.
LEM alerts you based on rules, so once a rule is configured (email action or otherwise) it will take actions based on the correlations.
There are no Snort rules or best practices really; you can find additional information here:
SNORT - configuration and troubleshooting - SolarWinds Worldwide, LLC. Help and Support
Configure Snort for LEM - SolarWinds Worldwide, LLC. Help and Support
The key will be that events should be coming in (assuming it is correctly configured) via the Snort IDS ToolAlias, and you can search for that in nDepth in the web console.
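As an added illustration (not part of the original thread and not LEM's own rule engine), the following Python sketch shows what a rule like the one described above does in principle: parse Snort fast-format alert lines and fire an action when the same signature from the same source repeats within a time window. The sample alert lines, the SID values and the threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Snort "fast" alert format (not from any real sensor).
SAMPLE_ALERTS = """\
01/15-10:23:45.123456  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.5:22
01/15-10:23:47.500000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51235 -> 198.51.100.6:22
01/15-10:23:49.000000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51236 -> 198.51.100.7:22
01/15-10:40:00.000000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51300 -> 198.51.100.8:22
01/15-10:24:01.000000  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 3] {ICMP} 192.0.2.20 -> 198.51.100.5
"""

# One fast-format alert per line; Classification and ports are optional.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_fast_alerts(text):
    """Turn fast-format alert lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        # Fast format has no year; deltas within one day are all we need here.
        ev["ts"] = datetime.strptime(ev["ts"], "%m/%d-%H:%M:%S.%f")
        events.append(ev)
    return events

def correlate(events, threshold=3, window_s=60):
    """Fire once per burst of >= threshold alerts with the same SID and source
    inside window_s seconds (the kind of condition a LEM rule would carry)."""
    fired, buckets = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = buckets[(ev["sid"], ev["src"])]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.pop(0)  # age out alerts that left the sliding window
        if len(q) >= threshold:
            fired.append({"sid": ev["sid"], "src": ev["src"], "count": len(q), "at": ev["ts"]})
            q.clear()  # reset so the same burst does not fire repeatedly
    return fired

if __name__ == "__main__":
    for hit in correlate(parse_fast_alerts(SAMPLE_ALERTS)):
        print(f"ACTION (e.g. email): SID {hit['sid']} from {hit['src']} x{hit['count']} at {hit['at'].time()}")
```

The three SSH-scan alerts within four seconds trigger one action; the lone alert at 10:40 and the ICMP test alert do not.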