Snort mailing list archives
RE: Snort reporting and alerting
From: "Jason Lewis" <jlewis () jasonlewis net>
Date: Tue, 29 May 2001 01:22:28 -0400
Did anyone read the Sysadmin magazine article about using ACID, SnortSnarf and Snort2BigBrother for alert management? I need to go pick it up. Does it help reach the goal Siddhartha is looking for?

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less about security than you do. And that's scary.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Sid
Sent: Tuesday, May 29, 2001 1:12 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort reporting and alerting

The idea is real-time response, i.e. within seconds of the attack happening, the ability to react. One option is to integrate the IDS with some kind of firewall and allow dynamic reconfiguration of the firewall thru' the IDS, but this option could do more harm than good. Another is sending TCP resets, but that would work only for TCP-based exploits and not DoS or DDoS or UDP stuff.

I was thinking more on the lines of getting paged as soon as I get hit. The problem is there are far too many false positives and the number of alerts per day is too many. I need some kind of solution where if there is some persistent suspicious/threatening activity I get paged (if nothing else then at least to impress the management ;) )

Siddhartha

----- Original Message -----
From: "Dragos Ruiu" <dr () kyx net>
To: "Sid" <s_i_d_j () yahoo com>; <snort-users () lists sourceforge net>
Sent: Tuesday, May 29, 2001 6:42 AM
Subject: Re: [Snort-users] Snort reporting and alerting

On Sun, 27 May 2001, Sid wrote:

> Hi, I believe any IDS implementation is not very effective unless you have a real-time reporting/alerting mechanism and also for filtering out the less important alerts from the real threatening ones. So, I would like to know how people using Snort are doing this. I am trying to put some perl code together for the same and would like suggestions on what kind of reports and in what format would be useful.

Snort -> syslog and swatch is a nice combination if you absolutely must have that latest portscan address delivered to you right now..

As far as real-time alerting.... it's cool if you can afford to have someone watching those logs 24x7 but that is a luxury very few have. Most people are happy if they even have a knowledgeable analyst sampling the alert logs periodically, if even at all.

BTW whenever I hear the term real-time, I'm always reminded how easy to misuse that is... I think you mean low-latency alerting, because a daily e-mail summary of alerts is still "real-time" reporting.

cheers,
--dr
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
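Sid's ask in the message above (page only on persistent suspicious activity, despite a high false-positive rate and too many alerts per day) and Dragos's syslog plus swatch pointer both come down to filtering and aggregating Snort's alert stream before anything pages a human. What follows is an added example, not code from this thread, from the posters, or from the Snort project: a small Python aggregator over Snort fast-format alert lines that pages only when one source address trips several alerts at or above a priority cutoff inside a short window, then holds off for a cooldown so a single noisy scanner cannot page repeatedly. The `Pager` class, the thresholds, the suppressed-SID list, and the sample alert lines (SIDs 9000001 to 9000004, the 10.0.0.x and 192.168.1.10 hosts) are all constructed for this example and appear nowhere in the thread.

```python
"""Threshold paging for Snort fast-format alerts (added example, not from the thread).

Pages only when one source address triggers several alerts at or above a priority
cutoff inside a short window, then stays quiet for a cooldown. Thresholds, the SID
suppression list and the sample alert lines below are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Line shape follows Snort's alert_fast output; the lines fed in below are constructed.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)(?:\.\d+)?\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def _seconds(ts, year=2001):
    """Fast-format timestamps carry no year; assume one (2001, an assumption) and
    return seconds since the start of that year so windows can be compared."""
    dt = datetime.strptime(f"{year}/{ts}", "%Y/%m/%d-%H:%M:%S")
    return (dt - datetime(year, 1, 1)).total_seconds()


def parse_fast_alert(line):
    """Return a dict for one alert line, or None for lines that are not alerts."""
    m = FAST_RE.match(line)
    if not m:
        return None
    # Rules without a classtype carry no priority; treat them as priority 1 so
    # unclassified local rules are not silently dropped (a tuning choice).
    prio = int(m.group("prio")) if m.group("prio") else 1
    return {"t": _seconds(m.group("ts")), "ts": m.group("ts"), "sid": int(m.group("sid")),
            "msg": m.group("msg"), "prio": prio, "src": m.group("src"), "dst": m.group("dst")}


class Pager:
    """Sliding-window aggregator: page when `threshold` alerts with priority <=
    `max_priority` arrive from one source inside `window` seconds, at most once per
    `cooldown` seconds per source. SIDs in `suppress_sids` (known false positives)
    are ignored entirely. Alerts are expected in time order, as a tailed log delivers them."""

    def __init__(self, window=60, threshold=3, max_priority=2, cooldown=600, suppress_sids=()):
        self.window, self.threshold = window, threshold
        self.max_priority, self.cooldown = max_priority, cooldown
        self.suppress = set(suppress_sids)
        self.recent = defaultdict(deque)  # src -> timestamps of counted alerts
        self.last_paged = {}              # src -> time of the last page sent
        self.pages = []

    def feed(self, line):
        """Process one alert line; return a page record if one fires, else None."""
        a = parse_fast_alert(line)
        if a is None or a["sid"] in self.suppress or a["prio"] > self.max_priority:
            return None
        q = self.recent[a["src"]]
        q.append(a["t"])
        while q and a["t"] - q[0] > self.window:   # drop alerts that fell out of the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        last = self.last_paged.get(a["src"])
        if last is not None and a["t"] - last < self.cooldown:
            return None                            # already paged for this source recently
        self.last_paged[a["src"]] = a["t"]
        page = {"src": a["src"], "count": len(q), "at": a["ts"], "last_msg": a["msg"]}
        self.pages.append(page)
        return page


# Constructed sample in fast-alert style: SIDs, rule names and hosts are made up.
SAMPLE_ALERTS = [
    "05/29-01:11:50.000001  [**] [1:9000001:1] LOCAL noisy test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:40000 -> 192.168.1.10:80",
    "05/29-01:12:00.000002  [**] [1:9000002:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:40001 -> 192.168.1.10:80",
    "05/29-01:12:00.000003  [**] [1:9000002:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:51000 -> 192.168.1.10:80",
    "05/29-01:12:05.000004  [**] [1:9000003:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.10",
    "05/29-01:12:10.000005  [**] [1:9000002:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:40002 -> 192.168.1.10:80",
    "05/29-01:12:15.000006  [**] [1:9000003:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.10",
    "05/29-01:12:20.000007  [**] [1:9000003:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.10",
    "this line is not an alert and is skipped",
    "05/29-01:12:40.000008  [**] [1:9000004:2] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40003 -> 192.168.1.10:80",
    "05/29-01:12:50.000009  [**] [1:9000002:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:40004 -> 192.168.1.10:80",
    "05/29-01:13:30.000010  [**] [1:9000002:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:51001 -> 192.168.1.10:80",
    "05/29-01:13:40.000011  [**] [1:9000002:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:51002 -> 192.168.1.10:80",
]


def run_sample(lines=SAMPLE_ALERTS):
    """Feed the constructed alerts through a Pager and return the pages that fired."""
    pager = Pager(window=60, threshold=3, max_priority=2, cooldown=600, suppress_sids={9000001})
    for line in lines:
        pager.feed(line)
    return pager.pages


if __name__ == "__main__":
    for p in run_sample():
        print(f"PAGE: {p['src']} tripped {p['count']} alerts by {p['at']} (last: {p['last_msg']})")
```

On the constructed input only 10.0.0.5 pages, once: its priority-3 alert is on the suppression list, three counted alerts land inside the 60-second window at 01:12:40, and the fourth at 01:12:50 is swallowed by the cooldown. 10.0.0.7 never pages because its alerts sit below the priority cutoff, and 10.0.0.9 never reaches three alerts inside any one window. In practice the same `feed` loop would sit behind a tail of the syslog output (or be called from swatch) and hand the page record to whatever actually sends the page.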
Current thread:
- Snort reporting and alerting Sid (May 27)
- Re: Snort reporting and alerting Dragos Ruiu (May 28)
- Re: Snort reporting and alerting Sid (May 28)
- RE: Snort reporting and alerting Jason Lewis (May 28)
- Re: Snort reporting and alerting Sid (May 28)
- <Possible follow-ups>
- Re: Snort reporting and alerting Andreas Hasenack (May 29)
- Re: Snort reporting and alerting Dragos Ruiu (May 28)