Snort mailing list archives
RE: Alerting Snort (sending alert through pager)
From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Fri, 3 May 2002 12:25:36 -0400
From: Alwin Raymundo [mailto:alrayworld () yahoo com]
Hi Jeff,
Hello Alwin...
I'm reading your response regarding "Alerting snort using swatch". I'm very interested in sending an email or page to my RIM. I looked at the snort FAQ but I can't find detailed information regarding ATTACK RESPONSE. I know this alert will not create a false positive alert.
^^^ Well, I wouldn't go that far...I've had a *few* (luckily not at 2:00 am, yet ;-), but I am willing to live with this..
Can you give me some direction or some sort of how to.
If you are thinking about swatch as a solution (and it's not the only one), check out:
http://www.oit.ucsb.edu/~eta/swatch/
http://rr.sans.org/sysadmin/swatch.php
http://www.enteract.com/~lspitz/swatch.html
http://www.cert.org/security-improvement/implementations/i042.01.html
Do I need to add some parameters to attack-response.rules?
Nope. Swatch will monitor your syslog entries looking for entries that you define. If it makes a match it will react as you instruct it to, i.e. e-mail your pager. Which means you need to be logging Snort to syslog: http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.1 . Also check your local man page for syslog and syslogd for additional information (you are running *nix I hope).

Side Note: I've seen too many people using commercial NIDS getting paged/e-mailed on all sorts of attack stimulus (I think this is why e-mail filters were created). And why? Does attack stimulus == compromise? Not quite. Well then, does response == compromise? Maybe. In short, response to stimulus is either black or white: it is either what you expected or it isn't. And it's the unexpected we need to be concerned with...

Well, have to go...My pager just went off ;-)

Hope this helps,

- Jeff
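The workflow Jeff describes (Snort -> syslog -> swatch pattern match -> e-mail to pager, paging only on ATTACK-RESPONSES hits rather than every probe) as an added, runnable example. This is not swatch itself and not code from the thread; it is a small Python stand-in for a swatch watchfor stanza with a quiet period so one noisy host does not page you repeatedly. The syslog lines are constructed (SIDs from the local 1000000+ range, made-up addresses), the swatchrc shown in the comment is an assumed equivalent, and page() only builds the message a real deployment would hand to sendmail or an SMTP-to-pager gateway.

```python
"""
Swatch-style watcher for Snort alerts logged to syslog.

Added example, not from the original thread or from swatch. Assumes Snort is
configured with 'output alert_syslog' so alerts land in a syslog file (for
example /var/log/messages). Sample lines below are constructed.

Rough swatchrc equivalent (assumed syntax, check your swatch version):
    watchfor /snort.*ATTACK-RESPONSES/
        mail addresses=pager@example.com,subject=SNORT
        throttle 00:30:00
"""
import re
from datetime import datetime, timedelta

# syslog prefix: "May  3 12:20:01 host ..." (no year in classic syslog)
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")

# Snort's syslog alert format:
#   snort[pid]: [gid:sid:rev] msg [Classification: c] [Priority: p]: {proto} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# The 'watchfor' part: only the target answering (ATTACK-RESPONSES) pages us,
# not the stimulus (WEB-ATTACKS, scans, ...), which Jeff's side note warns about.
WATCHFOR = re.compile(r"^ATTACK-RESPONSES ")

# Constructed sample syslog, as if Snort and sshd both log to the same file.
SAMPLE_SYSLOG = """\
May  3 12:20:01 sensor snort[4242]: [1:1000001:1] ATTACK-RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.0.0.5:80 -> 192.168.1.10:3456
May  3 12:20:05 sensor snort[4242]: [1:1000002:1] WEB-ATTACKS id command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.168.1.10:3457 -> 10.0.0.5:80
May  3 12:21:10 sensor snort[4242]: [1:1000001:1] ATTACK-RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.0.0.5:80 -> 192.168.1.10:3458
May  3 13:05:00 sensor snort[4242]: [1:1000001:1] ATTACK-RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.0.0.5:80 -> 192.168.1.10:3459
May  3 13:05:02 sensor sshd[77]: Accepted publickey for jeff from 192.168.1.10 port 2222 ssh2
"""


def parse_alert(line):
    """Return a dict of fields for a Snort syslog alert line, or None otherwise."""
    ts = TS_RE.match(line)
    m = ALERT_RE.search(line)
    if not ts or not m:
        return None
    alert = m.groupdict()
    # Year is absent from syslog; strptime fills in 1900, fine for deltas.
    alert["ts"] = datetime.strptime(ts.group(1), "%b %d %H:%M:%S")
    return alert


class Pager:
    """Builds page messages, suppressing repeats of the same (sid, src, dst)
    within a quiet period, the way swatch's throttle keeps a pager from melting."""

    def __init__(self, quiet=timedelta(minutes=30)):
        self.quiet = quiet
        self.last_sent = {}   # (sid, src, dst) -> time of last page
        self.sent = []        # every message we would have mailed

    def page(self, alert):
        key = (alert["sid"], alert["src"], alert["dst"])
        prev = self.last_sent.get(key)
        if prev is not None and alert["ts"] - prev < self.quiet:
            return None       # throttled: already paged for this one recently
        self.last_sent[key] = alert["ts"]
        msg = (f"SNORT prio {alert['prio']}: {alert['msg']} "
               f"{alert['src']} -> {alert['dst']} ({alert['proto']})")
        self.sent.append(msg)  # a real deployment hands this to sendmail/SMTP
        return msg


def watch(lines, pager):
    """Scan syslog lines in order; return the page messages that were sent."""
    pages = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or not WATCHFOR.search(alert["msg"]):
            continue          # not a Snort alert, or stimulus only: no page
        msg = pager.page(alert)
        if msg:
            pages.append(msg)
    return pages


def run_sample():
    """Run the watcher over the constructed sample log."""
    return watch(SAMPLE_SYSLOG.splitlines(), Pager())


if __name__ == "__main__":
    for p in run_sample():
        print(p)
```

Against the sample log this pages twice: once for the first ATTACK-RESPONSES hit at 12:20:01, and again at 13:05:00 after the 30-minute quiet period has passed; the repeat at 12:21:10 is suppressed, the WEB-ATTACKS stimulus line never matches the watchfor pattern, and the sshd line is not a Snort alert at all. Keying the throttle on (sid, src, dst) rather than the full five-tuple is a deliberate choice: the same host answering the same check on a new ephemeral port is the same incident, not a new one.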
Current thread:
- RE: Alerting Snort (sending alert through pager) Wirth, Jeff (May 03)
- RE: Alerting Snort (sending alert through pager) Alwin Raymundo (May 06)