Snort mailing list archives
RE: sending alerts by email / active response Win2K system [RMC-J7FLJI4]
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Tue, 28 Jan 2003 18:27:08 -0500
(FYI: I'm now using EventSentry Light). I've included below the text of an e-mail I received from a Snort Alert, which EventSentry sent to me via e-mail:

    EVENT #        136437
    EVENTLOG       Application
    EVENT TYPE     INFORMATION
    SOURCE         snort
    EVENT ID       1
    COMPUTERNAME   SNORT-NT4
    TIME           01/28/2003 5:58:59 PM
    MESSAGE        [1:1002:5] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 63.117.225.193:1056 -> 10.0.1.214:80

    EVENT #        136438
    EVENTLOG       Application
    EVENT TYPE     INFORMATION
    SOURCE         snort
    EVENT ID       1
    COMPUTERNAME   SNORT-NT4
    TIME           01/28/2003 5:58:59 PM
    MESSAGE        [1:1201:6] ATTACK RESPONSES 403 Forbidden [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.0.1.214:80 -> 63.117.225.193:1056

I basically filter on Application Log, Information events, 'snort' as the source, and '[Priority: 1]' as the message text.

Cheers!
Christopher

-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Tuesday, January 28, 2003 4:52 PM
To: 'L. Christopher Luther'; 'Romulo M. Cholewa'
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] sending alerts by email / active response Win2K system [RMC-J7FLJI4]

Christopher, Anyone, etc.

I'm trying the program now, but I'm still unable to get it to alert on anything. What I am trying to do is alert on "Priority: 1" alerts only. Maybe it's not possible to parse the actual alert and grab content and alert on that content? Any hints as to how to accomplish this?

-Michael

--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of L. Christopher Luther
Sent: Tuesday, January 28, 2003 11:16 AM
To: 'Michael Steele'; 'Romulo M. Cholewa'
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] sending alerts by email / active response Win2K system [RMC-J7FLJI4]

Ask and ye shall receive: EventSentry Light - http://www.netikus.net/products_downloads.html

I've not compared the functionality of EventSentry Light to the original EventWatchNT, but I really liked EventWatchNT. For a freeware Event Log monitor, it just could not be beat (IMHO).

I personally like the freeware version of Kiwi Syslog Daemon, but unfortunately, the filter/trigger e-mail functionality is only available in the registered product. (sigh...)

Cheers!
Christopher

-----Original Message-----
From: "Michael Steele" <michaels () silicondefense com>
To: "'Romulo M. Cholewa'" <rmc () rmc eti br>, <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] sending alerts by email / active response Win2K system [RMC-J7FLJI4]
Date: Tue, 28 Jan 2003 07:44:52 -0800

Romulo,

You will need something like Syslog Daemon and run the alerts through that. It has an option of emailing on certain triggers. If you find a free tool that works, please let us Windows folks know. The alerts can be sent to the Event Viewer, application log in Windows and if you can find something to parse that file and alert, that would be great.

-Michael

Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org
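The thread settles on matching the literal text '[Priority: 1]' inside the Event Log MESSAGE field. As an added example that is not part of the thread and not EventSentry's or Snort's own code, the Python below parses the MESSAGE format shown in Christopher's mail into fields and filters on priority numerically, so a threshold such as "priority 1 or 2" or a per-SID rule is possible instead of a fixed substring. The first two sample messages are copied from the thread; the third (an ICMP alert with no Classification block and no ports) and the non-alert line are constructed to exercise the optional parts of the format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample Event Log MESSAGE values. The first two are the ones quoted in the
# thread; the last two are constructed to cover optional fields and junk input.
SAMPLE_MESSAGES = [
    "[1:1002:5] WEB-IIS cmd.exe access [Classification: Web Application Attack] "
    "[Priority: 1]: {TCP} 63.117.225.193:1056 -> 10.0.1.214:80",
    "[1:1201:6] ATTACK RESPONSES 403 Forbidden [Classification: Attempted Information Leak] "
    "[Priority: 2]: {TCP} 10.0.1.214:80 -> 63.117.225.193:1056",
    # Constructed: no classification block; ICMP carries no ports.
    "[1:384:4] ICMP PING [Priority: 3]: {ICMP} 10.0.1.7 -> 10.0.1.214",
    "Service started successfully",  # constructed: not a Snort alert at all
]

# [gid:sid:rev] msg [Classification: ...] [Priority: N]: {PROTO} src[:port] -> dst[:port]
# Classification and the ports are optional because Snort omits them for some
# rules and for protocols without ports.
ALERT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]:\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)


@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]


def parse_alert(message: str) -> Optional[SnortAlert]:
    """Parse one MESSAGE field; return None for lines that are not Snort alerts."""
    m = ALERT_RE.match(message.strip())
    if not m:
        return None
    return SnortAlert(
        gid=int(m.group("gid")),
        sid=int(m.group("sid")),
        rev=int(m.group("rev")),
        msg=m.group("msg"),
        classification=m.group("cls"),
        priority=int(m.group("pri")),
        proto=m.group("proto"),
        src=m.group("src"),
        src_port=int(m.group("sport")) if m.group("sport") else None,
        dst=m.group("dst"),
        dst_port=int(m.group("dport")) if m.group("dport") else None,
    )


def filter_alerts(messages: List[str], max_priority: int = 1) -> List[SnortAlert]:
    """Keep alerts whose priority is max_priority or more urgent (lower number)."""
    kept = []
    for line in messages:
        alert = parse_alert(line)
        if alert is not None and alert.priority <= max_priority:
            kept.append(alert)
    return kept


def format_notification(alert: SnortAlert) -> str:
    """One-line summary suitable for the body of an e-mail notification."""
    src = alert.src if alert.src_port is None else f"{alert.src}:{alert.src_port}"
    dst = alert.dst if alert.dst_port is None else f"{alert.dst}:{alert.dst_port}"
    return f"P{alert.priority} sid={alert.sid} {alert.msg} {alert.proto} {src} -> {dst}"


if __name__ == "__main__":
    for a in filter_alerts(SAMPLE_MESSAGES, max_priority=1):
        print(format_notification(a))
```

Feeding this the MESSAGE column of an Event Log export (or the lines a syslog daemon writes) with max_priority=1 reproduces the filter Christopher describes; raising the threshold to 2 also picks up the "403 Forbidden" response alert from the same session, which is useful when you want the server's reaction to be mailed alongside the probe that triggered it.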
Current thread:
- RE: sending alerts by email / active response Win2K system [RMC-J7FLJI4] L. Christopher Luther (Jan 28)
- RE: sending alerts by email / active response Win2K system [RMC-J7FLJI4] Michael Steele (Jan 28)
- <Possible follow-ups>
- RE: sending alerts by email / active response Win2K system [RMC-J7FLJI4] L. Christopher Luther (Jan 28)
- RE: sending alerts by email / active response Win2K system [RMC-J7FLJI4] Semerjian, Ohanes (Jan 28)