Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: sending alerts by email / active response Win2K system [RMC-J7FLJI4]

From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Tue, 28 Jan 2003 18:27:08 -0500
(FYI: I'm now using EventSentry Light).  I've include below the text of an
e-mail I received from a Snort Alert, which EventSentry sent to me via
e-mail: 

EVENT #       136437
EVENTLOG      Application
EVENT TYPE    INFORMATION
SOURCE        snort
EVENT ID      1
COMPUTERNAME  SNORT-NT4
TIME          01/28/2003 5:58:59 PM
MESSAGE       [1:1002:5] WEB-IIS cmd.exe access [Classification: Web
Application Attack] [Priority: 1]: {TCP} 63.117.225.193:1056 ->
10.0.1.214:80

EVENT #       136438
EVENTLOG      Application
EVENT TYPE    INFORMATION
SOURCE        snort
EVENT ID      1 
COMPUTERNAME  SNORT-NT4
TIME          01/28/2003 5:58:59 PM
MESSAGE       [1:1201:6] ATTACK RESPONSES 403 Forbidden [Classification:
Attempted Information Leak] [Priority: 2]: {TCP} 10.0.1.214:80 ->
63.117.225.193:1056

I basically filter on Application Log, Information events, 'snort' as the
source, and '[Priority: 1]' as the message text.  


Cheers!
  Christopher

-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Tuesday, January 28, 2003 4:52 PM
To: 'L. Christopher Luther'; 'Romulo M. Cholewa'
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] sending alerts by email / active response Win2K
system [RMC-J7FLJI4]


Christopher, Anyone, etc.

I'm trying the program now, but I still unable to get it to alert on
anything. What I am trying to do is alert on "Priority: 1" alerts only.
Maybe it's not possible to parse the actual alert and grab content and alert
on that content? Any hints as to how to accomplish this?

   -Michael

--
 Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
 Silicon Defense: IDS solutions - http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of L. Christopher
Luther
Sent: Tuesday, January 28, 2003 11:16 AM
To: 'Michael Steele'; 'Romulo M. Cholewa'
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] sending alerts by email / active response Win2K
system [RMC-J7FLJI4]

Ask and ye shall receive: 

    EventSentry Light - http://www.netikus.net/products_downloads.html

I've not compared the functionality of EventSentry Light to the original
EventWatchNT, but I really liked EventWatchNT.  For a freeware Event Log
monitor, it just could not be beat (IMHO). 

I personally like the freeware version Kiwi Syslog Daemon, but
unfortunately, the filter/trigger e-mail functionality is only available in
the registered product.  (sigh...)

Cheers!

  Christopher


-----Original Message-----
From: "Michael Steele" <michaels () silicondefense com>
To: "'Romulo M. Cholewa'" <rmc () rmc eti br>,
        <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] sending alerts by email / active response Win2K
system [RMC-J7FLJI4]
Date: Tue, 28 Jan 2003 07:44:52 -0800

Romulo,

You will need something like Syslog Daemon and run the alerts through that.
It has an option of emailing on certain triggers. If you find a free tool
that works, please let us windows folks know. The alerts can be sent to the
Event Viewer, application log in Windows and if you can find something to
parse that file and alert, that would be great.

-Michael
 Michael Steele | System Engineer / Support Technician    =20
 mailto:michaels () silicondefense com   =20
 Silicon Defense: IDS solutions - http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org
Previous By Date Next
Previous By Thread Next

Current thread: