Snort mailing list archives
swatch alternatives - sec
From: raft na <raft2200 () yahoo com>
Date: Wed, 23 Apr 2003 14:11:46 -0700 (PDT)
I would suggest SEC too http://kodu.neti.ee/~risto/sec/. It's a single Perl script and config file, so very easy to get up and running. I was able to get "real time" email alerts and end-of-day emailed reports going fairly easily, but haven't tackled the "this IP is suddenly going berserk" type of alert yet (threshold in SEC jargon).

As an example, the following sends an email with IPs and alert description when it sees a Snort Priority 1 message in the log file. It also adds it to a list of Priority 1 alerts that gets emailed at the end of the day. (I'm no regex guru, there may be more elegant expressions, but it works w/ latest Snort 2.)

# Detect the beginning of a priority 1 attack from a source IP,
# and send a warning e-mail message that a new attack has begun;
# also create a context for storing detailed information about the attack
type=Single
ptype=RegExp
pattern=.*] (.*)\[Classification: (.*)\] \[Priority: 1.*} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*-> (\S+)
context=!ATTACK_P1_FROM_$3
continue=TakeNext
desc=P1 ALERT - $1 - $2 - started from $3 to $4
action=create ATTACK_P1_FROM_$3; add ALERT_P1_REPORT %t: %s; pipe '%t: %s' \
    /bin/mail -s 'SNORT: priority 1 attack from $3 (alert)' person () somewhere net

# For every priority 1 incident, add an entry to the context by its IP;
# if the IP has been quiet for 5 minutes (300 s), report the whole attack
# (rule 1 uses continue=TakeNext, so this rule also sees the first event)
type=Single
ptype=RegExp
pattern=.*] (.*)\[Classification: (.*)\] \[Priority: 1.*} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*-> (\S+)
context=ATTACK_P1_FROM_$3
continue=TakeNext
desc=P1 ALERT - $1 - $2 - started from $3 to $4
action=add ATTACK_P1_FROM_$3 %t: %s; set ATTACK_P1_FROM_$3 300 \
    ( report ATTACK_P1_FROM_$3 \
      /bin/mail -s 'SNORT: priority 1 attack from $3 (report)' person () somewhere net )

# Send daily report about regular P1 alerts
# (the time field uses crontab order: minute hour day month weekday)
type=Calendar
time=11 * * * *
desc=Sending alert report...
action=report ALERT_P1_REPORT \
    /bin/mail -s 'SNORT: daily P1 alert report' person () somewhere net; \
    delete ALERT_P1_REPORT
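To make the correlation logic of the three rules above concrete without installing SEC, here is an added Python emulation (not part of the original post and not SEC's own code). It reuses the post's regular expression, assumes Snort's syslog-style alert lines (the constructed sample lines below carry made-up signature IDs and RFC 1918 addresses), and replaces the /bin/mail pipes with an in-memory outbox and the wall clock with a virtual clock so the 300-second quiet timer can be exercised in a test:

```python
import re

# The regex from the post's SEC rules, in Python syntax. It expects Snort's
# syslog output, e.g.
#   ... snort: [1:SID:REV] MSG [Classification: X] [Priority: 1]: {UDP} SRC:PORT -> DST:PORT
# (with the "[**]" markers of Snort's "fast" alert file, $1 would come out empty).
P1_RE = re.compile(
    r".*\] (.*)\[Classification: (.*)\] \[Priority: 1.*\} "
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*-> (\S+)"
)


class P1Correlator:
    """Emulation of the three SEC rules from the post.

    contexts -> the per-source ATTACK_P1_FROM_<ip> contexts
    daily    -> the ALERT_P1_REPORT context
    outbox   -> (subject, body) pairs standing in for the /bin/mail pipes
    `now` is a virtual clock in seconds, so nothing here sleeps.
    """

    def __init__(self, quiet_seconds=300):
        self.quiet = quiet_seconds
        self.contexts = {}   # src_ip -> {"expires": float | None, "lines": [str]}
        self.daily = []
        self.outbox = []

    def feed(self, now, line):
        """Process one log line at virtual time `now`; True if it was a P1 alert."""
        self.expire(now)                 # SEC checks context lifetimes as time passes
        m = P1_RE.match(line)
        if not m:
            return False                 # not a priority-1 alert: both rules skip it
        msg, classification, src, dst = m.groups()
        desc = f"P1 ALERT - {msg.strip()} - {classification} - started from {src} to {dst}"
        entry = f"{now}: {desc}"         # SEC's "%t: %s"
        if src not in self.contexts:
            # Rule 1 (context=!ATTACK_P1_FROM_$3): first event from this source.
            self.contexts[src] = {"expires": None, "lines": []}
            self.daily.append(entry)     # add ALERT_P1_REPORT %t: %s
            self.outbox.append((f"SNORT: priority 1 attack from {src} (alert)", entry))
        # Rule 2 (context=ATTACK_P1_FROM_$3) runs for every P1 event because rule 1
        # uses continue=TakeNext: append the line and (re)arm the quiet timer.
        ctx = self.contexts[src]
        ctx["lines"].append(entry)
        ctx["expires"] = now + self.quiet
        return True

    def expire(self, now):
        """Run the `report` action of every context whose timer has run out."""
        due = [s for s, c in self.contexts.items()
               if c["expires"] is not None and c["expires"] <= now]
        for src in due:
            ctx = self.contexts.pop(src)
            self.outbox.append((f"SNORT: priority 1 attack from {src} (report)",
                                "\n".join(ctx["lines"])))

    def daily_report(self):
        """Emulate the Calendar rule: mail ALERT_P1_REPORT, then delete it."""
        body = "\n".join(self.daily)
        self.outbox.append(("SNORT: daily P1 alert report", body))
        self.daily = []
        return body


# Constructed sample input: (virtual seconds, syslog-style Snort line).
# Signature IDs and addresses are made up for this example.
SAMPLE = [
    (0,   "Apr 23 14:11:46 ids snort: [1:1000001:1] TEST exploit attempt [Classification: Attempted Admin] [Priority: 1]: {UDP} 10.0.0.5:1434 -> 192.168.1.10:1434"),
    (60,  "Apr 23 14:12:46 ids snort: [1:1000001:1] TEST exploit attempt [Classification: Attempted Admin] [Priority: 1]: {UDP} 10.0.0.5:1434 -> 192.168.1.11:1434"),
    (90,  "Apr 23 14:13:16 ids snort: [1:1000002:1] TEST info leak [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.0.0.5:80 -> 192.168.1.12:3321"),
    (120, "Apr 23 14:13:46 ids snort: [1:1000003:1] TEST shellcode [Classification: Executable code was detected] [Priority: 1]: {TCP} 172.16.3.9:4444 -> 192.168.1.20:80"),
    (500, "Apr 23 14:20:06 ids snort: [1:1000001:1] TEST exploit attempt [Classification: Attempted Admin] [Priority: 1]: {UDP} 10.0.0.5:1434 -> 192.168.1.13:1434"),
]


def run_demo(lines=SAMPLE, end_of_day=1000):
    """Feed the sample, let the last context time out, fire the daily report."""
    c = P1Correlator()
    for now, line in lines:
        c.feed(now, line)
    c.expire(end_of_day)
    c.daily_report()
    return c


if __name__ == "__main__":
    for subject, body in run_demo().outbox:
        print(f"--- {subject}\n{body}\n")
```

Running it shows the behaviour the rules produce: one "(alert)" mail when a source first trips a priority 1 signature, a "(report)" mail carrying every line from that source once it has been quiet for 300 seconds, a fresh "(alert)" if the same source returns later, and a single daily summary. The priority 2 line at t=90 is ignored, and it also does not keep the 10.0.0.5 context alive, which is why that context's report arrives before the t=500 event.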