Snort mailing list archives
Re: Snort + email alerts
From: Daniel Cid <danielcid () yahoo com br>
Date: Thu, 15 Jun 2006 00:29:10 -0300 (ART)
In addition to using swatch, you can try ossec to generate e-mails/active responses based on your snort logs. It is much more powerful than swatch (or guardian) because it allows you to alert based on:

- Single IDS events.
- Multiple IDS events for the same source IP in a specific timeframe.
- Multiple IDS events for the same snort ID in a specific time.
- Only the first time a Snort ID is seen.
- Only the first time a Snort ID/IP combo is seen.
- Only on specific categories.
- Only on specific priorities (or any other option you want).
- You can ignore specific IPs/Snort IDs.
- You can specify a maximum number of alerts per hour, and if this number is reached, it will send all the alerts in just one e-mail.
- You can automatically ignore rules that alert too often.

Oh, ossec also analyzes a lot of other log formats, being easy to integrate with other applications.

*Don't take my word for it, because I'm an ossec developer, but you should give it a try. Installation is pretty easy too.

Last version: http://www.ossec.net/files/ossec-hids-0.8-3.tar.gz
Website: http://www.ossec.net

Thanks,

--
Daniel B. Cid
dcid @ ( at ) ossec.net

--- Denis Morejon Lopez <denis () cfg etecsa cu> wrote:
I was trying to install the swatch rpm to parse the snort logs and send it as email alerts. But I fell into a loop because two rpm packages depended on each other. What should I do in this case?

Regards

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
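The correlation options Daniel lists (first time a Snort ID is seen, first time a Snort ID/IP combo is seen, several events from one source IP or one SID inside a time window, ignore lists for IPs/SIDs, and an hourly cap that folds the overflow into a single digest e-mail) are easy to reason about once written out as code. Below is an added example of such a correlator over Snort alert_fast lines; it is not OSSEC code and not from anyone in this thread. The sample alert lines, the local SIDs 1000001-1000003, the RFC 5737 addresses and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Snort alert_fast line: "MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]"
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts (local SIDs, documentation-range IPs), not real traffic.
SAMPLE = """\
06/15-00:29:10.100000  [**] [1:1000001:1] LOCAL UDP 1434 probe [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.5:1434
06/15-00:29:12.200000  [**] [1:1000001:1] LOCAL UDP 1434 probe [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.6:1434
06/15-00:29:15.300000  [**] [1:1000001:1] LOCAL UDP 1434 probe [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.7:1434
06/15-00:30:01.000000  [**] [1:1000002:1] LOCAL noisy SNMP request [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.50:161 -> 198.51.100.5:161
06/15-00:31:01.000000  [**] [1:1000003:1] LOCAL ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.99 -> 198.51.100.5
06/15-00:31:02.000000  [**] [1:1000003:1] LOCAL ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 198.51.100.5
"""


def parse_fast(line, year=2006):
    """Parse one alert_fast line into a dict, or None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"],
            "prio": int(m["prio"]), "src": m["src"], "dst": m["dst"]}


class Correlator:
    def __init__(self, ignore_ips=(), ignore_sids=(), burst_n=3,
                 burst_window=60, max_per_hour=4):
        self.ignore_ips, self.ignore_sids = set(ignore_ips), set(ignore_sids)
        self.burst_n, self.burst_window = burst_n, burst_window
        self.max_per_hour = max_per_hour
        self.seen_sids, self.seen_pairs = set(), set()
        self.by_src = defaultdict(deque)     # src IP -> timestamps inside the window
        self.by_sid = defaultdict(deque)     # SID    -> timestamps inside the window
        self.hour_counts = defaultdict(int)  # hour bucket -> e-mails already sent
        self.digest = defaultdict(list)      # hour bucket -> alerts held for one summary

    def is_ignored(self, ev):
        return ev["src"] in self.ignore_ips or ev["sid"] in self.ignore_sids

    def _window_count(self, dq, ts):
        # Slide the window: keep only timestamps within burst_window of this event.
        dq.append(ts)
        while (ts - dq[0]).total_seconds() > self.burst_window:
            dq.popleft()
        return len(dq)

    def process(self, ev):
        """Return the alerts this event triggers (fires the burst rule once, on the Nth hit)."""
        if self.is_ignored(ev):
            return []
        out = []
        if ev["sid"] not in self.seen_sids:
            self.seen_sids.add(ev["sid"])
            out.append(f"FIRST-SEEN sid={ev['sid']} ({ev['msg']})")
        pair = (ev["sid"], ev["src"])
        if pair not in self.seen_pairs:
            self.seen_pairs.add(pair)
            out.append(f"FIRST-SEEN-COMBO sid={ev['sid']} src={ev['src']}")
        if self._window_count(self.by_src[ev["src"]], ev["ts"]) == self.burst_n:
            out.append(f"BURST-SRC {self.burst_n} events from {ev['src']} in {self.burst_window}s")
        if self._window_count(self.by_sid[ev["sid"]], ev["ts"]) == self.burst_n:
            out.append(f"BURST-SID {self.burst_n} hits of sid={ev['sid']} in {self.burst_window}s")
        return out

    def deliver(self, alert, ts):
        """Send individually until the hourly cap is hit, then hold for a single digest."""
        bucket = ts.replace(minute=0, second=0, microsecond=0).isoformat()
        if self.hour_counts[bucket] < self.max_per_hour:
            self.hour_counts[bucket] += 1
            return alert
        self.digest[bucket].append(alert)
        return None


def run(text, **kw):
    """Feed alert_fast text through the correlator; return what would be mailed."""
    c = Correlator(ignore_sids={1000002}, **kw)
    sent, parsed, ignored = [], 0, 0
    for line in text.splitlines():
        ev = parse_fast(line)
        if ev is None:
            continue
        parsed += 1
        if c.is_ignored(ev):
            ignored += 1
        for alert in c.process(ev):
            mail = c.deliver(alert, ev["ts"])
            if mail is not None:
                sent.append(mail)
    return {"parsed": parsed, "ignored": ignored, "sent": sent, "digests": dict(c.digest)}


if __name__ == "__main__":
    result = run(SAMPLE)
    for a in result["sent"]:
        print("MAIL:", a)
    for bucket, held in result["digests"].items():
        print(f"DIGEST for {bucket}: {len(held)} alerts held in one e-mail")
```

With the sample input, the three probes from 192.0.2.10 fire the first-seen rules on the first hit and both burst rules on the third, the SNMP line is dropped by the SID ignore list, and the two ICMP alerts arrive after the hourly cap of four e-mails, so they are held for one digest instead of three separate messages.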
Current thread:
- Snort not seeing everything fname lname (Jun 14)
- Re: Snort not seeing everything Stephen John Smoogen (Jun 14)
- Re: Snort not seeing everything fname lname (Jun 14)
- Re: Snort not seeing everything Eric Hines (Jun 14)
- Re: Snort not seeing everything Stephen John Smoogen (Jun 14)
- Re: Snort + email alerts Denis Morejon Lopez (Jun 14)
- Re: Snort + email alerts Daniel Cid (Jun 14)
- Re: Snort + email alerts Denis Morejon Lopez (Jun 15)
- Re: Snort not seeing everything Stephen John Smoogen (Jun 14)
- Re: Snort not seeing everything fname lname (Jun 16)
- Re: Snort not seeing everything fname lname (Jun 16)
- Re: Snort not seeing everything Stephen John Smoogen (Jun 14)