Re: Real Time Alert and Variables

["Michael Steele" <michaels () winsnort com>]

I'm told that Splunk has a 60 day trial and e-mail will not function after
that day.

Any truth to that?

Best regards,
Michael...

> -----Original Message-----
> From: Greg Williams [mailto:gwillia5 () uccs edu]
> Sent: Monday, January 28, 2013 12:26 AM
> To: Michael Steele
> Cc: Snort Users
> Subject: Re: [Snort-users] Real Time Alert and Variables
>
> Yes, exactly.  I added fast alerts to my barnyard config, it should be the
same
> in snort.conf.  Splunk is a log management system on steroids.  I use BASE
> and Snorby for full packet analysis, but Splunk for trending and alerting.
With
> Splunk I can correlate the IPs from the alerts with dhcp snooping logs to
and
> run a script on a scheduled query to shut down a port.  I also use it to
give me
> daily reports on the number of P2P client alerts seen on specific subnets.
> Example query is as simple as:
>
> Sourcetype=snort P2P starthoursago=24 | stats count by Name
>
> On Jan 27, 2013, at 10:44 PM, "Michael Steele" <michaels () winsnort com>
> wrote:
>
> > I'm intrigued.
> >
> > So I add to my snort.conf
>
> > output alert_fast: alert.ids
> >
> > I can use Splunk to watch the alert.ids file and trigger on patterns?
> >
> > Best regards,
> > Michael...
> >
> > > -----Original Message-----
> > > From: Greg Williams [mailto:gwillia5 () uccs edu]
> > > Sent: Sunday, January 27, 2013 4:11 PM
> > > To: Nicholas Horton
> > > Cc: Snort Users
> > > Subject: Re: [Snort-users] Real Time Alert and Variables
> > >
> > > Absolutely. It's an amazing piece of software.
> > >
> > > Nicholas Horton <fivetenets () me com> wrote:
> > >
> > >
> > > Perfect. Thanks Greg. Ill take a look.
> > >
> > > I use snorby for alert gathering but just need another piece for
> > performing
> > > automated tasks based on an alert.
> > >
> > > Will Splunk pass variables to the script such as the source IP from
> > > an
> > alert?
> > > Nick
> > >
> > > On Jan 27, 2013, at 3:19 PM, Greg Williams <gwillia5 () uccs edu> wrote:
> > >
> > > > Nick, I use Splunk to do this.  I feed Splunk the fast alerts and
> > > > the
> > either
> > > send emails or run scripts off specific matched criteria. Example
> > > shutdown
> > a
> > > port based on more than 5 outbound ZeroAccess alerts in 5 minutes.
> > > > Nicholas Horton <fivetenets () me com> wrote:
> > > >
> > > >
> > > >
> > > > Is this referring to alert, drop, log, pass, etc?
> > > >
> > > > If so are you saying its possible that I can create a type to have
> > > > to
> > execute a
> > > command to the shell based on a specific alert?
> > > > This is what I'm looking for.
> > > >
> > > > For example if rule 1:2924 gets triggered I not only want to alert
> > > > me
> > about it
> > > but actually kick of a script to so something in case it's in the
> > > middle
> > of the
> > > night or I'm simply at lunch.  To automate certain known alerts that
> > > are harmful and could spread though the LAN. Maybe I would even shut
> > > off the switch port that the device is connected to if it has virus.
> > > > Does snort have this ability?  Can barnyard2?  I like using
> > > > abilities of
> > a given
> > > program and would prefer not adding another layer of complexity to
> > > the equation such as swatch but if that is what I need ill use it.
> > > > What is the best practice for having scripts kick off to the shell
> > > > based
> > on
> > > specific alerts?
> > > > Thanks again
> > > > Nick
> > > >
> > > > On Jan 25, 2013, at 12:08 PM, Nicholas Horton
> > > <fivetenets () me com<mailto:fivetenets () me com>> wrote:
> > > > Perfect. Thanks. Ill take a look in the manual.
> > > >
> > > > Nick
> > > >
> > > > On Jan 25, 2013, at 12:00 PM, Y M
> > > <snort () outlook com<mailto:snort () outlook com>> wrote:
> > > > You can also use custom action types. You define them in snort.conf
> > file,
> > > and use the new custom action type with your rules. Sorry can't
> > > provide resources at the moment, but it should be in the manual.
> > > > YM
> > > > ________________________________
> > > > From: Nicholas Horton<mailto:fivetenets () me com>
> > > > Sent: ‎1/‎25/‎2013 7:26 PM
> > > > To: Snort Users<mailto:snort-users () lists sourceforge net>
> > > > Subject: [Snort-users] Real Time Alert and Variables
> > > >
> > > > Is swatch still the best, only, current solution to kick off a
> > > > script
> > with
> > > variables such as source ip based on a specific snort alert?
> > > > Nick
> > > >
> > > > --------------------------------------------------------------------
> > > > --
> > > > -------- Master Visual Studio, SharePoint, SQL,
> > > > ASP.NET<http://ASP.NET>, C# 2012, HTML5, CSS, MVC, Windows 8 Apps,
> > > > JavaScript and much more. Keep your skills current with LearnDevNow
> > > > -
> > > > 3,200 step-by-step video tutorials by Microsoft MVPs and experts. ON
> > > > SALE this month only -- learn more at:
> > > > http://p.sf.net/sfu/learnnow-d2d
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net<mailto:Snort-users@lists.sourcefor
> > > > ge .net> Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-
> users
> > > > Please visit http://blog.snort.org to stay current on all the latest
> > Snort
> > > news!
> > > > --------------------------------------------------------------------
> > > > --
> > > > -------- Master Visual Studio, SharePoint, SQL,
> > > > ASP.NET<http://ASP.NET>, C# 2012, HTML5, CSS, MVC, Windows 8 Apps,
> > > > JavaScript and much more. Keep your skills current with LearnDevNow
> > > > -
> > > > 3,200 step-by-step video tutorials by Microsoft MVPs and experts. ON
> > > > SALE this month only -- learn more at:
> > > > http://p.sf.net/sfu/learnnow-d2d
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net<mailto:Snort-users@lists.sourcefor
> > > > ge .net> Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-
> users
> > > > Please visit http://blog.snort.org to stay current on all the latest
> > Snort
> > > news!
> > ----------------------------------------------------------------------
> > ------
> > --
> > > Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> > > MVC, Windows 8 Apps, JavaScript and much more. Keep your skills
> > > current with LearnDevNow - 3,200 step-by-step video tutorials by
> > > Microsoft MVPs and experts. ON SALE this month only -- learn more at:
> > > http://p.sf.net/sfu/learnnow-d2d
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-
> users
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort
> > news!



------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!