Snort mailing list archives

Re: Real Time Alert and Variables


From: Jeremy Hoel <jthoel () gmail com>
Date: Thu, 7 Feb 2013 16:50:07 +0000

You might want to check out ELSA and greylog. We use greylog to get
emails from logs that go to it. They are kind of log viewers that
are both getting better.



On Thu, Feb 7, 2013 at 3:50 PM, Nicholas Horton <fivetenets () me com> wrote:
Thanks Joel. I see.

I also saw the monitoring and alerting functionality I'm looking for is in
their enterprise edition and not the free one.

Oh well :)

Looks like I'll go back to your swatch solution unless there is anything else
out there for real time specific alerting and sending variables to the shell
to run in a script.

Thanks again
Nick

On Feb 6, 2013, at 11:10 AM, Joel Esler <jesler () sourcefire com> wrote:

I did a quick Google:

Download Splunk Enterprise for free. You'll get a Splunk Enterprise license
for 60 days and you can index up to 500 megabytes of data per day. You can
convert to a perpetual Free license or purchase an Enterprise license to
continue using the expanded functionality designed for multi-user
deployments.

http://www.splunk.com/download?r=header

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Feb 6, 2013, at 8:50 AM, Nicholas Horton <fivetenets () me com> wrote:

Was anyone able to verify this?

Is Splunk for Snort free or just a 60-day trial?

Nick

On Jan 31, 2013, at 10:58 AM, Michael Steele <michaels () winsnort com> wrote:

I'm told that Splunk has a 60 day trial and e-mail will not function after
that day.

Any truth to that?

Best regards,
Michael...

-----Original Message-----
From: Greg Williams [mailto:gwillia5 () uccs edu]
Sent: Monday, January 28, 2013 12:26 AM
To: Michael Steele
Cc: Snort Users
Subject: Re: [Snort-users] Real Time Alert and Variables

Yes, exactly. I added fast alerts to my barnyard config, it should be the same
in snort.conf. Splunk is a log management system on steroids. I use BASE
and Snorby for full packet analysis, but Splunk for trending and alerting. With
Splunk I can correlate the IPs from the alerts with dhcp snooping logs and
run a script on a scheduled query to shut down a port. I also use it to give me
daily reports on the number of P2P client alerts seen on specific subnets.
Example query is as simple as:

Sourcetype=snort P2P starthoursago=24 | stats count by Name

On Jan 27, 2013, at 10:44 PM, "Michael Steele" <michaels () winsnort com> wrote:

I'm intrigued.

So I add to my snort.conf

output alert_fast: alert.ids

I can use Splunk to watch the alert.ids file and trigger on patterns?

Best regards,
Michael...

-----Original Message-----
From: Greg Williams [mailto:gwillia5 () uccs edu]
Sent: Sunday, January 27, 2013 4:11 PM
To: Nicholas Horton
Cc: Snort Users
Subject: Re: [Snort-users] Real Time Alert and Variables

Absolutely. It's an amazing piece of software.

Nicholas Horton <fivetenets () me com> wrote:


Perfect. Thanks Greg. I'll take a look.

I use snorby for alert gathering but just need another piece for performing
automated tasks based on an alert.

Will Splunk pass variables to the script such as the source IP from an
alert?


Nick

On Jan 27, 2013, at 3:19 PM, Greg Williams <gwillia5 () uccs edu> wrote:

Nick, I use Splunk to do this. I feed Splunk the fast alerts and then either
send emails or run scripts off specific matched criteria. Example: shut down a
port based on more than 5 outbound ZeroAccess alerts in 5 minutes.


Nicholas Horton <fivetenets () me com> wrote:



Is this referring to alert, drop, log, pass, etc?

If so, are you saying it's possible that I can create a type to have it
execute a command to the shell based on a specific alert?

This is what I'm looking for.

For example if rule 1:2924 gets triggered I not only want to alert me about it
but actually kick off a script to do something in case it's in the middle of the
night or I'm simply at lunch. To automate certain known alerts that
are harmful and could spread through the LAN. Maybe I would even shut
off the switch port that the device is connected to if it has a virus.

Does snort have this ability? Can barnyard2? I like using abilities of a given
program and would prefer not adding another layer of complexity to
the equation such as swatch but if that is what I need I'll use it.

What is the best practice for having scripts kick off to the shell based on
specific alerts?

Thanks again
Nick

On Jan 25, 2013, at 12:08 PM, Nicholas Horton <fivetenets () me com> wrote:

Perfect. Thanks. I'll take a look in the manual.

Nick

On Jan 25, 2013, at 12:00 PM, Y M <snort () outlook com> wrote:

You can also use custom action types. You define them in the snort.conf file,
and use the new custom action type with your rules. Sorry, can't
provide resources at the moment, but it should be in the manual.


YM
________________________________
From: Nicholas Horton <fivetenets () me com>
Sent: 1/25/2013 7:26 PM
To: Snort Users <snort-users () lists sourceforge net>
Subject: [Snort-users] Real Time Alert and Variables

Is swatch still the best, only, current solution to kick off a script with
variables such as source ip based on a specific snort alert?


Nick

------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, MVC,
Windows 8 Apps, JavaScript and much more. Keep your skills current with
LearnDevNow - 3,200 step-by-step video tutorials by Microsoft MVPs and experts.
ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!












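Putting the thread's pieces together as an added example (my own code, not from any poster and not part of Snort, Splunk or swatch): a small Python watcher that tails a Snort 2 alert_fast file such as the alert.ids file mentioned above, applies Greg's "more than 5 alerts from one source in 5 minutes" rule to chosen gid:sid values (1:2924 from Nick's question is used), and hands the source IP to a script as an argument, which is the "variables to the shell" part Nick asked for. The alert_fast line layout is assumed from Snort 2 output, the handler script path is a hypothetical placeholder, and the alert lines are constructed sample input.

```python
# Added example, not from any poster, Snort, Splunk or swatch: tail a Snort 2
# alert_fast file, apply a "more than N alerts from one source in M minutes"
# rule for chosen gid:sid values, and pass the source IP to a script.
import ipaddress
import re
import subprocess
import time
from collections import defaultdict, deque
from datetime import datetime

# Assumed Snort 2 alert_fast layout (the timestamp carries no year):
# 01/27-15:19:01.123456  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$")

def parse_fast_alert(line):
    """Return a dict for one alert_fast line, or None if the line does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")  # year defaults to 1900
    return {"ts": ts, "sig": f"{m['gid']}:{m['sid']}", "msg": m["msg"],
            "proto": m["proto"], "src": m["src"], "dst": m["dst"]}

class AlertTrigger:
    """Call handler(alert) once when one source IP produces more than `count` alerts
    for a watched gid:sid inside a sliding window of `window_seconds`."""
    def __init__(self, watched_sigs, count, window_seconds, handler):
        self.watched, self.count, self.window = set(watched_sigs), count, window_seconds
        self.handler = handler
        self.seen = defaultdict(deque)  # (sig, src) -> timestamps still in the window
        self.fired = set()              # (sig, src) pairs already acted on

    def feed(self, line):
        """Consume one line; return True if the handler was invoked for it."""
        alert = parse_fast_alert(line)
        if alert is None or alert["sig"] not in self.watched:
            return False
        key = (alert["sig"], alert["src"])
        recent = self.seen[key]
        recent.append(alert["ts"])
        while (alert["ts"] - recent[0]).total_seconds() > self.window:
            recent.popleft()          # expire alerts older than the window
        if len(recent) > self.count and key not in self.fired:
            self.fired.add(key)       # act once per source/signature, not per line
            self.handler(alert)
            return True
        return False

def make_script_handler(script_path, dry_run=False):
    """Build a handler that runs `script_path <gid:sid> <src_ip>` without a shell.
    The IP is re-validated and the free-text message is never passed, so nothing
    copied from the alert line can be interpreted by a shell."""
    def handler(alert):
        src = str(ipaddress.ip_address(alert["src"]))  # ValueError on anything odd
        argv = [script_path, alert["sig"], src]
        if not dry_run:
            subprocess.run(argv, check=False, timeout=30)
        return argv
    return handler

def follow(path, trigger, poll_seconds=0.5):
    """Tail an alert_fast file like `tail -f`, feeding each new line to the trigger."""
    with open(path) as fh:
        fh.seek(0, 2)                 # start at the end: react only to new alerts
        while True:
            line = fh.readline()
            if line:
                trigger.feed(line)
            else:
                time.sleep(poll_seconds)

# Constructed sample input: six 1:2924 alerts from 10.0.0.5 inside five minutes,
# one 1:2924 alert from another host, and one alert for a signature not watched.
SAMPLE_LINES = [
    f"01/27-15:{mm}:{ss}.000001  [**] [1:2924:3] CONSTRUCTED outbound alert [**] "
    f"[Classification: Trojan] [Priority: 1] {{UDP}} {src}:51234 -> 203.0.113.7:16464"
    for mm, ss, src in [("19", "01", "10.0.0.5"), ("19", "30", "10.0.0.5"),
                        ("20", "10", "10.0.0.5"), ("21", "00", "10.0.0.5"),
                        ("21", "30", "10.0.0.9"), ("22", "15", "10.0.0.5"),
                        ("23", "40", "10.0.0.5")]
] + ["01/27-15:22:00.000001  [**] [1:1000001:1] CONSTRUCTED other rule [**] "
     "[Classification: Misc] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1"]

def run_demo(lines=SAMPLE_LINES):
    """Apply the thread's 'more than 5 in 5 minutes' rule to the sample lines and
    return the (sig, src) pairs the handler was called for."""
    fired = []
    trigger = AlertTrigger(["1:2924"], count=5, window_seconds=300,
                           handler=lambda a: fired.append((a["sig"], a["src"])))
    for line in lines:
        trigger.feed(line)
    return fired  # [("1:2924", "10.0.0.5")]

if __name__ == "__main__":
    print(run_demo())  # for live use: follow("/var/log/snort/alert.ids", AlertTrigger([...], 5, 300, make_script_handler("/path/to/hypothetical_quarantine.sh")))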

