Snort mailing list archives
Re: Real Time Alert and Variables
From: Nicholas Horton <fivetenets () me com>
Date: Tue, 12 Feb 2013 08:18:20 -0500
Thanks Martin. I will post my specific case to the ELSA mailing list.

Thanks again,
Nick

On Feb 11, 2013, at 9:54 PM, Martin Holste <mcholste () gmail com> wrote:
I'll speak up regarding ELSA, as the open source project owner. You can monitor logs (like Snort alerts) very easily for generic things like "trojan" or "exploit kit", or more advanced queries which mix proxy logs with Snort alerts to find correlated alerts like: "user_agent:java groupby:srcip | subsearch(sig_msg:trojan)" and then send that to a connector, like email alerts, which is built-in. You can also easily write your own plugin in a few lines of Perl (or whatever language you want, then invoke from Perl) to do more advanced things, like shutdown ports, login to web apps, etc. If you want, you can post your specific use case over on the ELSA mailing list (enterprise-log-search-and-archive.googlegroups.com) and I'll write the plugin for you.

On Thu, Feb 7, 2013 at 11:11 AM, Nicholas Horton <fivetenets () me com> wrote:

Thanks Jeremy. Thanks James. I'll take a look at them.

Nick

On Feb 7, 2013, at 12:01 PM, "Lay, James" <james.lay () wincofoods com> wrote:

-----Original Message-----
From: Jeremy Hoel [mailto:jthoel () gmail com]
Sent: Thursday, February 07, 2013 9:50 AM
To: Nicholas Horton
Cc: Michael Steele; Snort Users
Subject: Re: [Snort-users] Real Time Alert and Variables

You might want to check out ELSA and greylog. We use greylog to get emails from logs that go to it. They are kind of log viewers that are both getting better.

WOTS (perl) and SEC (Simple Event Correlator) come to mind as well.

James
------------------------------------------------------------------------------ Free Next-Gen Firewall Hardware Offer Buy your Sophos next-gen firewall before the end March 2013 and get the hardware for free! Learn more. http://p.sf.net/sfu/sophos-d2d-feb
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
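The correlation Martin describes ("user_agent:java groupby:srcip | subsearch(sig_msg:trojan)": proxy hits from Java clients, grouped by source IP, then narrowed to hosts that also triggered a Snort alert whose message mentions a trojan) is easy to reproduce outside ELSA, which makes it a useful check that a query is doing what you think before wiring it to an email connector. The following is an added example, not code from ELSA, Snort or anyone in this thread: it runs the same two-stage logic in plain Python over a handful of constructed sample lines (Snort alert_fast format and Apache combined-style proxy lines with the User-Agent in the last field; the SIDs, hosts and timestamps are made up). The `alert_field` parameter is this example's own addition: for inbound alerts such as exploit-kit landing pages the internal host is the alert's destination, not its source, and a correlation keyed on the wrong field silently returns nothing.

```python
"""Correlate proxy hits by User-Agent with Snort alerts by host (added example)."""
import re
from collections import defaultdict

# Constructed Snort alert_fast lines for this example; SIDs and hosts are not real.
SNORT_ALERTS = [
    "02/11-21:50:03.112233  [**] [1:2000001:3] ET TROJAN Possible Downloader Checkin [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49152 -> 203.0.113.10:80",
    "02/11-21:50:07.445566  [**] [1:2000002:1] ET POLICY Java Update Check [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.0.0.7:49160 -> 203.0.113.10:80",
    "02/11-21:52:00.778899  [**] [1:2000003:2] ET TROJAN Zeus Post [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.6:49170 -> 198.51.100.20:443",
]

# Constructed proxy lines in Apache "combined" style (last quoted field is the User-Agent).
PROXY_LOGS = [
    '10.0.0.5 - - [11/Feb/2013:21:50:01 -0500] "GET http://203.0.113.10/jar/update.jar HTTP/1.1" 200 4821 "-" '
    '"Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_31"',
    '10.0.0.6 - - [11/Feb/2013:21:50:05 -0500] "GET http://example.com/ HTTP/1.1" 200 1234 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"',
    '10.0.0.7 - - [11/Feb/2013:21:51:10 -0500] "GET http://203.0.113.10/jar/app.jar HTTP/1.1" 200 5120 "-" '
    '"Java/1.7.0_11"',
]

# alert_fast: "[**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]"
SNORT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# combined log: client ident user [ts] "request" status bytes "referer" "user-agent"
PROXY_RE = re.compile(
    r'^(?P<src>[\d.]+)\s+\S+\s+\S+\s+\[(?P<ts>[^\]]+)\]\s+"(?P<req>[^"]*)"\s+'
    r'(?P<status>\d+)\s+\S+\s+"[^"]*"\s+"(?P<ua>[^"]*)"'
)


def parse_snort(lines):
    """Return one dict (gid, sid, rev, msg, proto, src, dst) per parseable alert line."""
    return [m.groupdict() for m in (SNORT_RE.search(l) for l in lines) if m]


def parse_proxy(lines):
    """Return one dict (src, ts, req, status, ua) per parseable proxy line."""
    return [m.groupdict() for m in (PROXY_RE.match(l) for l in lines) if m]


def correlate(proxy_lines, snort_lines, ua_term="java", msg_term="trojan", alert_field="src"):
    """Two-stage search mirroring 'user_agent:<ua_term> groupby:srcip | subsearch(sig_msg:<msg_term>)'.

    Stage 1 groups proxy hits whose User-Agent contains ua_term by client IP.
    Stage 2 keeps only alerts whose message contains msg_term and whose
    alert_field ("src" or "dst") names one of those clients.
    Returns {host: [alert messages]} in alert order; {} when nothing correlates.
    """
    ua_term, msg_term = ua_term.lower(), msg_term.lower()
    hits_per_host = defaultdict(int)
    for rec in parse_proxy(proxy_lines):
        if ua_term in rec["ua"].lower():
            hits_per_host[rec["src"]] += 1
    correlated = {}
    for alert in parse_snort(snort_lines):
        host = alert[alert_field]
        if msg_term in alert["msg"].lower() and host in hits_per_host:
            correlated.setdefault(host, []).append(alert["msg"])
    return correlated


def render_alert(correlated):
    """Plain-text body of the kind a connector (email, ticket) would send."""
    if not correlated:
        return "no correlated hosts"
    out = []
    for host, msgs in sorted(correlated.items()):
        out.append(f"{host}: {len(msgs)} alert(s)")
        out.extend(f"  - {m}" for m in msgs)
    return "\n".join(out)


if __name__ == "__main__":
    print(render_alert(correlate(PROXY_LOGS, SNORT_ALERTS)))
```

On the sample data only 10.0.0.5 survives both stages: 10.0.0.7 fetched a jar with a Java User-Agent but only raised a POLICY alert, and 10.0.0.6 raised a TROJAN alert but was not a Java client. Running the same query with `alert_field="dst"` returns nothing here because every alert's destination is external, which is exactly the silent miss to watch for when the signature fires on inbound traffic.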
Current thread:
- Re: Real Time Alert and Variables, (continued)
- Re: Real Time Alert and Variables Michael Steele (Jan 31)
- Message not available
- Re: Real Time Alert and Variables Michael Steele (Jan 31)
- Re: Real Time Alert and Variables Justin (Jan 31)
- Re: Real Time Alert and Variables Nicholas Horton (Feb 06)
- Re: Real Time Alert and Variables Joel Esler (Feb 06)
- Re: Real Time Alert and Variables Nicholas Horton (Feb 07)
- Re: Real Time Alert and Variables Jeremy Hoel (Feb 07)
- Re: Real Time Alert and Variables Lay, James (Feb 07)
- Re: Real Time Alert and Variables Nicholas Horton (Feb 07)
- Re: Real Time Alert and Variables Martin Holste (Feb 11)
- Re: Real Time Alert and Variables Nicholas Horton (Feb 12)
- Re: Real Time Alert and Variables Nicholas Horton (Feb 12)