IDS mailing list archives
Re: alert messages
From: "SecurIT Informatique Inc." <securit () iquebec com>
Date: Thu, 04 Mar 2004 15:31:46 -0500
Hello. I don't think there's any simple "math" to adequately answer your request, especially with so little specific info about the kind of alerts your sensor deals with. Anyway, that's not the point.
I have made a tool called LogAgent Pro 5.2 that was created partly in order to help solve this kind of problem. LogAgent is a log file monitoring and analyzing program, which will monitor in real time any ASCII log file and the Event Viewer and apply rules you have defined related to the appropriate fields for each log. Data can be gathered together in simple reports, which you can send when a certain number of alerts is reached and/or when a specified amount of time has elapsed. So, if you're receiving 65000 alerts from a noisy port scan, you can easily gather them into reports of 1000 events each, which would generate only 65 messages, while still catching less noisy scans by still sending a report when a time limit is reached without waiting to have collected 1000 events. You can also use this to get notified on Priority 1 alerts only, etc.
One of the rules you can use with LogAgent allows you to call external programs (like an SMS messaging program or a pager system), and pass log data as parameters so you can customize your alert messages more than just "You have received 1000 alerts."
It's true that you could achieve mostly the same results with some scripting, but if you're looking for an already built solution, here it is.
You can get an eval copy of the software at http://securit.iquebec.com/. Hope this helps.

Adam Richard
SécurIT Informatique Inc.

At 01:52 PM 03/03/2004, Rodrigo B. Ramos wrote:
Hi! Can anyone help me with the following job?

The X Company has more than 1000 machines (desktops and servers) on their WAN. They installed Snort as an IDS; they are logging remotely and sending alerts by email and by SMS to mobiles. What are the best steps to customize the alerts? The phone company thought that the servers were doing some spam jobs. They send many, many alerts and probably almost flood the phone company network.

What is the best way to tell the system to send alerts? Which math should I use? I know I have to disable some types of rules that just can't affect the environment, I know I can count packets by priorities, by type of alerts, by packets, ... But what math can I use to send the alerts without flooding mailboxes and mobiles?

Best Regards,
--
Rodrigo Buarque Ramos
GPG KEY ID: 0x71CFE098 --> http://pgp.mit.edu
Key fingerprint = F381 366D D233 22B4 7E72 A21D DE9B 2FF3 71CF E098
55 81 88513524
55 81 3463.1593
http://www.triforsec.com.br
http://www.defenselayer.com

---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN, wireless security
Protect your network against hackers, viruses, spam and other risks with Astaro Security Linux, the comprehensive security solution that combines six applications in one software solution for ease of use and lower total cost of ownership. Download your free trial at http://www.securityfocus.com/sponsor/Astaro_focus-ids_040301
---------------------------------------------------------------------------
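The count-or-time batching that Adam describes (flush a report when N alerts have accumulated, or when a time limit has passed since the first buffered alert, and pass Priority 1 alerts straight through to the pager) is easy to build with a script, as he notes. The following is an added illustration written for this archive page, not code from LogAgent or from either poster. It parses Snort "fast" alert lines (the sample lines are constructed, including the signature IDs and RFC 5737 addresses), and the external e-mail/SMS calls are left as lists so the logic can be run offline; a real deployment would hand `reports` and `urgent` to a mailer or a paging command.

```python
import re
import time
from collections import Counter

# Snort "fast" alert format, e.g.
# 03/04-15:31:46.000001  [**] [1:469:3] ICMP PING NMAP [**] [Classification: ...] [Priority: 2] {ICMP} 192.0.2.10 -> 10.0.0.1
# The regex covers only the fields this batcher needs.
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>\S+)\s+->\s+(?P<dst>\S+)$'
)


def parse_alert(line):
    """Return a dict of alert fields, or None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert['prio'] = int(alert['prio'])
    return alert


class AlertBatcher:
    """Buffer alerts and emit one summary report when either max_events
    alerts are buffered or max_age seconds have passed since the first
    buffered alert. Alerts at or above urgent_priority (lower number =
    more severe in Snort) are also passed through individually, so a
    real attack is not held back behind a batch of port-scan noise."""

    def __init__(self, max_events=1000, max_age=300, urgent_priority=1, clock=None):
        self.max_events = max_events
        self.max_age = max_age
        self.urgent_priority = urgent_priority
        self.clock = clock or time.time   # injectable for testing
        self.buffer = []
        self.first_ts = None
        self.reports = []   # summaries destined for e-mail
        self.urgent = []    # individual alerts destined for SMS/pager

    def feed(self, line):
        alert = parse_alert(line)
        if alert is None:
            return
        now = self.clock()
        if alert['prio'] <= self.urgent_priority:
            self.urgent.append(alert)
        if not self.buffer:
            self.first_ts = now
        self.buffer.append(alert)
        if len(self.buffer) >= self.max_events:
            self._flush('count')

    def tick(self):
        """Call periodically (e.g. from a timer) so partial batches go out."""
        if self.buffer and self.clock() - self.first_ts >= self.max_age:
            self._flush('time')

    def _flush(self, reason):
        # Summarise rather than forward: this is what turns 65000 scan
        # alerts into 65 messages instead of 65000 pages.
        report = {
            'reason': reason,
            'count': len(self.buffer),
            'by_priority': dict(Counter(a['prio'] for a in self.buffer)),
            'by_signature': dict(Counter(a['msg'] for a in self.buffer)),
            'top_sources': Counter(a['src'].rsplit(':', 1)[0]
                                   for a in self.buffer).most_common(3),
        }
        self.reports.append(report)
        self.buffer = []
        self.first_ts = None
        return report


class FakeClock:
    """Manually advanced clock so the time-based flush can be exercised."""
    def __init__(self, t=0.0):
        self.t = t

    def now(self):
        return self.t


def simulate(max_events=1000, max_age=300):
    """Constructed scenario: 2500 alerts from one noisy scanner, then a
    single Priority 1 alert, then the time limit expires."""
    clock = FakeClock()
    b = AlertBatcher(max_events=max_events, max_age=max_age, clock=clock.now)
    for i in range(2500):
        clock.t += 0.001
        b.feed(f"03/04-15:31:46.{i:06d}  [**] [1:469:3] ICMP PING NMAP [**] "
               f"[Classification: Attempted Information Leak] [Priority: 2] "
               f"{{ICMP}} 192.0.2.10 -> 10.0.0.{i % 254 + 1}")
    clock.t += 1.0
    # Constructed local-range signature standing in for a real attack alert.
    b.feed("03/04-15:31:49.000000  [**] [1:1000001:1] WEB-ATTACKS /bin/sh command attempt [**] "
           "[Classification: Web Application Attack] [Priority: 1] {TCP} "
           "198.51.100.7:41234 -> 10.0.0.20:80")
    clock.t += max_age
    b.tick()
    return b


if __name__ == '__main__':
    batcher = simulate()
    for r in batcher.reports:
        print(r['reason'], r['count'], r['by_priority'], r['top_sources'])
    print('urgent:', [(a['prio'], a['msg'], a['src']) for a in batcher.urgent])
```

With the defaults, the 2500 scan alerts produce two count-triggered reports of 1000, and the remaining 500 plus the Priority 1 alert go out in one time-triggered report of 501 once `tick()` sees the age limit exceeded; the Priority 1 alert is additionally sent on its own. Tuning `max_events` and `max_age` is the only "math" involved: the message rate is bounded by one report per `max_events` alerts or per `max_age` seconds, whichever comes first.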
Current thread:
- alert messages Rodrigo B. Ramos (Mar 03)
- RE: alert messages Aditya, ALD [Aditya Lalit Deshmukh] (Mar 04)
- Re: alert messages SecurIT Informatique Inc. (Mar 08)
- RE: alert messages Phil Hollows (Mar 12)
- Re: alert messages Thomas (Mar 12)