Snort mailing list archives

RE: Alerting Snort (sending alert through pager)


From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Fri, 3 May 2002 12:25:36 -0400

From: Alwin Raymundo [mailto:alrayworld () yahoo com]
Hi Jeff,

Hello Alwin...


I'm reading your response regarding the "Alerting
snort using swatch".  I'm very interested in
sending an email or page to my RIM.

I looked at the snort FAQ but I can't find detailed
information regarding ATTACK RESPONSE.  I know this
alert will not create a false positive alert.
             ^^^
Well, I wouldn't go that far...I've had a *few* (luckily not at 2:00 am, yet
;-), but I am willing to live with this..


Can you give me some direction or some sort of how-to?

If you are thinking about swatch as a solution (and it's not the only one),
check out...

http://www.oit.ucsb.edu/~eta/swatch/

http://rr.sans.org/sysadmin/swatch.php

http://www.enteract.com/~lspitz/swatch.html

http://www.cert.org/security-improvement/implementations/i042.01.html

Do I need to add some parameters to
attack-response.rules?

Nope.  Swatch will monitor your syslog entries looking for entries that you
define.  If it makes a match it will react as you instruct it to, i.e.
e-mail your pager.  Which means you need to be logging Snort to syslog..
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.1, also check
your local man page for syslog and syslogd for additional information (you
are running *nix I hope).

Side Note:.....I've seen too many people using commercial NIDS getting
paged/e-mailed on all sorts of attack stimulus (I think this is why e-mail
filters were created).  And why?  Does attack stimulus == compromise?  Not
quite.  Well then, does response == compromise?  Maybe.  In short, response
to stimulus is either black or white; it is either what you expected or it
isn't.  And it's the unexpected we need to be concerned with...

Well, have to go...My pager just went off ;-)

Hope this helps,

- Jeff
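Jeff's answer describes swatch watching syslog for the Snort entries you define and reacting by e-mailing a pager, paging on responses rather than on every bit of attack stimulus. The script below is an added example written for this archive page; it is not swatch's or Snort's code and was not posted in the thread. It does the same filtering in Python over a handful of constructed syslog lines: it parses the Snort syslog alert layout, pages only when the rule message is from the attack-responses class, ignores plain stimulus rules and non-Snort lines, and throttles repeat pages for the same rule/source/destination pair (the same idea as swatch's throttle option). Every hostname, address, rule ID and log line is constructed; the `Pager`, `parse_alert`, `is_response` and `run` names are this example's own.

```python
"""Page-worthy Snort events from syslog lines.

Added example for the thread above; not swatch or Snort code.  It watches
syslog-style lines for Snort alerts, pages only on attack-responses rules
(response, not stimulus) and throttles repeats so one noisy host cannot
page you all night.  All lines, hosts, addresses and rule IDs below are
constructed sample data.
"""
import re

# Snort-to-syslog alert layout:
#   snort[pid]: [gid:sid:rev] MESSAGE [Classification: ...] [Priority: n]: {PROTO} src:port -> dst:port
# Ports are optional so ICMP-style lines without them also parse.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pri"] = int(ev["pri"])
    return ev


def is_response(event):
    """True for rules from attack-responses.rules, whose messages start with
    'ATTACK RESPONSES' (older rule sets used 'ATTACK-RESPONSES')."""
    return event["msg"].upper().startswith(("ATTACK RESPONSES", "ATTACK-RESPONSES"))


class Pager:
    """Decides which alerts are worth a page; sending is left to the caller."""

    def __init__(self, window_seconds=600):
        self.window = window_seconds   # minimum gap between pages for one key
        self.last_sent = {}            # (sid, src, dst) -> time of last page
        self.sent = []                 # human-readable pages that went out
        self.suppressed = 0            # repeats dropped by the throttle

    def consider(self, line, now):
        """Evaluate one log line at time `now` (seconds); return True if paged."""
        ev = parse_alert(line)
        if ev is None or not is_response(ev):
            return False
        key = (ev["sid"], ev["src"], ev["dst"])
        last = self.last_sent.get(key)
        if last is not None and (now - last) < self.window:
            self.suppressed += 1
            return False
        self.last_sent[key] = now
        self.sent.append(f"{ev['msg']} {ev['src']} -> {ev['dst']} (pri {ev['pri']})")
        return True


def run(lines, pager=None):
    """Feed (timestamp_seconds, line) pairs through a Pager and return it."""
    pager = pager or Pager()
    for ts, line in lines:
        pager.consider(line, ts)
    return pager


# Constructed sample log: one stimulus alert, a response alert repeated three
# times (second copy inside the throttle window, third outside it), and an
# unrelated sshd line.  Rule IDs 9999001/9999002 are placeholders.
RESPONSE_LINE = (
    "May  3 12:20:06 sensor1 snort[4242]: [1:9999002:1] ATTACK RESPONSES constructed "
    "id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: "
    "{TCP} 198.51.100.5:80 -> 192.0.2.10:33400"
)
SAMPLE = [
    (0, "May  3 12:20:01 sensor1 snort[4242]: [1:9999001:1] WEB-ATTACKS constructed probe "
        "[Classification: Attempted Information Leak] [Priority: 2]: "
        "{TCP} 192.0.2.10:33400 -> 198.51.100.5:80"),
    (5, RESPONSE_LINE),
    (60, RESPONSE_LINE),
    (700, RESPONSE_LINE),
    (710, "May  3 12:31:51 sensor1 sshd[77]: Accepted publickey for ops from 192.0.2.20"),
]

if __name__ == "__main__":
    p = run(SAMPLE)
    for page in p.sent:
        print("PAGE:", page)
    print(f"pages sent: {len(p.sent)}, repeats suppressed: {p.suppressed}")
```

Run with `python3` and the stimulus alert and the sshd line produce nothing, the first response alert pages, the repeat 55 seconds later is suppressed, and the copy 695 seconds later pages again. Wire `Pager.consider` to a real mail or pager call only for the `True` path, and tune `window_seconds` to how often you are willing to be woken up by the same conversation.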







