RE: Alerting Snort (sending alert through pager)

[Alwin Raymundo <alrayworld () yahoo com>]

Hi Jeff,

I'm using redhat 7.0 on my snort but the logging
facility that I setup was mysql and binary.

Logging all alerts to mysql is another linux box which
is internal (intranet).  The binary is log through
snort box /var/log/snort

It is possible that you have a third logging options
like in syslog?.

your quick response will be highly appreciated.

Thanks in advance.



--- "Wirth, Jeff" <WirthJe () DNB com> wrote:
> From: Alwin Raymundo [mailto:alrayworld () yahoo com]
> > Hi Jeff,
>
> Hello Alwin...
>
> > I'm reading your response regarding the "Alerting
> > snort using swatch".  Im very interested regarding
> > sending an email or page to my RIM.
> >
> > I look at the snort FAQ but I cant find detailed
> > information regarding ATTACK RESPONSE I know this
> > alert will not create a false positive alert.
>              ^^^
> Well, I wouldn't go that far...I've had a *few*
> (luckily not at 2:00 am, yet
> ;-), but I am willing to live with this..
>
> > Can you give me some direction or some sort of how
> to.
>
> If you are thinking about swatch as a solution and
> it's not the only one,
> check-out...
>
> http://www.oit.ucsb.edu/~eta/swatch/
>
> http://rr.sans.org/sysadmin/swatch.php
>
> http://www.enteract.com/~lspitz/swatch.html
http://www.cert.org/security-improvement/implementations/i042.01.html
> >  Do I need to add some parameters to
> > attack-response.rules?
>
> Nope.  Swatch will monitor your syslog entries
> looking for entries that you
> define.  If it makes a match it will react as you
> instruct it to, i.e.
> e-mail your pager.  Which means you need to be
> logging Snort to syslog..
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.1
> , also check
> your local man page for syslog and syslogd for
> additional information (you
> are running *nix I hope).
>
> Side Note:.....I've seen too many people using
> commercial NIDS getting
> paged/e-mail on all sorts of attack stimulus (I
> think this is why e-mail
> filters where created).  And why, does attack
> stimulus == compromise? not
> quite.  Well then, does response == compromise? 
> maybe.  In short, response
> to stimulus is either black or white, it's is either
> what you expected or it
> isn't.  And it's the unexpected we need to be
> concerned with...
>
> Well have to go...My pager just went off ;-)
>
> Hope this helps,
>
> - Jeff


=====
Alwin Raymundo

__________________________________________________
Do You Yahoo!?
Yahoo! Health - your guide to health and wellness
http://health.yahoo.com

_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users