Snort mailing list archives
RE: Best real-time alerting tool
From: John Ruff <john () dndlabs net>
Date: Sun, 9 Jun 2002 12:09:53 -0400
One should certainly look into PureSecure from Demarc. It utilizes SNORT, Apache, & MySQL. All the functionality of ACID is there along with configuration of rules, and sensors themselves...all from the Web interface. It also includes Alert functionality for Snort alerts and the availability (up-time) of critical services (HTTP/S, DNS,...etc). Note that the product requires purchasing for commercial use (Enterprise Edition), but the Personal Edition for home use is free. In my opinion it is ACID on steroids. You can read more about the product here: http://www.demarc.com

Also you can visit my deployment on my home network here: https://puresecure.dndlabs.net:8443 Click "Anonymous" at the Login screen. You will not be able to view rule and alerting configs but you can email me if you would like a login for that.

Cheers!

John

--
GnuPG Public Key: https://www.dndlabs.net/pgpkey/listing.php
Key Fingerprint = 73D0 EDCC D5ED A6C0 1324 A85E 4957 D3C6 FA6C F3AE

--__--__--

Message: 1
From: Fraser Hugh <hugh_fraser () dofasco ca>
To: "Snort List (E-mail)" <snort-users () lists sourceforge net>, "'paul.sheahan () priceline com'" <paul.sheahan () priceline com>
Subject: RE: [Snort-users] Best real-time alerting tool
Date: Thu, 6 Jun 2002 09:58:32 -0400

As is often the case, it depends upon how much budget you have to spend on the solution. There are very good commercial solutions (NetCool is one I've seen in action; expensive, but very comprehensive and would do everything you're asking for). On the assumption that you're using Snort because it's both an excellent tool and inexpensive to deploy, I'll recommend ACID as an analysis and real-time display tool. But I prefer exception reporting, so I've configured Snort to log to a database, and have developed some scripts and triggers to watch events as they occur and page/email me if I've flagged them in an additional database table. Nothing terribly sophisticated. Paging is handled using Hylafax.

I've also written some simple perl scripts to incorporate SNMP events from a commercial IDS we're using, and a syslog handler to process W2K and NT events forwarded through a syslog service. These non-Snort events all get munged and inserted into the database to be analyzed by ACID. If Snort is configured to log to a database, it will support multiple sensors, and ACID can be used to do some correlation. If, by correlation, you mean more sophisticated functions to do event reduction, suppression, etc., then there's not much non-commercial software available. SEC (Simple Event Correlation) can do some of this, but it's not well integrated into other tools. I'm currently playing with some statistical analysis (control chart theory) to watch for changes in behaviour, and have good results sifting through the thousands of events I see each day to pick out the handful of significant things.

Hope this helps.
I'm starting research for the best real time alerting tool for Snort and want to get feedback from everyone. I'm looking for the following features, can anyone recommend a product or products? I need these features:

* Real time window where I can watch alerts as they occur
* Real time alerting option via email and/or pager for alerts I choose
* Best tool for correlation and historical analysis of data across multiple Snort sensors

Thanks!

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com
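The exception-reporting setup Fraser Hugh describes (Snort logging to a database, a watcher that pages or mails only on events flagged in an extra table) sketched as an added example that is not code from anyone in this thread. The `signature`, `event` and `iphdr` tables follow the column names of Snort's database output schema, but the rows are constructed, SQLite stands in for MySQL, and the `watchlist` table and its `notify` column are assumptions since the thread does not describe the flag table.

```python
import ipaddress
import sqlite3

# Constructed stand-in for the tables Snort's database plugin writes, plus the
# analyst-maintained "watchlist" table (an assumption: name and layout are not
# given in the thread). Snort stores IPs as unsigned integers, hence ip_src/ip_dst ints.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    PRIMARY KEY (sid, cid));
CREATE TABLE watchlist (sig_id INTEGER PRIMARY KEY, notify TEXT);
"""


def open_sample_db():
    """Build an in-memory database with made-up events from two sensors (sid 1, 2)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?,?,?)", [
        (1, "ICMP PING NMAP", 2), (2, "WEB-IIS cmd.exe access", 1), (3, "ICMP PING", 3)])
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", [
        (1, 1, 3, "2002-06-06 09:00:01"), (1, 2, 1, "2002-06-06 09:00:05"),
        (1, 3, 2, "2002-06-06 09:01:10"), (2, 1, 2, "2002-06-06 09:01:12"),
        (1, 4, 3, "2002-06-06 09:02:00")])
    conn.executemany("INSERT INTO iphdr VALUES (?,?,?,?)", [
        (1, 1, 3232235777, 3232235786), (1, 2, 3232235777, 3232235786),
        (1, 3, 167772161, 3232235786), (2, 1, 167772161, 3232235787),
        (1, 4, 3232235778, 3232235786)])
    # Only these signature ids are worth a page or a mail; plain pings stay in ACID.
    conn.executemany("INSERT INTO watchlist VALUES (?,?)", [(2, "pager"), (1, "email")])
    return conn


def new_flagged_events(conn, last_seen):
    """Return watchlisted events not yet reported and advance the per-sensor
    high-water mark (sid -> highest cid seen) so each alert is reported once."""
    rows = conn.execute("""
        SELECT e.sid, e.cid, e.timestamp, s.sig_name, w.notify, i.ip_src, i.ip_dst
        FROM event e
        JOIN signature s ON s.sig_id = e.signature
        JOIN watchlist w ON w.sig_id = e.signature
        LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        ORDER BY e.sid, e.cid""").fetchall()
    fresh = []
    for sid, cid, ts, name, notify, src, dst in rows:
        if cid <= last_seen.get(sid, 0):
            continue  # already reported on a previous poll
        last_seen[sid] = cid  # rows are ordered by cid within a sensor
        fresh.append((sid, cid, ts, name, notify,
                      str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))))
    return fresh
```

A real watcher would run `new_flagged_events` on a timer (or from a trigger) against the live Snort database and hand each row to the mail or paging command named in `notify`.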