Snort mailing list archives

RE: Best real-time alerting tool


From: John Ruff <john () dndlabs net>
Date: Sun, 9 Jun 2002 12:09:53 -0400

One should certainly look into PureSecure from Demarc.  It utilizes SNORT, 
Apache, & MySQL.  All the functionality of ACID is there along with 
configuration of rules, and sensors themselves...all from the Web interface.  
It also includes Alert functionality for Snort alerts and the availability 
(up-time) of critical services (HTTP/S, DNS,...etc).  Note that the product 
requires purchasing for commercial use (Enterprise Edition), but the Personal 
Edition for home use is free.  In my opinion it is ACID on steroids.

You can read more about the product here: http://www.demarc.com

Also you can visit my deployment on my home network here: 
https://puresecure.dndlabs.net:8443

Click "Anonymous" at the Login screen.  You will not be able to view rule and 
alerting configs but you can email me if you would like a login for that.

Cheers!
John
-- 
GnuPG Public Key: https://www.dndlabs.net/pgpkey/listing.php
Key Fingerprint = 73D0 EDCC D5ED A6C0 1324  A85E 4957 D3C6 FA6C F3AE

--__--__--

Message: 1
From: Fraser Hugh <hugh_fraser () dofasco ca>
To: "Snort List (E-mail)" <snort-users () lists sourceforge net>,
        "'paul.sheahan () priceline com'" <paul.sheahan () priceline com>
Subject: RE: [Snort-users] Best real-time alerting tool
Date: Thu, 6 Jun 2002 09:58:32 -0400 

As is often the case, it depends upon how much budget you have to spend on
the solution. There are very good commercial solutions (NetCool is one I've
seen in action; expensive, but very comprehensive and would do everything
you're asking for).

On the assumption that you're using Snort because it's both an excellent
tool and inexpensive to deploy, I'll recommend ACID as an analysis and
real-time display tool. But I prefer exception reporting, so I've configured
Snort to log to a database, and have developed some scripts and triggers to
watch events as they occur and page/email me if I've flagged them in an
additional database table. Nothing terribly sophisticated. Paging is handled
using Hylafax. I've also written some simple perl scripts to incorporate
SNMP events from a commercial IDS we're using, and a syslog handler to
process W2K and NT events forwarded through a syslog service. These
non-Snort events all get munged and inserted into the database to be
analyzed by ACID.

If Snort is configured to log to a database, it will support multiple
sensors, and ACID can be used to do some correlation. If, by correlation, you
mean more sophisticated functions to do event reduction, suppression, etc.,
then there's not much non-commercial software available. SEC (Simple Event
Correlation) can do some of this, but it's not well integrated into other
tools. I'm currently playing with some statistical analysis (control chart
theory) to watch for changes in behaviour, and have good results sifting
through the thousands of events I see each day to pick out the handful of
significant things.

Hope this helps.


I'm starting research for the best real time alerting tool for Snort and
want to get feedback from everyone. I'm looking for the following features,
can anyone recommend a product or products? I need these features:

*     Real time window where I can watch alerts as they occur
*     Real time alerting option via email and/or pager for 
alerts I choose
*     Best tool for correlation and historical analysis of data across
multiple Snort sensors

Thanks!

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com

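The exception-reporting setup Fraser describes (Snort logging to a database, a script watching for new events whose signature is flagged in an additional table, and paging or mailing on a match) can be sketched as a small polling script. The following is an added example, not code from the thread or from Snort/ACID. The tables are a simplified model of what Snort's database output plugin writes (event, signature, iphdr); the `watch` and `watermark` tables, the sample rows, and the `poll()`/`demo()` functions are constructed for this example.

```python
"""Exception reporting over a Snort event database, as a polling script.

Schema is a simplified version of the tables Snort's database output plugin
creates (event, signature, iphdr). The 'watch' and 'watermark' tables and all
rows below are constructed for this example.
"""
import socket
import sqlite3
import struct

SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    PRIMARY KEY (sid, cid));
-- Hypothetical table for this example: signatures to page/email on.
CREATE TABLE watch (sig_id INTEGER PRIMARY KEY, notify TEXT);
-- Hypothetical per-sensor watermark so repeated polls never re-alert.
CREATE TABLE watermark (sid INTEGER PRIMARY KEY, last_cid INTEGER);
"""


def ip2int(dotted):
    """Snort stores addresses as unsigned 32-bit integers."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def int2ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def build_sample_db():
    """In-memory database with constructed sample events from two sensors."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?,?,?)", [
        (1, "WEB-IIS cmd.exe access", 1),
        (2, "ICMP PING NMAP", 3),
        (3, "SNMP public access udp", 2),
    ])
    events = [  # (sid, cid, signature, timestamp, src, dst)
        (1, 1, 2, "2002-06-06 09:00:01", "10.0.0.5", "192.168.1.10"),
        (1, 2, 1, "2002-06-06 09:00:07", "10.0.0.5", "192.168.1.10"),
        (1, 3, 1, "2002-06-06 09:00:09", "10.0.0.6", "192.168.1.10"),
        (2, 1, 3, "2002-06-06 09:01:00", "10.0.0.7", "192.168.1.20"),
    ]
    for sid, cid, sig, ts, src, dst in events:
        conn.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?,?,?,?)",
                     (sid, cid, ip2int(src), ip2int(dst)))
    # Only the IIS and SNMP signatures are flagged; NMAP pings are noise here.
    conn.execute("INSERT INTO watch VALUES (1, 'page')")
    conn.execute("INSERT INTO watch VALUES (3, 'email')")
    conn.commit()
    return conn


def poll(conn):
    """Return (notify, message) for every new event whose signature is in
    'watch', then advance each sensor's watermark past everything seen."""
    rows = conn.execute("""
        SELECT e.sid, e.cid, s.sig_name, e.timestamp, i.ip_src, i.ip_dst, w.notify
        FROM event e
        JOIN signature s ON s.sig_id = e.signature
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        JOIN watch w ON w.sig_id = e.signature
        LEFT JOIN watermark m ON m.sid = e.sid
        WHERE e.cid > COALESCE(m.last_cid, 0)
        ORDER BY e.sid, e.cid
    """).fetchall()
    alerts = [(notify, f"[sensor {sid} #{cid}] {ts} {name} {int2ip(src)} -> {int2ip(dst)}")
              for sid, cid, name, ts, src, dst, notify in rows]
    # Move the watermark to the highest cid per sensor, flagged or not.
    for sid, last in conn.execute("SELECT sid, MAX(cid) FROM event GROUP BY sid"):
        conn.execute("INSERT OR REPLACE INTO watermark VALUES (?,?)", (sid, last))
    conn.commit()
    return alerts


def demo():
    """Two consecutive polls: the first fires, the second is idempotent."""
    conn = build_sample_db()
    return poll(conn), poll(conn)


if __name__ == "__main__":
    for notify, msg in demo()[0]:
        print(notify, msg)  # hand 'page' rows to hylafax, 'email' rows to sendmail
```

The watermark is keyed on the sensor id because `cid` restarts per sensor; without it a cron-driven poll would page on the same event every minute. One caveat for a live database: Snort inserts the `event` row and its `iphdr` row as separate statements, so a poll that lands between them will skip that event on the inner join and then move the watermark past it. Polling only events older than a few seconds, or joining `iphdr` with a LEFT JOIN, closes that gap.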

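Fraser's other idea, control-chart statistics over daily event volume to pick out behaviour changes, is shown below as an added example (not code from the thread). It is a Shewhart individuals chart: each day's count for a signature is compared against limits of mean ± 3σ computed over a sliding baseline of the preceding days, and a flagged day is kept out of the baseline so one scan day does not inflate the limits for the next week. The counts, the 7-day window, the σ floor and the function names are all assumptions made for this example.

```python
"""Control-chart detection of volume changes in Snort events (added example).

A Shewhart individuals chart over daily counts for one signature: points
outside mean +/- k*sigma of a sliding baseline are 'out of control'. Both
directions matter: a spike is a scan or new worm, a drop is often a sensor
that stopped reporting.
"""
import statistics

# Constructed daily counts for one signature; days 12 and 14 are the anomalies.
SAMPLE_SERIES = [
    ("2002-06-01", 98), ("2002-06-02", 103), ("2002-06-03", 97),
    ("2002-06-04", 101), ("2002-06-05", 99), ("2002-06-06", 102),
    ("2002-06-07", 100), ("2002-06-08", 96), ("2002-06-09", 104),
    ("2002-06-10", 100), ("2002-06-11", 105), ("2002-06-12", 130),
    ("2002-06-13", 101), ("2002-06-14", 60),
]


def control_limits(baseline, k=3.0, min_sigma=1.0):
    """Return (mean, upper, lower) limits for a baseline of daily counts.

    min_sigma floors the spread so a perfectly flat baseline (sigma 0)
    does not flag a one-event wobble as an incident.
    """
    mean = statistics.fmean(baseline)
    sigma = statistics.stdev(baseline) if len(baseline) > 1 else 0.0
    sigma = max(sigma, min_sigma)
    return mean, mean + k * sigma, max(0.0, mean - k * sigma)


def out_of_control(series, window=7, k=3.0):
    """Walk (day, count) pairs in order and return the out-of-control days.

    The baseline is the last `window` in-control days; flagged days are
    excluded so an attack does not widen the limits for later days.
    """
    baseline = []
    flagged = []
    for day, count in series:
        if len(baseline) >= window:
            mean, upper, lower = control_limits(baseline[-window:], k)
            if count > upper or count < lower:
                direction = "high" if count > upper else "low"
                flagged.append((day, count, direction, round(mean, 1)))
                continue  # keep the anomaly out of the baseline
        baseline.append(count)
    return flagged


if __name__ == "__main__":
    for day, count, direction, mean in out_of_control(SAMPLE_SERIES):
        print(f"{day}: {count} events ({direction}; baseline mean {mean})")
```

In practice the series comes from one `SELECT date(timestamp), COUNT(*) ... GROUP BY` per signature over the ACID database, and the window should be long enough to cover a weekly cycle, since weekday/weekend differences alone will trip a short baseline.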


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users