Snort mailing list archives
RE: RES: sending alerts by email / active response Win2K system [RMC-J7FLJI4]
From: "Michael Steele" <michaels () silicondefense com>
Date: Tue, 28 Jan 2003 13:47:28 -0800
Ken,

Windows, Nope :( Does one thing and does it well, maybe a conversion by someone in the future.

-Michael
--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Bradley, Kenneth TSgt - Fis 33
Sent: Tuesday, January 28, 2003 1:08 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] RES: sending alerts by email / active response Win2K system [RMC-J7FLJI4]

There's a tool called "swatch" (http://www.oit.ucsb.edu/~eta/swatch/swatch.html) that I use in a Linux environment. I'm not sure if there's a Windows port available; however, this tool watches files for specific text, then forks a system process like mail, wall, or anything you can dream of. I've seen this work really well in hybrid (*nix/Windows) environments. If you can't find a good tool like swatch in the winworld, consider a standalone Linux box. With tools like Samba and mail, you should not have any problems communicating between these two worlds.

Ken Bradley

-----Original Message-----
From: Romulo M. Cholewa [mailto:rmc () rmc eti br]
Sent: Tuesday, January 28, 2003 2:22 PM
To: Michael Steele; snort-users () lists sourceforge net
Subject: [Snort-users] RES: sending alerts by email / active response Win2K system [RMC-J7FLJI4]

Hi Michael,

That's good news. With Syslog Daemon, I can configure it to submit the snort alert log to the system event log. Then I can use an app like EventWatchNT to send specific alerts to an email address. You can find EventWatchNT here: http://www.webattack.com/get/eventwatch.shtml

When I get to the lab I'll test it.

Thanks!

Romulo M. Cholewa.
-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Tue 1/28/2003 13:44
To: Romulo M. Cholewa; snort-users () lists sourceforge net
Cc:
Subject: RE: sending alerts by email / active response Win2K system [RMC-J7FLJI4]

Romulo,

You will need something like Syslog Daemon and run the alerts through that. It has an option of emailing on certain triggers. If you find a free tool that works, please let us Windows folks know. The alerts can be sent to the Event Viewer, application log in Windows, and if you can find something to parse that file and alert, that would be great.

-Michael
--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Romulo M. Cholewa
Sent: Monday, January 27, 2003 8:05 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] sending alerts by email / active response Win2K system [RMC-J7FLJI4]

Hi All,

Sorry about this bunch of newbie questions.

I'm in the process of evaluating snort, and it's being used on Windows 2000 Server. Everything is running really smoothly. I had a BSOD, but I think it's related to the packet capture driver version.

I would like to ask experienced snort users if there are any ways of emailing some alerts (maybe a perl script of some sort that would parse the alert.ids file and send emails if it finds a specific alert). Also, if there are any ways of automating the process of dynamically filtering out some kinds of attacks. I already know that it will not be easy with Windows 2000, but maybe snort can be used together with some firewall / filtering product available. Currently using Zone Alarm Pro.
If these things are possible, I would like to thank in advance anyone who could point me in the right direction.

Thanks again,

Romulo M. Cholewa
Home : http://www.rmc.eti.br
Forum: http://zeus.rmc.eti.br/forum
PGP Keys Available @ website.
"Those who make peaceful revolution impossible will make violent revolution inevitable." -- JFK.

-------------------------------------------------------
This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
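The two approaches discussed in the thread, a script that parses alert.ids and mails on a specific alert (Romulo's question) and a swatch-style watcher that reads only what was appended to a log file and acts on matching text (Ken's suggestion), combined into one added example in Python. This is not code from the thread or from the Snort project. The alert records in SAMPLE, the addresses and the SMTP host are constructed for illustration; the parser assumes Snort's "full" alert format (header line, classification/priority line, timestamp and endpoints line), and a watchlist keyed on (gid, sid) or a priority threshold decides what gets mailed.

```python
"""Watch a Snort full-format alert file for a watchlist of signatures and
e-mail the matches. Added example, not from the list or the Snort project;
SAMPLE, the addresses and the SMTP host are constructed for illustration."""
import os
import re
import smtplib
import tempfile
from email.message import EmailMessage

# Constructed alert.ids content in Snort's full alert format (three records,
# each terminated by a blank line, as Snort writes them).
SAMPLE = """\
[**] [1:1000001:1] ICMP test [**]
[Classification: Misc activity] [Priority: 3]
01/28-13:47:28.123456 10.0.0.5 -> 10.0.0.1
ICMP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1234   Seq:1  ECHO

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
01/28-13:48:02.000001 192.0.2.10:3312 -> 10.0.0.80:80
TCP TTL:113 TOS:0x0 ID:9912 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x4000  TcpLen: 20

[**] [1:2003:2] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/28-13:48:05.000002 198.51.100.7:1434 -> 10.0.0.80:1434
UDP TTL:110 TOS:0x0 ID:1 IpLen:20 DgmLen:404

"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")


def parse_alerts(text):
    """Split blank-line separated records and extract gid/sid/rev, message,
    priority, timestamp and endpoints. Non-record blocks are skipped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # junk or a record without a proper header line
        gid, sid, rev, msg = m.groups()
        alert = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
                 "priority": None, "time": None, "src": None, "dst": None}
        for ln in lines[1:]:
            p = PRIORITY_RE.search(ln)
            if p:
                alert["priority"] = int(p.group(1))
            f = FLOW_RE.match(ln)
            if f:
                alert["time"], alert["src"], alert["dst"] = f.groups()
        alerts.append(alert)
    return alerts


def select(alerts, watch=frozenset(), max_priority=None):
    """Keep alerts whose (gid, sid) is on the watchlist or whose priority is
    at or below max_priority (in Snort, priority 1 is the most severe)."""
    hits = []
    for a in alerts:
        if (a["gid"], a["sid"]) in watch:
            hits.append(a)
        elif max_priority is not None and a["priority"] is not None \
                and a["priority"] <= max_priority:
            hits.append(a)
    return hits


def build_mail(alerts, sender, recipient):
    """One message summarising the matched alerts, one line per alert."""
    msg = EmailMessage()
    msg["Subject"] = "[snort] %d alert(s) matched watchlist" % len(alerts)
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content("\n".join(
        "%s [%d:%d:%d] P%s %s %s -> %s" % (a["time"], a["gid"], a["sid"], a["rev"],
                                            a["priority"], a["msg"], a["src"], a["dst"])
        for a in alerts))
    return msg


def read_new(path, offset):
    """Swatch-style incremental read: return text appended since `offset` and
    the new offset. A trailing partial record (Snort still writing it) is held
    back, since every complete record ends with a blank line."""
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
    cut = data.rfind(b"\n\n")
    if cut < 0:
        return "", offset
    cut += 2
    return data[:cut].decode("utf-8", "replace"), offset + cut


def notify(path, offset, watch, sender, recipient, smtp_host=None):
    """One polling round: parse what is new, mail the matches (only when an
    SMTP host is given) and return (hits, new_offset) for the next round."""
    text, offset = read_new(path, offset)
    hits = select(parse_alerts(text), watch)
    if hits and smtp_host:
        with smtplib.SMTP(smtp_host) as s:  # assumed: plain SMTP relay on port 25
            s.send_message(build_mail(hits, sender, recipient))
    return hits, offset


def demo():
    """Write SAMPLE to a temp file in two steps, cutting mid-record the first
    time, and poll twice; returns the hit count of each round."""
    path = os.path.join(tempfile.mkdtemp(), "alert.ids")
    watch = {(1, 1256), (1, 2003)}
    cut = SAMPLE.index("CodeRed")  # second record is half-written in round 1
    with open(path, "wb") as f:
        f.write(SAMPLE[:cut].encode())
    hits1, off = notify(path, 0, watch, "snort@example.test", "soc@example.test")
    with open(path, "ab") as f:
        f.write(SAMPLE[cut:].encode())
    hits2, off = notify(path, off, watch, "snort@example.test", "soc@example.test")
    return len(hits1), len(hits2)


if __name__ == "__main__":
    print(demo())
```

Running the block polls the constructed file twice: the first round sees only the completed ICMP record (not on the watchlist) and holds the half-written CodeRed record back, the second round picks up both remaining records and would mail them if an SMTP host were given. A real deployment would loop `notify` on a timer and persist the offset across restarts.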
Current thread:
- RE: RES: sending alerts by email / active response Win2K system [RMC-J7FLJI4] Bradley, Kenneth TSgt - Fis 33 (Jan 28)
- RE: RES: sending alerts by email / active response Win2K system [RMC-J7FLJI4] Michael Steele (Jan 28)