Snort mailing list archives

RE: RES: sending alerts by email / active response Win2K system [RMC-J7FLJI4]


From: "Michael Steele" <michaels () silicondefense com>
Date: Tue, 28 Jan 2003 13:47:28 -0800

Ken,

Windows, Nope :( Does one thing and does it well, maybe a conversion by someone in the future.

-Michael
-- 
 Michael Steele | System Engineer / Support Technician     
 mailto:michaels () silicondefense com    
 Silicon Defense: IDS solutions - http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org


-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
Bradley, Kenneth TSgt - Fis 33
Sent: Tuesday, January 28, 2003 1:08 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] RES: sending alerts by email / active response Win2K system [RMC-J7FLJI4]

There's a tool called "swatch"
(http://www.oit.ucsb.edu/~eta/swatch/swatch.html) that I use in a Linux
environment. I'm not sure if there's a Windows port available; however, this
tool watches files for specific text and then forks a system process like mail,
wall, or anything you can dream of. I've seen this work really well in
hybrid (*nix/Windows) environments. If you can't find a good tool like
swatch in the winworld, consider a standalone Linux box. With tools like
Samba and mail, you should not have any problems communicating between these
two worlds.

Ken Bradley

-----Original Message-----
From: Romulo M. Cholewa [mailto:rmc () rmc eti br]
Sent: Tuesday, January 28, 2003 2:22 PM
To: Michael Steele; snort-users () lists sourceforge net
Subject: [Snort-users] RES: sending alerts by email / active response
Win2K system [RMC-J7FLJI4]


Hi Michael,
 
That's good news. With Syslog Daemon, I can configure it to submit the snort
alert log to the system event log. Then, I can use an app like EventWatchNT,
to send specific alerts to an email address.
 
You can find EventWatchNT here:
 
http://www.webattack.com/get/eventwatch.shtml
 
When I get to the lab I'll test it. Thanks! 
 
Romulo M. Cholewa.
 
 

        -----Original Message-----
        From: Michael Steele [mailto:michaels () silicondefense com]
        Sent: Tue 1/28/2003 13:44
        To: Romulo M. Cholewa; snort-users () lists sourceforge net
        Cc:
        Subject: RE: sending alerts by email / active response Win2K system [RMC-J7FLJI4]
        
        

        Romulo, 

        You will need something like Syslog Daemon and run the alerts through
        that. It has an option of emailing on certain triggers. If you find a
        free tool that works, please let us Windows folks know. The alerts can
        be sent to the Event Viewer, application log in Windows and if you can
        find something to parse that file and alert, that would be great.

        -Michael 
        -- 
         Michael Steele | System Engineer / Support Technician     
         mailto:michaels () silicondefense com    
         Silicon Defense: IDS solutions - http://www.silicondefense.com 
         Snort: Open Source Network IDS - http://www.snort.org 


        -----Original Message-----
        From: snort-users-admin () lists sourceforge net
        [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Romulo M. Cholewa
        Sent: Monday, January 27, 2003 8:05 PM
        To: snort-users () lists sourceforge net
        Subject: [Snort-users] sending alerts by email / active response Win2K system [RMC-J7FLJI4]

        Hi All, 

        Sorry about this bunch of newbie questions. I'm in the process of
        evaluating snort, and it's being used on Windows 2000 Server.
        Everything is running really smoothly. I had a BSOD, but I think it's
        related to the packet capture driver version.

        I would like to ask experienced snort users if there are any ways of
        emailing some alerts (maybe a perl script of some sort that would parse
        the alert.ids file and send emails if it finds a specific alert). Also,
        if there are any ways of automating the process of dynamically
        filtering out some kinds of attacks. I already know that it will not be
        easy with Windows 2000, but maybe snort can be used together with some
        firewall / filtering product available. Currently using Zone Alarm Pro.

        If these things are possible, I would be grateful in advance if
        someone could point me in the right direction.

        Thanks again, 

        Romulo M. Cholewa 
        Home : http://www.rmc.eti.br 
        Forum: http://zeus.rmc.eti.br/forum 
        PGP Keys Available @ website.

            "Those who make peaceful revolution impossible will make
                     violent revolution inevitable." -- JFK.


        ------------------------------------------------------- 
        This SF.NET email is sponsored by: 
        SourceForge Enterprise Edition + IBM + LinuxWorld http://www.vasoftware.com
        _______________________________________________ 
        Snort-users mailing list 
        Snort-users () lists sourceforge net 
        Go to this URL to change user options or unsubscribe: 
        https://lists.sourceforge.net/lists/listinfo/snort-users 
        Snort-users list archive: 
        http://www.geocrawler.com/redir-sf.php3?list 










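As an added example (not code from the thread or from any poster), here is a small Python stand-in for the "perl script that parses alert.ids" Romulo asks about, which also does what Ken describes swatch doing: it watches the alert file's lines for specific text, keeps only watched SIDs or high-priority alerts, and builds one e-mail per batch. The sample alert lines are constructed in Snort's one-line ("fast") alert style, and the SMTP host, addresses and SIDs to watch are assumptions.

```python
import re
import smtplib
from email.message import EmailMessage
# Two alerts in Snort's one-line ("fast") style plus one non-alert line; constructed samples, not a capture.
SAMPLE_ALERTS = [
    "01/27-20:05:12.123456  [**] [1:1002:5] WEB-IIS cmd.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:4321 -> 198.51.100.5:80",
    "01/27-20:05:13.000001  [**] [1:469:1] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5",
    "Snort restarted: this line is not an alert and must be ignored",
]

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def parse_alert(line):
    """Return a dict for one alert line, or None for anything that is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    a["sid"] = int(a["sid"])
    a["prio"] = int(a["prio"]) if a["prio"] else None  # the Priority field is optional
    return a

def select_alerts(lines, watch_sids=(), max_priority=None):
    """Keep alerts whose SID is watched, or whose priority is max_priority or more severe (1 = most severe)."""
    hits = []
    for a in filter(None, map(parse_alert, lines)):
        severe = max_priority is not None and a["prio"] is not None and a["prio"] <= max_priority
        if a["sid"] in watch_sids or severe:
            hits.append(a)
    return hits

def build_notification(alerts, sender, recipient):
    """One mail per batch of matches, so a noisy rule cannot flood the inbox with one mail per alert."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"[snort] {len(alerts)} alert(s) matched"
    msg.set_content("\n".join(f"{a['ts']} sid={a['sid']} prio={a['prio']} {a['msg']} {a['src']} -> {a['dst']}" for a in alerts))
    return msg

def send_notification(msg, smtp_host="localhost"):
    """Hand the message to an MTA assumed to listen on smtp_host:25; never called here so the file runs offline."""
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)
```

Run it against the live alert file by re-reading new lines on a timer (or from a scheduled task on Windows) and calling `send_notification(build_notification(select_alerts(...), ...))` only when the selection is non-empty.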

