Snort mailing list archives

swatch alternatives - sec


From: raft na <raft2200 () yahoo com>
Date: Wed, 23 Apr 2003 14:11:46 -0700 (PDT)

I would suggest SEC too http://kodu.neti.ee/~risto/sec/. It's a single Perl script and config file, so very easy to get 
up and running. I was able to get "real time" email alerts and end-of-day emailed reports going fairly easily, but 
haven't tackled the "this IP is suddenly going berserk" type of alert yet (threshold in SEC jargon). As an example, the 
following sends an email with IPs and alert description when it sees a snort Priority 1 message in the log file. It 
also adds it to a list of Priority 1 alerts that gets emailed at the end of the day. (I'm no regex guru, there may be 
more elegant expressions, but it works w/ latest snort 2) 
# Detect the beginning of priority 1 attack from a source IP,
# and send a warning e-mail message that a new attack has begun;
# also create a context for storing detailed information about the attack.
# Capture groups: $1 = alert message, $2 = classification, $3 = source IP,
# $4 = destination (IP:port). The rule only fires while no context exists
# for $3 (the leading "!"), so each source IP gets one "attack started" mail.
# (The recipient address below is as obfuscated by the list archive.)

type=Single
ptype=RegExp
pattern=.*] (.*)\[Classification: (.*)\] \[Priority: 1.*} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*-> (\S+)
context=!ATTACK_P1_FROM_$3
continue=TakeNext
desc=P1 ALERT - $1 - $2 - started from $3 to $4
action=create ATTACK_P1_FROM_$3; add ALERT_P1_REPORT %t: %s; pipe '%t: %s' \
  /bin/mail -s 'SNORT: priority 1 attack from $3 (alert)' person () somewhere net

# For every priority 1 incident, add an entry to the context by its IP;
# if the IP has been quiet for 5 minutes, report the whole attack.
# continue=TakeNext above hands the same event to this rule, which now
# matches because the context exists; "set ... 300" restarts the 5-minute
# lifetime on every hit and runs the report action when it finally expires.

type=Single
ptype=RegExp
pattern=.*] (.*)\[Classification: (.*)\] \[Priority: 1.*} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*-> (\S+)
context=ATTACK_P1_FROM_$3
continue=TakeNext
desc=P1 ALERT - $1 - $2 - started from $3 to $4
action=add ATTACK_P1_FROM_$3 %t: %s; set ATTACK_P1_FROM_$3 300 \
  ( report ATTACK_P1_FROM_$3 \
    /bin/mail -s 'SNORT: priority 1 attack from $3 (report)' person () somewhere net )

# send daily report about regular P1 alerts
# Note: the time field is cron-style (minute hour day month weekday), so
# "11 * * * *" fires at minute 11 of every hour; a true daily report needs
# the hour field filled in as well.

type=Calendar
time=11 * * * *
desc=Sending alert report...
action=report ALERT_P1_REPORT \
    /bin/mail -s 'SNORT: daily P1 alert report' person () somewhere net; \
  delete ALERT_P1_REPORT
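To show how the three rules above interact, here is an added Python model (not from the post and not SEC's own code) that applies the post's regex to constructed Snort 2 syslog-style lines and replays the context logic: the first hit from a source IP triggers the alert mail and the daily-list entry, further hits extend a 300-second context, a source quiet for five minutes gets its report, and the daily list is flushed and deleted. Timestamps are plain seconds and mail calls are recorded in a list rather than sent; the class, sample lines and helper names are assumptions.

```python
import re

# Same pattern the posted SEC rules use; Perl-style regex runs unchanged in Python.
PATTERN = re.compile(r".*] (.*)\[Classification: (.*)\] \[Priority: 1.*} "
                     r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*-> (\S+)")
QUIET_SECS = 300  # lifetime from "set ATTACK_P1_FROM_$3 300" in rule 2

class P1Correlator:
    # Mimics the three rules: per-source ATTACK_P1_FROM_<ip> contexts (5-min quiet timeout) + ALERT_P1_REPORT.
    def __init__(self):
        self.contexts = {}  # src ip -> {"expires": secs, "lines": [...]}
        self.daily = []     # ALERT_P1_REPORT
        self.mail = []      # (subject, body lines) that /bin/mail would receive

    def feed(self, now, line):  # one log line at time `now` (seconds); returns desc or None
        # Context expiry action first: report sources that were quiet for QUIET_SECS.
        for s in [s for s, c in self.contexts.items() if c["expires"] <= now]:
            ctx = self.contexts.pop(s)
            self.mail.append((f"priority 1 attack from {s} (report)", ctx["lines"]))
        if not (m := PATTERN.match(line)):
            return None
        msg, cls, src, dst = m.groups()  # $1..$4 ($1 keeps a trailing space)
        desc = f"P1 ALERT - {msg.strip()} - {cls} - started from {src} to {dst}"
        entry = f"{now}: {desc}"
        if src not in self.contexts:  # rule 1: context=!ATTACK_P1_FROM_$3
            self.contexts[src] = {"expires": now, "lines": []}
            self.daily.append(entry)
            self.mail.append((f"priority 1 attack from {src} (alert)", [entry]))
        self.contexts[src]["lines"].append(entry)  # rule 2, reached via continue=TakeNext
        self.contexts[src]["expires"] = now + QUIET_SECS
        return desc

    def daily_report(self):  # rule 3: mail ALERT_P1_REPORT, then delete it
        body, self.daily = self.daily, []
        self.mail.append(("daily P1 alert report", body))
        return body

# Constructed Snort 2 syslog-style lines (not real traffic), as (seconds, line).
FMT = ("Apr 23 14:11:46 ids snort[812]: [1:2003:1] MS-SQL Worm propagation attempt"
       " [Classification: Misc Attack] [Priority: {p}]: {{UDP}} {src}:1434 -> {dst}:1434")
SAMPLE = [(0, FMT.format(p=1, src="10.1.1.5", dst="192.0.2.10")),
          (30, FMT.format(p=1, src="10.1.1.5", dst="192.0.2.11")),
          (60, FMT.format(p=2, src="10.1.1.9", dst="192.0.2.10")),   # not P1: ignored
          (400, FMT.format(p=1, src="10.1.1.7", dst="192.0.2.12"))]  # 10.1.1.5 quiet >5 min

def run_sample():
    c = P1Correlator()
    descs = [c.feed(t, line) for t, line in SAMPLE]
    c.daily_report()
    return c, descs
```

Running `run_sample()` yields four "mails" in order: the alert for 10.1.1.5, its two-line report once it has been quiet for over 300 seconds, the alert for 10.1.1.7, and the daily list with both sources.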
