Snort mailing list archives

How do people generally trigger alerts?


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 11 Jun 2003 12:20:23 +1200

I've just read "Real-Time Alerting with Snort"
<URL:http://www.linuxsecurity.com/feature_stories/feature_story-144.html> -
which brought up some interesting ways in which to trigger alerts.

We've basically been doing what the article says for some time now
(syslog-ng + swatch + script to manage sending email/SMS or TAP pages), but
the author picked up on something I hadn't...

So far I've been rewriting rules that I want to trigger an action via
changing the "msg:" string to contain a string to which swatch responds.
This works but does mean I'm altering/adding rules that aren't in keeping
with the existing Snort ruleset. Their idea of using the Priority tag sounds a
lot better. However, they mentioned triggering swatch on "Priority: 1" - but
a MAJOR part of Snort's ruleset is "Priority: 1", so it sounds to me like an
"unused" priority would be a better choice.

So my questions are:

a) is there an even better way of doing this?
b) Would "Priority: 100" ever be used by the rulesets? If not, it seems like
   a good idea to me to post-process the rules, altering the priority to
   100+ for the rules you want to trigger off. You could use "100" for one
   set of people, "101" for another, etc.
c) Does priority have any *real* value within Snort itself that fiddling
   with it would break?


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
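An added example of the post-processing scheme described above (not code from the original post or from Snort): a rewriter that sets the priority option only on chosen sids, plus a matcher for the resulting syslog alert lines that keys on the exact priority number, since a plain substring match on "Priority: 1" also hits 10 and 100. The rules and log lines are constructed samples.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample rules, not Snort's shipped ruleset. sid 100001 is the one
# to page on; sid 100002 has no priority option at all.
SAMPLE_RULES = [
    'alert tcp any any -> $HOME_NET 22 (msg:"SSH brute force attempt"; '
    'flow:to_server; sid:100001; rev:1; priority:1;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"WEB-MISC probe"; sid:100002; rev:1;)',
]
# Constructed syslog lines in the shape Snort's alert_syslog output takes.
SAMPLE_LOG = [
    'Jun 11 12:20:23 ids snort[1234]: [1:100001:1] SSH brute force attempt [Priority: 100]: {TCP} 10.0.0.5:4411 -> 10.0.0.7:22',
    'Jun 11 12:20:24 ids snort[1234]: [1:100002:1] WEB-MISC probe [Priority: 1]: {TCP} 10.0.0.9:5120 -> 10.0.0.7:80',
    'Jun 11 12:20:25 ids snort[1234]: [1:100003:1] some other rule [Priority: 10]: {TCP} 10.0.0.9:5121 -> 10.0.0.7:25',
]

PRIORITY_OPT = re.compile(r'priority\s*:\s*\d+\s*;')
SID_OPT = re.compile(r'sid\s*:\s*(\d+)\s*;')
LOG_PRIORITY = re.compile(r'\[Priority: (\d+)\]')  # bounded: "1" does not match "100"

def set_priority(rule: str, priority: int) -> str:
    """Return the rule with its priority option replaced, or added if absent."""
    if PRIORITY_OPT.search(rule):
        return PRIORITY_OPT.sub(f'priority:{priority};', rule, count=1)
    close = rule.rfind(')')  # the option block ends with ')'
    if close == -1:
        raise ValueError('rule has no option block')
    return rule[:close].rstrip() + f' priority:{priority};' + rule[close:]

def postprocess(rules: Iterable[str], wanted: Dict[int, int]) -> List[str]:
    """Rewrite only the rules whose sid is in wanted (sid -> new priority)."""
    out = []
    for rule in rules:
        m = SID_OPT.search(rule)
        if m and int(m.group(1)) in wanted:
            rule = set_priority(rule, wanted[int(m.group(1))])
        out.append(rule)
    return out

def route(line: str, routing: Dict[int, str]) -> Optional[str]:
    """Map an alert line to a notification group by its exact priority value."""
    m = LOG_PRIORITY.search(line)
    return routing.get(int(m.group(1))) if m else None

if __name__ == '__main__':
    print(*postprocess(SAMPLE_RULES, {100001: 100, 100002: 101}), sep='\n')
    print([route(l, {100: 'oncall-pager', 101: 'web-team'}) for l in SAMPLE_LOG])
```

The swatch pattern this replaces should likewise be anchored (for example on `[Priority: 100]` including the closing bracket), otherwise the ordinary Priority 1 rules the post mentions will keep paging you.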

