Snort mailing list archives

RE: Setting up notifications in Snort


From: "Alan" <ids () san rr com>
Date: Fri, 9 Apr 2004 01:00:24 -0700



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Harper, Patrick
Sent: Thursday, April 08, 2004 1:37 PM
To: pmartin () hgvc com; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Setting up notifications in Snort

4 of us here in Dallas want to work on a perl script that can be run as a
cron job and mail a summary of events from a specified time period.  But
there is no time frame on that.  You can use swatch for e-mail alerts.  I
tried it some time ago but have slept since then and do not remember much
about it.

For your second question, that is dependent on your environment, the location
of your sensors, and what you want to see.  Do you want to see only alerts
for software that you are running (i.e. Apache only because you have no IIS;
then turn off all the IIS rules, and do that for the entire rule set)?  Do you
have a sensor on the outside of your firewall and want to see all malicious
traffic?  Then turn all of them on.  I personally prefer a trim rule set that
matches what I have on my network.

Patrick S. Harper | CISSP RHCT MCSE
Information Security Engineer
patrick.harper () phns com



From: Paul Martin [mailto:pmartin () hgvc com]
Sent: Thursday, April 08, 2004 12:02 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Setting up notifications in Snort
I have recently implemented Snort v2.1.2 on 2 boxes, reporting to one
central MySQL database, using ACID for logfile analysis.  We'd like to take a
more proactive stance towards intrusion detection and have a way to have
Snort (or a plugin) notify us via SNMP/email/SMS/etc whenever a certain
condition is met.  I've looked at SnortSNMP, but it doesn't seem to have
anything beyond 2.1.0 as far as functionality.  I'd hate to drop back
software versions for the sake of SNMP, but will if I have to.  My question
is twofold:

1) What plugins are out there that will allow Snort to notify me when
a certain condition is met?  Don't care how (SNMP/email/whatever), just need
a method of notification.
2) Does anyone have a recommended setup for Snort?  I know that it's
going to be unique to every situation, but there have to be some accepted
practices in terms of setup.  As it stands, everything that comes across the
wire seems to be getting logged, which is good, but I need to trim it down.
Thoughts, anyone?

Thanks for any assistance.

Paul Martin
Network Technician




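The cron-driven "summary of events from a specified time period" that Patrick describes is straightforward to build on Snort's `-A fast` alert output, and it also answers Paul's first question without any extra plugin. The script below is an added example written for this archive page; it is not code from the Snort project or from either poster. It assumes the sensor writes one alert per line in fast format to a file such as `/var/log/snort/alert` (the path, the sample alert lines, the sids in them and the mail addresses are constructed for illustration; Snort 2.x fast output carries no year, so the caller supplies it), parses the lines, keeps only those inside the requested window, and renders counts by priority, signature and source address into an email message.

```python
#!/usr/bin/env python3
"""Summarise Snort fast-format alerts from a time window and build a mail report.

Added example for the snort-users thread, not Snort project code.
Assumed layout: one alert per line, as produced by `snort -A fast`.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from email.message import EmailMessage

# Fast-format line:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: N] {PROTO} src -> dst
# Classification is optional; ICMP alerts carry bare addresses with no port.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2})\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample alerts (assumed content, sids illustrative only).
SAMPLE_ALERTS = """\
04/08-11:58:30.000001  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:43210 -> 192.168.1.10:80
04/08-12:05:12.000002  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:43211 -> 192.168.1.10:80
04/08-12:20:44.000003  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 192.168.1.10
04/08-12:41:03.000004  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:43212 -> 192.168.1.10:80
this line is not an alert and must be counted as unparsed
"""


def parse_alert(line, year):
    """Parse one fast-format line into a dict, or return None if it does not match."""
    m = FAST_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # Snort 2.x omits the year from the timestamp, so it is supplied by the caller.
    rec["time"] = datetime.strptime(f"{year}/{rec['ts']}", "%Y/%m/%d-%H:%M:%S")
    rec["prio"] = int(rec["prio"])
    return rec


def summarize(lines, start, end, year):
    """Count alerts with start <= time < end by signature, priority and source host."""
    summary = {"total": 0, "unparsed": 0,
               "by_signature": Counter(), "by_priority": Counter(), "by_source": Counter()}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_alert(line, year)
        if rec is None:
            summary["unparsed"] += 1  # report parser gaps rather than silently dropping them
            continue
        if not (start <= rec["time"] < end):
            continue
        summary["total"] += 1
        summary["by_signature"][f"{rec['gid']}:{rec['sid']} {rec['msg']}"] += 1
        summary["by_priority"][rec["prio"]] += 1
        # Strip the port if present ("10.0.0.5:43210" -> "10.0.0.5"; ICMP has none).
        summary["by_source"][rec["src"].rsplit(":", 1)[0]] += 1
    return summary


def build_report(summary, start, end, sender, recipient):
    """Render the summary as a plain-text EmailMessage (built here, not sent)."""
    body = [f"Snort alerts {start:%Y-%m-%d %H:%M} to {end:%Y-%m-%d %H:%M}",
            f"Total: {summary['total']} (unparsed lines: {summary['unparsed']})", "",
            "By priority:"]
    for prio, n in sorted(summary["by_priority"].items()):
        body.append(f"  priority {prio}: {n}")
    body.append("Top signatures:")
    for sig, n in summary["by_signature"].most_common(10):
        body.append(f"  {n:5d}  {sig}")
    body.append("Top sources:")
    for src, n in summary["by_source"].most_common(10):
        body.append(f"  {n:5d}  {src}")
    msg = EmailMessage()
    msg["Subject"] = f"Snort summary: {summary['total']} alerts"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content("\n".join(body))
    return msg


def demo():
    """Summarise the constructed sample for the hour starting 2004-04-08 12:00."""
    start = datetime(2004, 4, 8, 12, 0)
    end = start + timedelta(hours=1)
    summary = summarize(SAMPLE_ALERTS.splitlines(), start, end, year=2004)
    # Addresses are placeholders, not real mailboxes.
    return summary, build_report(summary, start, end, "snort@example.invalid", "ids@example.invalid")


if __name__ == "__main__":
    _, report = demo()
    print(report)
```

For the cron use Patrick describes, replace `SAMPLE_ALERTS` with the contents of the alert file, compute `start`/`end` from the current time (for example the previous hour), and hand the returned `EmailMessage` to `smtplib.SMTP(host).send_message(msg)`. The `unparsed` counter matters in production: a Snort upgrade that changes the fast-format layout would otherwise make the report silently report zero alerts.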


