Snort mailing list archives

RE: Setting up notifications in Snort


From: "Noble, Kevin" <Kevin.Noble () icn siemens com>
Date: Fri, 9 Apr 2004 07:17:07 -0700

SEC is very powerful; we use it with Nagios, Snort, and other tools to look at
key events over time and have it make decisions.  Good coding is critical to
success: if you do it wrong you will wake up at 3AM because some server's
automatic discovery tool is looking for a printer.
 
-Kevin
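An added example (not code from any of the posters, from Snort, or from SEC) of the logic this thread is about: it parses Snort 2.x fast-format alert lines, notifies only when several priority-1 alerts for one signature land inside a time window (the SEC SingleWithThreshold idea, so a lone printer-discovery probe never pages anyone), and builds the per-signature digest that Patrick's cron script would mail. The log lines, sids and addresses are constructed samples, and the regex assumes Snort's default alert_fast layout.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

ALERT_RE = re.compile(  # Snort 2.x alert_fast layout (assumed default output format)
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")

SAMPLE = """\
04/08-12:01:05.100000  [**] [1:1000001:1] TEST printer discovery [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.5:161 -> 192.0.2.255:161
04/08-12:01:10.200000  [**] [1:1000002:1] TEST ssh brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:40001 -> 192.0.2.22:22
04/08-12:01:15.300000  [**] [1:1000002:1] TEST ssh brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:40002 -> 192.0.2.22:22
04/08-12:03:40.400000  [**] [1:1000002:1] TEST ssh brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:40003 -> 192.0.2.22:22
this line is not an alert
""".splitlines()  # constructed sample log lines; sids 1000001/1000002 are made up

def parse_alert(line):
    """Fields of one fast-format alert line, or None if the line is not one."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"])
    rec["when"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S")  # fast format carries no year
    return rec

def correlate(lines, max_pri=1, thresh=3, window=300):
    """SEC SingleWithThreshold-style rule: notify once when `thresh` alerts of one signature
    at priority <= max_pri arrive within `window` seconds; a lone hit never pages anyone."""
    recent, notifications = defaultdict(deque), []
    for rec in filter(None, map(parse_alert, lines)):
        if rec["pri"] > max_pri:
            continue  # e.g. a priority-3 printer-discovery probe is ignored here
        q = recent[rec["sid"]]
        q.append(rec["when"])
        while (q[-1] - q[0]).total_seconds() > window:  # slide the window forward
            q.popleft()
        if len(q) >= thresh:
            notifications.append((rec["sid"], rec["msg"], len(q), str(rec["when"].time())))
            q.clear()  # stay quiet until a fresh burst builds up again
    return notifications

def summarize(lines):
    """Per-signature counts for the cron-mailed digest of a log slice."""
    counts = defaultdict(int)
    for rec in filter(None, map(parse_alert, lines)):
        counts[(rec["sid"], rec["msg"], rec["pri"])] += 1
    return dict(counts)
```

The tuples `correlate` returns are what you would hand to a mail or SNMP-trap action; `summarize` is the input for the periodic digest.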
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Alan
Sent: Friday, 09 April, 2004 4:08 AM
To: pmartin () hgvc com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Setting up notifications in Snort


I would recommend SEC (Simple Event Correlator)
http://kodu.neti.ee/~risto/sec/ for alerting. It is more powerful (but harder
to use) than Swatch. The way I have my Snort box set up is to alert me by
email when certain priority alerts come up so I can respond to it ASAP. Please
be warned you will need to know Perl regular expressions to use SEC
effectively.
 
 
 
-Alan 
 
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Harper, Patrick
Sent: Thursday, April 08, 2004 1:37 PM
To: pmartin () hgvc com; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Setting up notifications in Snort
 
4 of us here in Dallas want to work on a Perl script that can be run as a
cron job and mail a summary of events from a specified time period, but
there is no time frame on that.  You can use swatch for e-mail alerts.  I
tried it some time ago but have slept since then and do not remember much
about it.
 
For your second question, that is dependent on your environment, the location
of your sensors, and what you want to see.  Do you want to see only alerts
for software that you are running (i.e. Apache only because you have no IIS;
then turn off all the IIS rules, and do that for the entire rule set)?  Do you
have a sensor on the outside of your firewall and want to see all malicious
traffic (then turn all of them on)?  I personally prefer a trim rule set that
matches what I have on my network.
 
Patrick S. Harper | CISSP RHCT MCSE
Information Security Engineer
patrick.harper () phns com 
 
 

  _____  

From: Paul Martin [mailto:pmartin () hgvc com] 
Sent: Thursday, April 08, 2004 12:02 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Setting up notifications in Snort

I have recently implemented Snort v2.1.2 on 2 boxes, reporting to one
central MySQL database, using ACID for logfile analysis.  We'd like to take a
more proactive stance towards intrusion detection and have a way to have
Snort (or a plugin) notify us via SNMP/email/SMS/etc whenever a certain
condition is met.  I've looked at SnortSNMP, but it doesn't seem to have
anything beyond 2.1.0 as far as functionality.  I'd hate to drop back
software versions for the sake of SNMP, but will if I have to.  My question
is twofold:
 
1) What plugins are out there that will allow Snort to notify me when
a certain condition is met?  Don't care how (SNMP/email/whatever), just need
a method of notification.
2) Does anyone have a recommended setup for Snort?  I know that it's
going to be unique to every situation, but there have to be some accepted
practices in terms of setup.  As it stands, everything that comes across the
wire seems to be getting logged, which is good, but I need to trim it down.
Thoughts, anyone?
 
Thanks for any assistance.
 
Paul Martin
Network Technician



