Snort mailing list archives

Re: Email


From: Bill Mathews <billford () billford com>
Date: Wed, 29 Aug 2012 20:16:31 -0400

You could always deploy OSSEC and let it alert for you. It understands
snort logs just fine.
On Aug 29, 2012 7:54 PM, "Greg Williams" <alphawebfx () gmail com> wrote:

If it were me, I would not do a db search; the database is already
processing stuff.  I would have scripts on all your sensors monitor the
alert log, and clean the alert log every 5 minutes when the grep is
complete. Saves processing power by only searching the last 5 minutes
instead of the entire db.



On Aug 29, 2012, at 5:35 PM, Nicholas Horton <fivetenets () me com> wrote:

Thanks Greg.

I like that plan.

I think I'm going to do the poor man's way.

Now I just have to figure out if the snortbox should email or if I should
run a 5 min cron job against the MySQL db and search for alerts, and have that
server email recent alerts and which sensor they came from.

Nick

On Aug 29, 2012, at 6:25 PM, Greg Williams <alphawebfx () gmail com> wrote:

Nick, I use the enterprise version of Splunk for alerting this stuff, plus
a lot of other things, but the older version of free Splunk, ~3.9 I think
allowed for alerting.  The free version of Splunk now doesn't include
alerting unfortunately.  I have unified2 going to BASE and the alert log so
Splunk can read the alert log and based on my searches it alerts me.  You
could also always do a poor man's alerting system by outputting the alerts
to your database and /var/log/snort/alert and grep'ing for your sid every 5
minutes then spit off a sendmail command via a cron job.

On Wed, Aug 29, 2012 at 2:57 PM, Horton, Nicholas A - Merrifield, VA -
Contractor <nicholas.a.horton () usps gov> wrote:

Makes sense, and honestly, now that I think about it, I probably won't want
the remote snortbox to send an email; plus, the log file is in unified2
format.

I have several snortboxes talking to a central location and I have Snorby
up and running on a central server so I probably just need Snorby to
somehow send me an alert based on an event into the database.

Right now Snorby sends past reports but I'm also looking for a feature
where the notifications can be more immediate.

I started to think about the snortbox doing this immediate notification
in email, but it is already notifying by entering into the central mysql db.
I just need this central db box running Snorby to kick off an email given
a specific gid or sid.

If Snorby isn't it for immediate or specific gid notifications, I just
need to find that add-on that can do it.

Thanks again Joel,
Nick

________________________________________
From: Joel Esler [jesler () sourcefire com]
Sent: Wednesday, August 29, 2012 4:06 PM
To: Nicholas Horton
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Email

On Aug 29, 2012, at 3:45 PM, Nicholas Horton <fivetenets () me com> wrote:

Is snort 2.9.2.3 capable of sending emails based off of alerts or is that
something that should be handled by an add-on like swatch?

If snort is capable where is the config for sending emails?

It's definitely an add-on.  Snort does not contain this native
capability.  Snort is an IDS, not an email generation program. :)


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
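The "poor man's alerting" that Greg and Nick settle on above (cron every 5 minutes, grep the alert log for watched SIDs, hand the hits to sendmail, and say which sensor they came from) is sketched here as an added example. It is not code from anyone in the thread or from the Snort project. Everything it assumes is invented for the example: alerts in alert_fast format at /var/log/snort/alert, a state file at /var/lib/snort-mailer/offset, sendmail(8) for delivery, and local-rule SIDs 1000001-1000003 in constructed sample lines. One design choice differs from the thread: instead of truncating the alert log after each grep, the script remembers a byte offset, so the full alert history stays on disk for later investigation while each cycle still only scans the last 5 minutes of data.

```shell
#!/bin/sh
# Added example (not from the thread): cron-driven Snort alert mailer.
# Assumptions, none taken from the thread: alert_fast output in
# /var/log/snort/alert, byte offset kept in /var/lib/snort-mailer/offset,
# delivery via sendmail(8). Watched rules are given as "gid:sid" pairs.

# Print only the bytes appended since the previous run, then remember the new
# size. Keeping an offset instead of truncating the log leaves the complete
# alert history on disk for forensics.
new_alert_lines() {
    log="$1"; state="$2"
    last=0
    if [ -f "$state" ]; then last=$(cat "$state"); fi
    size=$(wc -c < "$log" | tr -d ' ')
    # Log rotated or truncated: start again from the first byte.
    if [ "$size" -lt "$last" ]; then last=0; fi
    # Read exactly bytes [last, size); anything appended meanwhile is
    # picked up by the next cycle rather than lost.
    head -c "$size" "$log" | tail -c +$((last + 1))
    echo "$size" > "$state"
}

# Keep only alerts whose "[gid:sid:" prefix is in the watch list,
# e.g. "1:1000001 1:1000002". Unwatched rules stay in the log, unmailed.
filter_sids() {
    pattern=""
    for gs in $1; do
        pattern="${pattern}${pattern:+|}\\[${gs}:"
    done
    if [ -z "$pattern" ]; then cat > /dev/null; return 0; fi
    grep -E "$pattern" || :   # grep exits 1 on no match; not an error here
}

# Prefix each alert with the sensor name so one central mailbox still shows
# which sensor raised it.
format_report() {
    awk -v s="$1" '{ print s ": " $0 }'
}

# One polling cycle: LOG STATE "WATCH LIST" -> new matching alert lines.
run_cycle() {
    new_alert_lines "$1" "$2" | filter_sids "$3"
}

count_new_alerts() {
    run_cycle "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Cron entry point: LOG STATE "WATCH LIST" RECIPIENT SENSOR. Sends nothing
# when there are no new matching alerts, so a quiet sensor stays quiet.
snort_mailer() {
    report=$(run_cycle "$1" "$2" "$3" | format_report "$5")
    [ -n "$report" ] || return 0
    n=$(printf '%s\n' "$report" | wc -l | tr -d ' ')
    printf 'Subject: [snort] %s new alert(s) on %s\nTo: %s\n\n%s\n' \
        "$n" "$5" "$4" "$report" | sendmail "$4"
}

# Constructed alert_fast lines (documentation-range addresses, local-rule
# SIDs 1000001-1000003); not real traffic and not from the thread.
SAMPLE_ALERTS='08/29-20:01:12.104411  [**] [1:1000001:1] LOCAL ssh from unexpected subnet [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:52110 -> 192.0.2.10:22
08/29-20:02:30.551209  [**] [1:1000003:1] LOCAL noisy rule nobody wants mailed [**] [Classification: Not Suspicious Traffic] [Priority: 3] {ICMP} 192.0.2.20 -> 192.0.2.1
08/29-20:03:45.000913  [**] [1:1000002:2] LOCAL outbound DNS to non-resolver [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.0.2.33:51000 -> 203.0.113.53:53'

# Three simulated 5-minute cycles against a temporary copy of the sample log;
# prints the number of alerts that would be mailed per cycle.
demo() {
    d=$(mktemp -d)
    watch="1:1000001 1:1000002"
    printf '%s\n' "$SAMPLE_ALERTS" > "$d/alert"
    first=$(count_new_alerts "$d/alert" "$d/offset" "$watch")   # two watched sids
    second=$(count_new_alerts "$d/alert" "$d/offset" "$watch")  # nothing new
    printf '%s\n' '08/29-20:07:02.300001  [**] [1:1000001:1] LOCAL ssh from unexpected subnet [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:40101 -> 192.0.2.10:22' >> "$d/alert"
    third=$(count_new_alerts "$d/alert" "$d/offset" "$watch")   # the appended line
    rm -rf "$d"
    echo "$first $second $third"
}

# Assumed crontab line, with the script's last line calling the entry point:
#   */5 * * * * /usr/local/bin/snort_mailer.sh
#   snort_mailer /var/log/snort/alert /var/lib/snort-mailer/offset \
#       "1:1000001 1:1000002" soc@example.com "$(hostname)"
```

Run on each sensor, the mail carries the sensor hostname in both the subject and every line, which covers Nick's "which sensor it came from" without any query against the central MySQL database. The offset file should live on the same filesystem as the log and be writable only by the user cron runs the script as; if logrotate moves the file, the size check resets the offset and the first cycle after rotation reads the fresh log from its first byte.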