Snort mailing list archives

Re: Real Time Alert and Variables


From: "Michael Steele" <michaels () winsnort com>
Date: Sun, 27 Jan 2013 23:45:05 -0500

I'm intrigued. 

So I add to my snort.conf

output alert_fast: alert.ids

I can use Splunk to watch the alert.ids file and trigger on patterns?

Best regards,
Michael...

-----Original Message-----
From: Greg Williams [mailto:gwillia5 () uccs edu]
Sent: Sunday, January 27, 2013 4:11 PM
To: Nicholas Horton
Cc: Snort Users
Subject: Re: [Snort-users] Real Time Alert and Variables

Absolutely. It's an amazing piece of software.

Nicholas Horton <fivetenets () me com> wrote:


Perfect. Thanks Greg. I'll take a look.

I use Snorby for alert gathering but just need another piece for performing
automated tasks based on an alert.

Will Splunk pass variables to the script such as the source IP from an
alert?

Nick

On Jan 27, 2013, at 3:19 PM, Greg Williams <gwillia5 () uccs edu> wrote:

Nick, I use Splunk to do this.  I feed Splunk the fast alerts and then either
send emails or run scripts off specific matched criteria. Example: shut down a
port based on more than 5 outbound ZeroAccess alerts in 5 minutes.

Nicholas Horton <fivetenets () me com> wrote:



Is this referring to alert, drop, log, pass, etc.?

If so, are you saying it's possible that I can create a type to execute a
command to the shell based on a specific alert?

This is what I'm looking for.

For example, if rule 1:2924 gets triggered I not only want it to alert me
about it but actually kick off a script to do something in case it's in the
middle of the night or I'm simply at lunch.  To automate certain known alerts
that are harmful and could spread through the LAN. Maybe I would even shut off
the switch port that the device is connected to if it has a virus.

Does Snort have this ability?  Can Barnyard2?  I like using the abilities of a
given program and would prefer not adding another layer of complexity to the
equation such as swatch, but if that is what I need I'll use it.

What is the best practice for having scripts kick off to the shell based on
specific alerts?

Thanks again
Nick

On Jan 25, 2013, at 12:08 PM, Nicholas Horton <fivetenets () me com> wrote:

Perfect. Thanks. I'll take a look in the manual.

Nick

On Jan 25, 2013, at 12:00 PM, Y M <snort () outlook com> wrote:

You can also use custom action types. You define them in the snort.conf file
and use the new custom action type with your rules. Sorry, I can't provide
resources at the moment, but it should be in the manual.

YM
________________________________
From: Nicholas Horton <fivetenets () me com>
Sent: 1/25/2013 7:26 PM
To: Snort Users <snort-users () lists sourceforge net>
Subject: [Snort-users] Real Time Alert and Variables

Is swatch still the best, only, current solution to kick off a script with
variables such as source IP based on a specific Snort alert?

Nick

------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, MVC,
Windows 8 Apps, JavaScript and much more. Keep your skills current with
LearnDevNow - 3,200 step-by-step video tutorials by Microsoft MVPs and
experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!
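A worked instance of the custom action type YM mentions, added here as an example; it is not code from the thread or from the Snort manual, and the SID, rule text and file names are constructed. In Snort 2.x a `ruletype` bundles an action with its own set of output plugins, so alerts meant for automation can be written to a separate file that a watcher tails, and an `event_filter` line can make Snort do the "N from one source in M seconds" counting before anything is written at all. Two caveats a practitioner will hit: no Snort output plugin executes a shell command, so an external watcher (swatch, Splunk or a script) is still needed for the "kick off a script" part; and because the action keyword is the first token of a rule, an existing rule such as 1:2924 has to be copied into local.rules with the new action before it will use the custom type.

```conf
# snort.conf (Snort 2.x): a custom action type that writes only the alerts
# you intend to act on to their own fast-alert file (and to syslog), so a
# watcher or Splunk input only has to match on that file.
ruletype alert_action
{
    type alert
    output alert_fast: action.ids
    output alert_syslog: LOG_AUTH LOG_ALERT
}

# Let Snort do the "5 from one source within 5 minutes" counting: with
# type threshold only every 5th alert from a given source in 300 s is
# logged, so each line that reaches action.ids is already actionable.
# gen_id/sig_id are the constructed local rule below.
event_filter gen_id 1, sig_id 1000001, type threshold, track by_src, count 5, seconds 300

# local.rules: the action keyword is the first word of the rule, so a rule
# must be written (or copied from the stock set) with the custom action to
# use it. Constructed example rule:
alert_action tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL example outbound C2 beacon"; flow:to_server,established; sid:1000001; rev:1;)
```

Check it with `snort -T -c snort.conf` before restarting; a typo in the `ruletype` block or the `event_filter` line is a config error rather than a silent no-op.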
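An added example of the watcher side, covering both Michael's question (watch the alert_fast file and trigger on patterns) and Greg's Splunk condition (more than 5 outbound alerts from one host in 5 minutes). This is not code from the thread, Snort, Splunk or swatch: it parses Snort 2.x alert_fast lines, pulls out the source IP that Nick wants passed to his script, counts alerts per source for one SID over a sliding window, and runs a response script when a host crosses the threshold. The SID 1:1000001, the sample alert lines and /usr/local/bin/respond.sh are constructed for the example.

```python
"""Added example (not Snort, Splunk or swatch code): tail a Snort alert_fast
file and run a response script once one source host trips a SID N times in
a window, the '5 outbound alerts in 5 minutes' condition from the thread.
Assumes Snort 2.x alert_fast lines (no 'packet' option, no show_year, IPv4)
and a hypothetical /usr/local/bin/respond.sh taking the source IP as argv[1]."""
import ipaddress
import re
import subprocess
import time
from collections import defaultdict, deque
from datetime import datetime

# 01/27-23:45:01.100000  [**] [1:1000001:1] MSG [**] [Classification: C] [Priority: 1] {TCP} 10.0.0.5:49152 -> 203.0.113.9:16464
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$")

def parse_fast_alert(line, year=None):
    """One alert_fast line -> dict, or None for packet dumps and blank lines.
    alert_fast omits the year unless 'config show_year', so the caller supplies it."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    when = datetime.strptime(f"{year or datetime.now().year}/{d['ts']}",
                             "%Y/%m/%d-%H:%M:%S.%f")
    return {"time": when.timestamp(), "sid": f"{d['gid']}:{d['sid']}",
            "msg": d["msg"], "proto": d["proto"], "src": d["src"],
            "sport": d["sport"], "dst": d["dst"], "dport": d["dport"]}

class Thresholder:
    """Sliding window per source for one SID: True when `count` alerts land in
    `window` seconds, then quiet for a window so the script is not re-run per packet."""
    def __init__(self, sid, count, window):
        self.sid, self.count, self.window = sid, count, window
        self.seen = defaultdict(deque)   # src -> alert times still in window
        self.fired_at = {}               # src -> when the action last ran

    def feed(self, alert):
        if alert is None or alert["sid"] != self.sid:
            return False
        src, now = alert["src"], alert["time"]
        q = self.seen[src]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        last = self.fired_at.get(src)
        if len(q) < self.count or (last is not None and now - last <= self.window):
            return False
        self.fired_at[src] = now
        return True

def respond(alert, script="/usr/local/bin/respond.sh", run=subprocess.run):
    """Hand the source IP to the (hypothetical) script as its own argv element.
    Validate it and never splice alert fields into a shell string: msg comes
    from the rule file and src from the wire, and the script should trust neither."""
    src = str(ipaddress.ip_address(alert["src"]))   # ValueError on garbage
    return run([script, src], check=False)

def process(lines, thresholder, action, year=None):
    """Run lines through parser and thresholder; return the source IPs acted on."""
    fired = []
    for line in lines:
        alert = parse_fast_alert(line, year)
        if thresholder.feed(alert):
            action(alert)
            fired.append(alert["src"])
    return fired

def follow(path, poll=1.0):
    """Yield lines appended to `path`, like tail -f (no log-rotation handling)."""
    with open(path) as f:
        f.seek(0, 2)
        while True:
            line = f.readline()
            if line:
                yield line
            else:
                time.sleep(poll)

# Constructed sample, not real Snort output: five beacons from 10.0.0.5 inside a
# minute, one from 10.0.0.7, a port-less ICMP alert for another SID, then a sixth
# from 10.0.0.5 that must be suppressed because the script just ran for it.
_BEACON = ("{ts}  [**] [1:1000001:1] LOCAL example outbound C2 beacon [**] "
           "[Classification: A Network Trojan was detected] [Priority: 1] "
           "{{TCP}} {src}:49152 -> 203.0.113.9:16464")
SAMPLE = [_BEACON.format(ts=f"01/27-23:45:{s}", src=ip) for s, ip in
          [("01.100000", "10.0.0.5"), ("12.200000", "10.0.0.5"),
           ("23.300000", "10.0.0.5"), ("34.400000", "10.0.0.5"),
           ("40.000000", "10.0.0.7"), ("45.500000", "10.0.0.5")]]
SAMPLE.append("01/27-23:45:50.000000  [**] [1:1000002:1] LOCAL example ICMP "
              "probe [**] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1")
SAMPLE.append(_BEACON.format(ts="01/27-23:45:56.600000", src="10.0.0.5"))

if __name__ == "__main__":
    import sys
    t = Thresholder("1:1000001", count=5, window=300)
    if len(sys.argv) > 1:   # e.g. python3 watcher.py /var/log/snort/alert.ids
        process(follow(sys.argv[1]), t, respond)
    else:                   # dry run over the constructed sample: ['10.0.0.5']
        print(process(SAMPLE, t, lambda a: print("respond ->", a["src"]), year=2013))
```

Run it with the path to alert.ids to follow the file live, or with no arguments for a dry run over the embedded sample. If Snort is already doing the counting (an `event_filter ... type threshold, track by_src, count 5, seconds 300` line in snort.conf), set `count=1` and the watcher becomes a plain line-to-action bridge. Whatever ends up invoking the script, keep the IP as a separate argv element and validate it first, as `respond` does, and keep the response script itself idempotent, since any watcher can deliver the same alert twice after a restart.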
