Re: Real Time Alert and Variables

[Nicholas Horton <fivetenets () me com>]

Martin,

I added topic "Snort Instant Alert and Instant Action". 

Thanks for any help,
Nick

On Feb 11, 2013, at 9:54 PM, Martin Holste <mcholste () gmail com> wrote:

> I'll speak up regarding ELSA, as the open source project owner.  You can monitor logs (like Snort alerts) very easily 
> for generic things like "trojan" or "exploit kit" or more advanced queries which mix proxy logs with Snort alerts to 
> find correlated alerts like: "user_agent:java groupby:srcip | subsearch(sig_msg:trojan)" and then send that to a 
> connector, like email alerts, which is built-in.  You can also easily write your own plugin in a few lines of Perl 
> (or whatever language you want, then invoke from Perl) to do more advanced things, like shutdown ports, login to web 
> apps, etc.  If you want, you can post your specific use case over on the ELSA mailing list 
> (enterprise-log-search-and-archive.googlegroups.com) and I'll write the plugin for you.
>
>
> On Thu, Feb 7, 2013 at 11:11 AM, Nicholas Horton <fivetenets () me com> wrote:
> > Thanks Jeremy. Thanks James.
> >
> > I take a look at them.
> >
> > Nick
> >
> > On Feb 7, 2013, at 12:01 PM, "Lay, James" <james.lay () wincofoods com> wrote:
> >
> > > -----Original Message-----
> > > From: Jeremy Hoel [mailto:jthoel () gmail com]
> > > Sent: Thursday, February 07, 2013 9:50 AM
> > > To: Nicholas Horton
> > > Cc: Michael Steele; Snort Users
> > > Subject: Re: [Snort-users] Real Time Alert and Variables
> > >
> > > You might want to check out ELSA and greylog.  We use greylog to get
> > > emails from logs that go to it.  They are kind of  log viewers that
> > > are both getting better.
> > >
> > >
> > >
> > >
> > > WOTS (perl) and SEC (Simple Event Correlator) come to mind as well.
> > >
> > > James
> > >
> > > ------------------------------------------------------------------------------
> > > Free Next-Gen Firewall Hardware Offer
> > > Buy your Sophos next-gen firewall before the end March 2013
> > > and get the hardware for free! Learn more.
> > > http://p.sf.net/sfu/sophos-d2d-feb
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> >
> > ------------------------------------------------------------------------------
> > Free Next-Gen Firewall Hardware Offer
> > Buy your Sophos next-gen firewall before the end March 2013
> > and get the hardware for free! Learn more.
> > http://p.sf.net/sfu/sophos-d2d-feb
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!