Re: Snort Alert Processing Survey

[Marcin Dulak <marcin.dulak () gmail com>]

For a toy example of alerting on snort alerts using prometheus time-series
database see http://seclists.org/snort/2017/q1/607

Marcin

On Wed, Mar 15, 2017 at 6:46 PM, Jack Pepper <
pepperjack () afferentsecurity com> wrote:

> I wrote my own output processor that talks to an escalation handler (also
> home grown).
>
> On Wed, Mar 15, 2017 at 11:29 AM, <wkitty42 () windstream net> wrote:
>
> > On 03/14/2017 07:50 PM, James Lay wrote:
> > > On Tue, 2017-03-14 at 13:48 -0700, m-one wrote:
> > > > 1.  I'm wondering how the vast millions of Snort Users are monitoring
> > > > Snort alerts?  So please, let's here it -- how are you answering the
> > > > question is my Snort application effective?  Where do you look to
> > > > examine Snort Alerts?
> > > tail -f snort.fast
> > > sguil for interesting hits (doesn't show portscany noise)
> >
> > over here we tail the alert file and parse it with an application... that
> > application could report to a database if one desired to go that route...
> > our
> > app is an active response tool that issues IP blocking rules based on its
> > configuration... tuning snort and the app is about the worst part but
> once
> > tuned, everything is very nice...
> >
> > --
> >   NOTE: No off-list assistance is given without prior approval.
> >         *Please keep mailing list traffic on the list* unless
> >         private contact is specifically requested and granted.
> >
> > ------------------------------------------------------------
> > ------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!