[Snort-users] Win32-snort users

H Carvey keydet89 at ...131...
Thu Jul 27 05:57:41 EDT 2000


Brent...

Okay...I'll add something like that to my ToDo list
for when I get back from Usenix.

Here's how I will approach it...the script runs, and
polls the EventLog every X seconds (I'll leave a
placeholder for you to change that as necessary), and
emails any new snort alerts to you...you can just leave
this running in the background...or maybe run it as
a service.

What do you think?

Also, what do you do for the Navy?  I used to be in the
military...

> Yes, and a big vote of thanks to you and Martin. I
> run Snort version 1.6 on NT and it runs solid, even
> after a very heavy NMAP beating. I have not tried
> version 1.6.3 yet but will soon. We may also try it
> very soon on W2k advanced server running as a
> standalone IDS for web server applications. If we do
> I will let you know how it went.
> 
> Thanks again to you, Martin, and all the other Snort
> users for producing, improving, porting, and sharing
> such a wealth of valuable information.
> 
> Sincerely,
> 
> Brent W. Erickson
>  
> 
> > -----Original Message-----
> > From:	Mike [SMTP:Mike at ...164...]
> > Sent:	Wednesday, July 26, 2000 8:11 PM
> > To:	H Carvey; Snort Users
> > Subject:	Re: [Snort-users] Win32-snort users
> > 
> > Wow, people actually use snort for WIN32 ;-)
> > 
> > Anyone running snort-WIN32 on Win2k Advanced Server?
> > 
> > Michael Davis
> > Chief Technical Officer
> > Data Nerds, LLC.
> > http://www.datanerds.net
> > 
> > > Brent,
> > > 
> > > Take a look at the script I have posted at:
> > > 
> > > http://patriot.net/~carvdawg/perl.html
> > > 
> > > It's called 'snortrpt.pl'.  It's easily customizable
> > > to your file structure...where nmapNT is sitting, etc.
> > > 
> > > You'll also find scripts for pulling the EventLogs,
> > > etc.
> > > 
> > > Regarding the emailing you of certain alerts...I am
> > > working on such a script...unfortunately, I have found
> > > that the Win32::ChangeNotify module doesn't work with
> > > the EventLog files.  So, the only immediate, short-
> > > term solution I can offer is to write you a script that
> > > polls the EventLog (or multiple EventLogs) every 60 or
> > > so seconds, and will email you if certain alerts are
> > > found.  What I want to do is write a script that will
> > > respond when an event is generated, rather than polling
> > > the 'Logs.
> > > 
> > > I just updated my alert file with several new entries
> > > from the most recent rule base...I've been getting some
> > > Sub7 scans lately and want to see what else I'm
> > > getting...
> > > 
> > > Carv
> > > 
> > > > I have also been using Snort both on Mandrake Linux
> > > > and Win32. 
> > > > 
> > > > I would be very interested in finding Perl scripts
> > > > to organize alerts in a report and also have a tool
> > > > or script to e-mail me during certain alerts.
> > > > 
> > > > Right now all my alerts go into the NT event viewer.
> > > > I would like to run Snort with a highly customized
> > > > rule set on a web server in our DMZ and have the
> > > > script e-mail me during certain alerts.
> > > 
> > > 
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Get Yahoo! Mail - Free email you can access from anywhere!
> > > http://mail.yahoo.com/
> > > 
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > http://lists.sourceforge.net/mailman/listinfo/snort-users
> > > 
> > 
> > 
> 


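The poll-every-X-seconds-and-mail approach described at the top of this message, as an added example in Python; this is not the script Carv promises nor anything posted at patriot.net. The high-water-mark logic is kept apart from the Windows reader so the core runs offline on constructed records. The source name "snort", the watch patterns, the sample records, the SMTP relay on localhost and the pywin32 reader are all assumptions.

```python
"""Poll an event source on a timer and e-mail any new Snort alerts (added example)."""
import smtplib
import time
from dataclasses import dataclass
from email.message import EmailMessage
from typing import Callable, Iterable, List, Tuple


@dataclass
class EventRecord:
    """Minimal view of one EventLog entry: record number, source and message text."""
    record_number: int
    source: str
    message: str


# Assumption: Snort writes to the Application log under the source name "snort";
# the substrings below are the alerts worth paging on (constructed watch list).
SNORT_SOURCE = "snort"
WATCH_PATTERNS = ("SubSeven", "NMAP", "WEB-")

# Constructed sample records standing in for NT EventLog entries.
SAMPLE_RECORDS = [
    EventRecord(101, "snort", "BACKDOOR SubSeven scan from 10.0.0.5"),
    EventRecord(102, "Application Error", "Faulting application notepad.exe"),
    EventRecord(103, "Snort", "WEB-CGI phf access from 10.0.0.9"),
    EventRecord(104, "snort", "ICMP PING from 10.0.0.7"),
]


def new_alerts(records: Iterable[EventRecord], last_seen: int,
               source: str = SNORT_SOURCE,
               patterns: Tuple[str, ...] = WATCH_PATTERNS) -> Tuple[List[EventRecord], int]:
    """Return (matching new alerts, new high-water mark).

    Only records numbered above last_seen are considered, so each record is
    mailed at most once across polls. If the newest record number is below
    last_seen, the log was cleared and numbering restarted, so the mark is
    reset instead of silently waiting for numbers that will never come back.
    """
    records = list(records)
    if not records:
        return [], last_seen
    newest = max(r.record_number for r in records)
    if newest < last_seen:
        last_seen = 0  # log was cleared since the previous poll
    hits = [r for r in records
            if r.record_number > last_seen
            and r.source.lower() == source.lower()
            and any(p in r.message for p in patterns)]
    return hits, max(newest, last_seen)


def build_email(alerts: List[EventRecord], sender: str, recipient: str) -> EmailMessage:
    """Format one plain-text message listing the alerts found in this poll."""
    msg = EmailMessage()
    msg["Subject"] = f"[snort] {len(alerts)} new alert(s)"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content("\n".join(f"#{a.record_number}: {a.message}" for a in alerts))
    return msg


def read_windows_application_log(server=None, log="Application") -> List[EventRecord]:
    """Read the whole log through pywin32 (assumption: Windows with pywin32 installed)."""
    import win32evtlog  # imported here so the rest of the file runs without it
    handle = win32evtlog.OpenEventLog(server, log)
    flags = win32evtlog.EVENTLOG_FORWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
    out = []
    try:
        while True:
            batch = win32evtlog.ReadEventLog(handle, flags, 0)
            if not batch:
                break
            for ev in batch:
                out.append(EventRecord(ev.RecordNumber, ev.SourceName,
                                       " ".join(ev.StringInserts or ())))
    finally:
        win32evtlog.CloseEventLog(handle)
    return out


def poll_forever(reader: Callable[[], List[EventRecord]], interval_seconds: int,
                 sender: str, recipient: str, smtp_host: str = "localhost") -> None:
    """Poll the reader every interval_seconds and mail each batch of new alerts."""
    last_seen = 0
    while True:
        alerts, last_seen = new_alerts(reader(), last_seen)
        if alerts:
            with smtplib.SMTP(smtp_host) as smtp:  # assumption: a local mail relay
                smtp.send_message(build_email(alerts, sender, recipient))
        time.sleep(interval_seconds)


if __name__ == "__main__":
    # Two polls over the constructed data: the first mails two alerts, the second nothing.
    first, mark = new_alerts(SAMPLE_RECORDS, 0)
    print(build_email(first, "snort@example.invalid", "oncall@example.invalid"))
    second, mark = new_alerts(SAMPLE_RECORDS, mark)
    print("second poll found", len(second), "new alerts; high-water mark", mark)
```

Re-reading the whole log on every poll is the simplest thing that is correct; on a busy sensor the reader would seek to the record after the high-water mark instead, but the reset-on-clear check above is what keeps a poller from going quiet after an administrator empties the log.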



