[Snort-users] alerting admin via email or sms
gbinder at ...462...
Mon Oct 30 12:03:00 EST 2000
A.L.Lambert on Mon, Oct 30, 2000 at 06:42:30AM -0600:
> Just my $0.02, but are you sure you really want to do that? Next
> time a newbie script kiddie points his copy of Nessus (or any other
> similarly noisy scanning tool) at one of your boxes (or you accidentally
> put in a rule that catches a lot more than you wanted (as I've done to
> myself more than once :) ), your e-mail inbox will be thoroughly
> mailbombed, and/or your SMS provider will get a kick out of the surcharges
> you'll rack up from the message flood it will cause. (not to mention the
> fact that your IDS box will get heavily loaded trying to generate all
> those e-mails/SMS messages).
Wrap your alerting command (mail, SMS, etc.) inside a small script
to take care that some reasonable threshold is not exceeded. From my
point of view, I would say that 30min would be a good threshold for
that, but in reality it will depend on the response time that is
expected from you.
As I have outlined in the past, I use syslog-ng to do similar things.
Since forking for every alert would still be very expensive, it is
necessary to reduce the number of events that would trigger this. Most
people will find at least those alerts containing the words
"SIGNATURE", "BUGTRAQ" or "Virus" interesting. Others if you run more
obscure services/applications than I do. :)
I have thought about putting "DoS" in the list as well, but I have yet
to see snort in a serious DoS until I choose to add a possibly
additional DoS (fork bomb) to the system (I don't know how many alert
messages an actual DDoS generates).
Note that I only use this to bring really bad events to my attention
as quickly as possible. I still browse through the actual logs, but
these are also split up into "different priority" files. :)
Gregor Binder <gbinder at ...462...> http://www.sysfive.com/~gbinder/
sysfive.com GmbH UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany TEL +49-40-63647482