[Snort-users] Snort reporting and alerting

Sid s_i_d_j at ...131...
Tue May 29 01:11:52 EDT 2001


The idea is real-time response, i.e. within seconds of the attack happening,
the ability to react. One option is to integrate the IDS with some kind of
firewall and allow dynamic reconfiguration of the firewall thru' the IDS, but
this option could do more harm than good. Another is sending TCP resets, but
that would work only for TCP-based exploits and not DoS or DDoS or UDP
stuff.

I was thinking more along the lines of getting paged as soon as I get hit. The
problem is there are far too many false positives and the number of alerts
per day is too many. I need some kind of solution where, if there is some
persistent suspicious/threatening activity, I get paged (if nothing else, then
at least to impress the management ;) )

Siddhartha

----- Original Message -----
From: "Dragos Ruiu" <dr at ...381...>
To: "Sid" <s_i_d_j at ...131...>; <snort-users at lists.sourceforge.net>
Sent: Tuesday, May 29, 2001 6:42 AM
Subject: Re: [Snort-users] Snort reporting and alerting


> On Sun, 27 May 2001, Sid wrote:
> > Hi,
> >
> > I believe any IDS implementation is not very effective unless you have a
> > real-time reporting/alerting mechanism and also a way of filtering out the less
> > important alerts from the real threatening ones. So, I would like to know
> > how people using Snort are doing this. I am trying to put some Perl code
> > together for the same and would like suggestions on what kind of reports and
> > in what format would be useful.
>
> Snort -> syslog and swatch is a nice combination if you absolutely must
> have that latest portscan address delivered to you right now..
>
> As far as real-time alerting.... it's cool if you can afford to have someone
> watching those logs 24x7 but that is a luxury very few have.  Most people
> are happy if they even have a knowledgeable analyst sampling the
> alert logs periodically if even at all.
>
> BTW whenever I hear the term real-time, I'm always reminded how
> easy to misuse that is... I think you mean low-latency alerting, because
> a daily e-mail summary of alerts is still "real-time" reporting.
>
> cheers,
> --dr
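One way to get the "page only on persistent activity" behaviour Siddhartha asks for, sitting between Snort's alert log and whatever sends the page. This is an added example, not code from the thread; it assumes the field layout of Snort's fast alert line (timestamp, [**] message [**], optional priority, src -> dst) and uses constructed sample lines, and the threshold, window and cooldown values are illustrative defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Field layout of Snort's "fast" alert line (assumption: no year in the timestamp,
# so parse_alert() takes one; [gid:sid:rev] and [Priority: n] are treated as optional).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\S*\s+\[\*\*\]\s+(?:\[\d+:\d+:\d+\]\s+)?"
    r"(?P<msg>.*?)\s+\[\*\*\].*?(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)"
)
PRIO_RE = re.compile(r"\[Priority:\s*(\d+)\]")

def parse_alert(line, year=2001):
    """Return the fields of one fast-format alert line, or None if it is not one."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
    p = PRIO_RE.search(line)
    return {"ts": ts, "msg": m["msg"], "src": m["src"], "dst": m["dst"],
            "prio": int(p.group(1)) if p else 3}   # no priority field: treat as low

def pages_for(lines, threshold=5, window_s=60, cooldown_s=600, max_prio=2):
    """Page once per source raising >= threshold alerts of priority <= max_prio in window_s."""
    recent = defaultdict(deque)   # src -> timestamps of qualifying alerts
    last_paged, pages = {}, []
    for line in lines:
        a = parse_alert(line)
        if a is None or a["prio"] > max_prio:
            continue              # unparseable or low priority: log it, never page
        q = recent[a["src"]]
        q.append(a["ts"])
        while (a["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()           # drop alerts that fell out of the window
        paged = last_paged.get(a["src"])
        if len(q) >= threshold and (paged is None or
                                    (a["ts"] - paged).total_seconds() >= cooldown_s):
            last_paged[a["src"]] = a["ts"]   # suppress repeat pages during cooldown
            pages.append((a["ts"], a["src"], len(q), a["msg"]))
    return pages

# Constructed sample input, not real Snort output: one source trips 6 alerts in 30 s,
# a low-priority host pings, the same source reappears much later, plus a junk line.
FMT = ("05/29-01:{m:02d}:{s:02d}.000000  [**] [1:{sid}:1] {msg} [**] "
       "[Priority: {prio}] {{TCP}} {src}:4321 -> 192.168.1.10:80")
SAMPLE_ALERTS = [FMT.format(m=11, s=10 + 5 * i, sid=1000001, msg="WEB-MISC probe",
                            prio=2, src="10.0.0.5") for i in range(6)] + [
    FMT.format(m=11, s=20, sid=1000002, msg="ICMP PING", prio=3, src="10.0.0.9"),
    FMT.format(m=15, s=0, sid=1000003, msg="WEB-CGI probe", prio=1, src="10.0.0.5"),
    "not an alert line at all",
]
```

Running `pages_for(SAMPLE_ALERTS)` yields a single page for 10.0.0.5 at the fifth alert; the sixth alert and the later lone alert are swallowed by the cooldown and the expired window.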
