[Snort-users] Real time monitoring and/or notification?
fcreid at ...691...
Tue Oct 23 15:47:01 EDT 2001
For human-readable near "real-time" monitoring, you might want to use
ACID... I've found the "Last Few Alerts" view is a great way of seeing
what's going on. It uses the PHP refresh time variable defined in
acid_conf.php, so active networks might need to set this to a relatively
low refresh time.

For email alerting, I've had excellent luck with Swatch. Swatch is a
generic (non-Snort-specific) utility that monitors the system log
looking for "trigger" keywords and, when found, sends email containing
the trigger line to a defined address. In order to use it, you'll need
to log to the syslog (at least).

What I've done (based on previous recommendations from this list) is
create an alert type ("redalert", nominally) that sends alerts to both
syslog and the MySQL database plugin. In this manner, only alerts of
high interest get logged. In the text (msg:) block of the alerts, I put
a "trigger" keyword, e.g. "RedAlert", that Swatch awaits and notifies.

Search back a few weeks on this list (via www.deja.com) for "Snort
Swatch alert" and you'll find a better discussion/explanation of the
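The reply above describes a two-part setup: Snort sends only its high-interest rules (a custom "redalert" type whose output goes to syslog and the database) and each of those rules carries a trigger keyword in its msg:, then Swatch tails syslog and mails any line containing the keyword. The script below is an added example, not part of this thread and not Swatch or Snort code, that implements the Swatch side of that arrangement in Python: it scans syslog lines for the "RedAlert" keyword, extracts the rule id and message text from Snort's alert_syslog line format, builds one e-mail per hit, and throttles repeats of the same rule id so a noisy rule cannot flood the mailbox (the caveat Swatch users usually hit first). The hostnames, addresses, rule ids and log lines are constructed.

```python
"""Swatch-style watcher for the workflow in the reply above: Snort logs only
its high-interest ("redalert") rules to syslog, each with a trigger keyword
in its msg:, and a watcher turns matching syslog lines into e-mail.
Added example; not Swatch or Snort code.  Names, addresses and the sample
log lines are constructed."""
import re
import smtplib
import time
from email.message import EmailMessage

# Constructed sample syslog lines in the shape the alert_syslog output plugin
# writes: "[gid:sid:rev] <rule msg> [...] {proto} src:port -> dst:port".
# Line 5 repeats rule 1:1000001:1 so the throttle has something to suppress.
SAMPLE_SYSLOG = """\
Oct 23 15:40:01 sensor1 snort[1234]: [1:1000001:1] RedAlert SHELLCODE probe [Priority: 1] {TCP} 10.0.0.5:4321 -> 10.0.0.9:80
Oct 23 15:40:02 sensor1 snort[1234]: [1:1000002:1] WEB-MISC low-interest probe [Priority: 3] {TCP} 10.0.0.6:4322 -> 10.0.0.9:80
Oct 23 15:40:03 sensor1 sshd[555]: Accepted publickey for ops from 10.0.0.7
Oct 23 15:40:04 sensor1 snort[1234]: [1:1000003:1] RedAlert suspicious DNS [Priority: 1] {UDP} 10.0.0.8:5353 -> 10.0.0.1:53
Oct 23 15:40:05 sensor1 snort[1234]: [1:1000001:1] RedAlert SHELLCODE probe [Priority: 1] {TCP} 10.0.0.5:4323 -> 10.0.0.9:80
"""

# The trigger keyword placed in the msg: of every high-interest rule.
TRIGGER = re.compile(r"\bRedAlert\b")

# Pull the rule id and message text out of a Snort syslog line.
SNORT_LINE = re.compile(
    r"snort\[\d+\]: \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.+?) (?=\[|\{)"
)


def find_triggers(lines, pattern=TRIGGER):
    """Return the log lines that contain the trigger keyword."""
    return [line for line in lines if pattern.search(line)]


def parse_snort(line):
    """Return (sid, msg) for a Snort syslog line, or (None, line) when the
    line does not have the expected shape (a non-Snort line, for example)."""
    m = SNORT_LINE.search(line)
    if not m:
        return None, line.strip()
    return m.group("sid"), m.group("msg")


def build_notification(line, sender, recipient):
    """Build the e-mail for one trigger line; the whole line is the body so
    the reader gets addresses and protocol without opening the console."""
    _, msg_text = parse_snort(line)
    mail = EmailMessage()
    mail["From"] = sender
    mail["To"] = recipient
    mail["Subject"] = "snort trigger: " + msg_text
    mail.set_content(line + "\n")
    return mail


def watch(lines, sender, recipient, throttle=True):
    """Scan lines for triggers and build one e-mail per hit.  With throttle
    on, repeats of a rule id already notified in this pass are counted
    instead of mailed.  Returns (notifications, suppressed), where
    suppressed maps the rule id to the number of repeats dropped."""
    notifications, seen, suppressed = [], set(), {}
    for line in find_triggers(lines):
        sid, _ = parse_snort(line)
        key = sid or line            # non-Snort trigger lines are keyed as-is
        if throttle and key in seen:
            suppressed[key] = suppressed.get(key, 0) + 1
            continue
        seen.add(key)
        notifications.append(build_notification(line, sender, recipient))
    return notifications, suppressed


def send_all(notifications, smtp_host="localhost"):
    """Hand the built messages to a local MTA (not called in the demo)."""
    with smtplib.SMTP(smtp_host) as smtp:
        for mail in notifications:
            smtp.send_message(mail)


def follow(fileobj, pattern=TRIGGER):
    """Tail an already-open log file like 'tail -f', yielding trigger lines
    as they are appended (this is the long-running mode Swatch operates in)."""
    fileobj.seek(0, 2)               # start at the current end of the file
    while True:
        line = fileobj.readline()
        if not line:
            time.sleep(0.5)
            continue
        if pattern.search(line):
            yield line


if __name__ == "__main__":
    mails, dropped = watch(SAMPLE_SYSLOG.splitlines(),
                           "snort@sensor1.example", "oncall@example.invalid")
    for mail in mails:
        print(mail["Subject"])
    print("suppressed repeats:", dropped)
```

Run as a script it prints the two subjects it would mail and the one suppressed repeat; in production you would wrap `follow(open("/var/log/messages"))` in a loop that calls `build_notification` and `send_all` for each yielded line. The throttle here is per pass and keyed on the Snort rule id; Swatch's own throttle option is time-based, and a watcher that runs continuously should reset its seen-set on a timer so a rule that fires again an hour later is still reported.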
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Sheahan,
Sent: Tuesday, October 23, 2001 6:14 PM
To: Snort List (E-mail)
Subject: [Snort-users] Real time monitoring and/or notification?
I was wondering if there were a tool available to allow real time
of attacks in Snort? I was also looking for a tool to allow notification
(email, pager etc) with Snort? I would love to have this feature and
upgrade/convert to whatever version supports it. Anyone seen any tools
offer these features?
Snort-users mailing list
Snort-users at lists.sourceforge.net