[Snort-users] RE: (Snort-users) Real time monitoring and/or notification?

sandro.poppi at ...3316...
Tue Oct 23 22:39:07 EDT 2001


As Frank stated, swatch is your choice. You could also have a look at
http://www.lug-burghausen.org/projects/index.html#snort-stat where I also
documented the use of swatch.

Ciao,
Sandro

> -----Original Message-----
> From: "Frank Reid" <fcreid at ...691...> at internet
> Sent: Tuesday, 23 October 2001 18:44
> To: Paul.Sheahan at ...2218... at Internet;
> snort-users at lists.sourceforge.net at Internet
> Subject: RE: [Snort-users] Real time monitoring and/or notification?
>
>
> For human-readable near "real-time" monitoring, you might want to use
> ACID... I've found the "Last Few Alerts" view is a great way of seeing
> what's going on.  It uses the PHP refresh time variable defined in
> acid_conf.php, so active networks might need to set this to a
> relatively low refresh time.
>
> For email alerting, I've had excellent luck with Swatch.  Swatch is a
> generic (non-Snort specific) utility that monitors the system log
> looking for "trigger" keywords and, when found, sends email containing
> the trigger line to a defined address.  In order to use it, you'll need
> to log to the syslog (at least).
>
> What I've done (based on previous recommendations from this list) is
> create an alert type ("redalert", nominally) that sends alerts to both
> syslog and the MySQL database plugin.  In this manner, only alerts of
> high interest get logged.  In the text (msg:) block of the alerts, I put
> a "trigger" keyword, e.g. "RedAlert", that Swatch awaits and notifies.
>
> Search back a few weeks on this list (via www.deja.com) for "Snort
> Swatch alert" and you'll find a better discussion/explanation of the
> process.
>
> Frank
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Sheahan,
> Paul (PCLN-NW)
> Sent: Tuesday, October 23, 2001 6:14 PM
> To: Snort List (E-mail)
> Subject: [Snort-users] Real time monitoring and/or notification?
>
>
>
> Hello,
>
> I was wondering if there were a tool available to allow real time
> monitoring of attacks in Snort? I was also looking for a tool to allow
> notification (email, pager etc) with Snort? I would love to have this
> feature and would upgrade/convert to whatever version supports it.
> Anyone seen any tools that offer these features?
>
>
> Thanks,
> Paul
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

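The Swatch workflow Frank describes above (a high-interest alert type logged to syslog, a trigger keyword such as "RedAlert" in the rule's msg: text, and a watcher that mails the matching line) is worth seeing end to end. The following Python script is an added example written for this archive page; it is not Swatch, not code from the thread, and not part of Snort. It emulates Swatch's watch-for-keyword behaviour over constructed syslog lines that approximate the shape of Snort's syslog output (the sample lines, the sensor name, the signature ids and the addresses are all made up), parses each alert into its fields, selects the ones whose message carries the trigger keyword, suppresses exact repeats so a noisy source does not flood the mailbox (an addition not mentioned in the thread), and builds the notification as an email message without sending it. The hypothetical `notify()` helper only contacts an SMTP server if you pass it a host.

```python
"""Swatch-style trigger watcher for Snort syslog alerts (added example, not Swatch itself)."""
import re
import smtplib
from email.message import EmailMessage

# Constructed sample syslog lines. They approximate the layout of Snort's
# alert_syslog output; every value (host, pid, sid, addresses) is made up.
SAMPLE_SYSLOG = """\
Oct 23 18:02:11 sensor snort[1234]: [1:1000001:1] RedAlert WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.5:3312 -> 10.0.0.10:80
Oct 23 18:02:12 sensor snort[1234]: [1:1000002:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.5 -> 10.0.0.10
Oct 23 18:02:13 sensor snort[1234]: [1:1000003:1] RedAlert Suspicious outbound shell [Priority: 1]: {TCP} 10.0.0.10:4444 -> 203.0.113.7:80
Oct 23 18:02:14 sensor sshd[999]: Accepted publickey for admin from 10.0.0.2 port 51022
"""

# Fields of one Snort syslog alert: [gid:sid:rev] msg [Classification: ...] [Priority: n]: {proto} src -> dst
ALERT_RE = re.compile(
    r"snort(?:\[\d+\])?: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?)"
    r"(?: \[Classification: (?P<cls>[^\]]+)\])?(?: \[Priority: (?P<pri>\d+)\])?: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None for lines Snort did not write."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["priority"] = int(alert["pri"]) if alert["pri"] else None
    alert["raw"] = line
    return alert


def find_triggers(lines, keyword="RedAlert"):
    """Swatch's 'watchfor': keep only alerts whose msg text contains the trigger keyword."""
    hits = []
    for line in lines:
        alert = parse_alert(line)
        if alert and keyword in alert["msg"]:
            hits.append(alert)
    return hits


def suppress_repeats(alerts, seen=None):
    """Drop alerts already reported for the same (sid, src, dst); 'seen' persists across batches."""
    seen = set() if seen is None else seen
    fresh = []
    for alert in alerts:
        key = (alert["sid"], alert["src"], alert["dst"])
        if key in seen:
            continue
        seen.add(key)
        fresh.append(alert)
    return fresh


def build_notification(alert, sender, recipient):
    """Build the mail Swatch would send: the trigger line itself, with a summarising subject."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"[snort] {alert['msg']} {alert['src']} -> {alert['dst']}"
    msg.set_content(alert["raw"])
    return msg


def notify(alerts, sender, recipient, smtp_host=None):
    """Hypothetical sender: builds one message per alert and, only if smtp_host is given, delivers it."""
    messages = [build_notification(a, sender, recipient) for a in alerts]
    if smtp_host:
        with smtplib.SMTP(smtp_host) as smtp:
            for m in messages:
                smtp.send_message(m)
    return messages


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    for m in notify(suppress_repeats(find_triggers(lines)), "snort@sensor.example", "soc@example.org"):
        print(m["Subject"])
```

In production the line source would be a tail of the syslog file rather than an embedded string, and the trigger keyword must appear in the msg: text of every rule routed to the high-interest alert type, exactly as Frank describes; the repeat-suppression set should also be expired periodically or the first alert from a given pair is the only one you will ever hear about.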