[Snort-users] Real time monitoring and/or notification?

Fraser Hugh hugh_fraser at ...2804...
Wed Oct 24 06:40:01 EDT 2001


We also use ACID for the analysis, but felt it important to maintain an
audit trail for events that warranted an alert. Some simple triggers in
PostgreSQL allow me to check alerts as Snort inserts them against a table of
ones I'm interested in (the Swatch functionality), queue up a pager request,
and cut a trouble ticket in a PD system called DCL that also uses Postgres
as a backend. I augment the information provided by Snort with that provided
by Arpwatch, a logfile scanner to catch syslog entries from remote systems,
an snmptrap handler, and some software to generate "synthetic" alerts based
upon statistical analysis, using ACID to pull it all together, with each
non-Snort source appearing as an additional sensor. One of the benefits of
using the triggers in PostgreSQL is that I can apply the same
paging/trouble-ticket creating logic to any source of events I can shoe-horn
into the Snort database.
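As an added illustration of the trigger approach described above (this is not Fraser's code, and the table layout is an assumption, not the exact schema he used): the Snort database output plugin is assumed to insert one row per alert into an "event" table (sid, cid, signature) whose "signature" column references "signature.sig_id" and its human-readable "sig_name". A watch table plays the role of the Swatch keyword list; an AFTER INSERT trigger compares each new alert against it and queues a pager request into "notify_queue" for a separate process to deliver. The table names "watch_signature" and "notify_queue" and the function "snort_event_notify" are hypothetical. The syntax targets a current PostgreSQL (PL/pgSQL with ON CONFLICT), not the 2001-era release.

```sql
-- Assumed Snort schema (1.8-era database plugin), shown only for reference:
--   signature(sig_id serial, sig_name text, ...)
--   event(sid integer, cid integer, signature integer, timestamp timestamp, ...)

-- Hypothetical: the list of alert names worth paging on. Patterns are
-- matched against signature.sig_name with LIKE, so '%RedAlert%' mirrors the
-- keyword-in-msg convention discussed later in this thread.
CREATE TABLE watch_signature (
    watch_id    serial PRIMARY KEY,
    pattern     text NOT NULL,
    pager_dest  text NOT NULL        -- who gets paged for this pattern
);

-- Hypothetical: the queue a separate pager/ticket daemon drains. Keeping the
-- network I/O out of the trigger means a slow pager gateway can never stall
-- Snort's inserts, and the row itself is the audit trail of what was raised.
CREATE TABLE notify_queue (
    queue_id    serial PRIMARY KEY,
    sid         integer NOT NULL,
    cid         integer NOT NULL,
    sig_name    text NOT NULL,
    pager_dest  text NOT NULL,
    queued_at   timestamp NOT NULL DEFAULT now(),
    sent_at     timestamp,           -- set by the daemon once delivered
    UNIQUE (sid, cid, pager_dest)    -- one page per alert per destination
);

CREATE OR REPLACE FUNCTION snort_event_notify() RETURNS trigger AS $$
DECLARE
    v_name text;
    w      record;
BEGIN
    -- Resolve the alert's rule message; an unknown signature is left alone.
    SELECT sig_name INTO v_name FROM signature WHERE sig_id = NEW.signature;
    IF v_name IS NULL THEN
        RETURN NEW;
    END IF;

    -- Compare against every watch pattern and queue a request for each hit.
    FOR w IN SELECT pattern, pager_dest FROM watch_signature LOOP
        IF v_name LIKE w.pattern THEN
            INSERT INTO notify_queue (sid, cid, sig_name, pager_dest)
            VALUES (NEW.sid, NEW.cid, v_name, w.pager_dest)
            ON CONFLICT DO NOTHING;
        END IF;
    END LOOP;

    RETURN NEW;  -- never block the original alert insert
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER event_notify
    AFTER INSERT ON event
    FOR EACH ROW EXECUTE PROCEDURE snort_event_notify();

-- Constructed sample data to exercise the trigger:
INSERT INTO watch_signature (pattern, pager_dest)
    VALUES ('%RedAlert%', 'oncall-pager');
INSERT INTO signature (sig_name) VALUES ('RedAlert - constructed test rule');
INSERT INTO event (sid, cid, signature, timestamp)
    VALUES (1, 1, currval('signature_sig_id_seq'), now());

-- Expect exactly one queued request for (sid 1, cid 1, 'oncall-pager'):
SELECT sid, cid, sig_name, pager_dest FROM notify_queue WHERE sent_at IS NULL;
```

Because the trigger fires on the "event" table rather than on any Snort-specific code path, any other source that can be written into the same schema (Arpwatch, the syslog scanner, snmptrap output, synthetic alerts) gets the same paging logic for free, which is the benefit Fraser describes. The daemon that drains "notify_queue" is the only component that talks to the pager or ticket system.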

> -----Original Message-----
> From: Frank Reid [mailto:fcreid at ...691...]
> Sent: Tuesday, October 23, 2001 6:44 PM
> To: 'Sheahan, Paul (PCLN-NW)'; 'Snort List (E-mail)'
> Subject: RE: [Snort-users] Real time monitoring and/or notification?
> 
> 
> For human-readable near "real-time" monitoring, you might want to use
> ACID... I've found the "Last Few Alerts" view is a great way of seeing
> what's going on.  It uses the PHP refresh time variable defined in
> acid_conf.php, so active networks might need to set this to a
> relatively low refresh time.
> 
> For email alerting, I've had excellent luck with Swatch.  Swatch is a
> generic (non-Snort specific) utility that monitors the system log
> looking for "trigger" keywords and, when found, sends email containing
> the trigger line to a defined address.  In order to use it, you'll need
> to log to the syslog (at least).
> 
> What I've done (based on previous recommendations from this list) is
> create an alert type ("redalert", nominally) that sends alerts to both
> syslog and the MySQL database plugin.  In this manner, only alerts of
> high interest get logged.  In the text (msg:) block of the alerts, I put
> a "trigger" keyword, e.g. "RedAlert", that Swatch awaits and notifies.
> 
> Search back a few weeks on this list (via www.deja.com) for "Snort
> Swatch alert" and you'll find a better discussion/explanation of the
> process.
> 
> Frank
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Sheahan,
> Paul (PCLN-NW)
> Sent: Tuesday, October 23, 2001 6:14 PM
> To: Snort List (E-mail)
> Subject: [Snort-users] Real time monitoring and/or notification?
> 
> 
> 
> Hello,
> 
> I was wondering if there were a tool available to allow real time
> monitoring of attacks in Snort? I was also looking for a tool to allow
> notification (email, pager etc) with Snort? I would love to have this
> feature and would upgrade/convert to whatever version supports it.
> Anyone seen any tools that offer these features?
> 
> 
> Thanks,
> Paul
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
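Frank's quoted message above describes a custom Snort alert type whose rules carry a "RedAlert" keyword in msg: so that Swatch can match on it. The following is an added Snort configuration fragment illustrating that setup; it is not Frank's configuration. The ruletype and output plugin syntax follow the Snort 1.x manual; the rule itself, its content match, and the database credentials are constructed placeholders.

```snort
# Added example: a "redalert" rule type that writes matching alerts to both
# syslog (for Swatch) and the MySQL database plugin (for ACID). Ordinary
# "alert" rules are unaffected, so only rules declared with this type reach
# the pager path.
ruletype redalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: alert, mysql, user=snort dbname=snort host=localhost
}

# Constructed rule using the new type. The msg: text carries the "RedAlert"
# trigger keyword that Swatch's watchfor pattern keys on; the content match
# and port are placeholders, not a real signature.
redalert tcp $EXTERNAL_NET any -> $HOME_NET 1234 \
    (msg:"RedAlert - constructed example: suspicious string"; \
     content:"EXAMPLE-TRIGGER"; nocase; \
     sid:1000001; rev:1;)
```

On the Swatch side, a single watchfor rule matching /RedAlert/ against the syslog file Snort writes to is enough; everything that should page gets the keyword in its msg:, and everything else is left to the database and ACID. Keeping the keyword in the message text rather than in a rule option means the same convention survives when alerts are viewed in ACID, where the msg: appears as the signature name.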