[Snort-users] Best real-time alerting tool

Fraser Hugh hugh_fraser at ...2804...
Thu Jun 6 06:59:03 EDT 2002


As is often the case, it depends upon how much budget you have to spend on
the solution. There are very good commercial solutions (NetCool is one I've
seen in action; expensive, but very comprehensive and would do everything
you're asking for).

On the assumption that you're using Snort because it's both an excellent
tool and inexpensive to deploy, I'll recommend ACID as an analysis and
real-time display tool. But I prefer exception reporting, so I've configured
Snort to log to a database, and have developed some scripts and triggers to
watch events as they occur and page/email me if I've flagged them in an
additional database table. Nothing terribly sophisticated. Paging is handled
using Hylafax. I've also written some simple perl scripts to incorporate
SNMP events from a commercial IDS we're using, and a syslog handler to
process W2K and NT events forwarded through a syslog service. These
non-Snort events all get munged and inserted into the database to be
analyzed by ACID.

If Snort is configured to log to a database, it will support multiple
sensors, and ACID can be used to do some correlation. If, by correlation, you
mean more sophisticated functions to do event reduction, suppression, etc.,
then there's not much non-commercial software available. SEC (Simple Event
Correlation) can do some of this, but it's not well integrated into other
tools. I'm currently playing with some statistical analysis (control chart
theory) to watch for changes in behaviour, and have good results sifting
through the thousands of events I see each day to pick out the handful of
significant things.

Hope this helps.

> 
> I'm starting research for the best real time alerting tool for Snort and
> want to get feedback from everyone. I'm looking for the following features,
> can anyone recommend a product or products? I need these features:
> 
> *	Real time window where I can watch alerts as they occur
> *	Real time alerting option via email and/or pager for alerts I choose
> *	Best tool for correlation and historical analysis of data across
> multiple Snort sensors
> 
> Thanks!
> 
> Paul Sheahan
> Manager of Information Security
> Priceline.com
> paul.sheahan at ...2218...
> 
> 
> 
> _______________________________________________________________
> 
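The log-to-database-plus-trigger exception reporting described in the reply above, as an added example that is not part of the original post and is in Python rather than the author's Perl. The sensor, signature and event tables are a simplified subset of the Snort database output schema; the watch and alert_queue tables, the trigger, the sender/recipient addresses, the sensor name and the sample events are all constructed for illustration. Delivery is a plain callable so that a real deployment can plug in sendmail or a Hylafax paging command.

```python
"""Exception-reporting watcher over a Snort-style event database.

Added example (not from the original post). Uses an in-memory SQLite
database holding a simplified subset of the Snort DB schema
(sensor, signature, event) plus two hypothetical operator tables:
  watch        - signature ids that should page someone, and to whom
  alert_queue  - rows written by a trigger when a flagged event lands
A poller drains alert_queue, renders an email per row and marks it
delivered, so restarting the poller never re-pages old alerts.
"""
import sqlite3
from email.message import EmailMessage

SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
-- (sid, cid) is Snort's sensor id / per-sensor event counter composite key
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
-- operator-maintained list of flagged signatures (assumed, not a Snort table)
CREATE TABLE watch (sig_id INTEGER PRIMARY KEY, notify TEXT);
-- filled by the trigger, drained by the poller (assumed, not a Snort table)
CREATE TABLE alert_queue (id INTEGER PRIMARY KEY AUTOINCREMENT, sid INTEGER, cid INTEGER,
                          sig_id INTEGER, notify TEXT, delivered INTEGER DEFAULT 0);
-- fires on every new event but only queues the ones whose signature is flagged
CREATE TRIGGER flag_event AFTER INSERT ON event
  WHEN NEW.signature IN (SELECT sig_id FROM watch)
BEGIN
  INSERT INTO alert_queue (sid, cid, sig_id, notify)
  SELECT NEW.sid, NEW.cid, NEW.signature, notify FROM watch WHERE sig_id = NEW.signature;
END;
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def log_event(db, sid, cid, sig_id, ts):
    """What Snort's database output plugin does, in miniature."""
    db.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig_id, ts))
    db.commit()


def pending_alerts(db):
    """Undelivered queued alerts joined back to sensor and signature detail."""
    return db.execute("""
        SELECT q.id, s.hostname, e.timestamp, g.sig_name, g.sig_priority, q.notify
        FROM alert_queue q
        JOIN event e ON e.sid = q.sid AND e.cid = q.cid
        JOIN sensor s ON s.sid = q.sid
        JOIN signature g ON g.sig_id = q.sig_id
        WHERE q.delivered = 0 ORDER BY q.id""").fetchall()


def render_message(row):
    qid, host, ts, name, prio, notify = row
    msg = EmailMessage()
    msg["To"] = notify
    msg["From"] = "snort-watch@localhost"  # assumed sender address
    msg["Subject"] = f"[snort] prio {prio} {name} on {host}"
    msg.set_content(f"{ts} {host}: {name} (priority {prio})\n")
    return msg


def drain(db, deliver):
    """Deliver every undelivered alert via deliver(msg); returns the count."""
    rows = pending_alerts(db)
    for row in rows:
        deliver(render_message(row))
        db.execute("UPDATE alert_queue SET delivered = 1 WHERE id = ?", (row[0],))
    db.commit()
    return len(rows)


def demo():
    """Constructed run: three events, one flagged signature, one page sent."""
    db = open_db()
    db.execute("INSERT INTO sensor VALUES (1, 'dmz-sensor', 'eth1')")
    db.executemany("INSERT INTO signature VALUES (?, ?, ?)",
                   [(1, "ICMP PING NMAP", 3), (2, "WEB-IIS cmd.exe access", 1)])
    db.execute("INSERT INTO watch VALUES (2, 'oncall@example.org')")
    log_event(db, 1, 1, 1, "2002-06-06 06:50:01")  # noisy, not flagged
    log_event(db, 1, 2, 2, "2002-06-06 06:51:12")  # flagged -> queued
    log_event(db, 1, 3, 1, "2002-06-06 06:52:30")  # noisy, not flagged
    sent = []
    first = drain(db, sent.append)
    second = drain(db, sent.append)  # nothing new: no duplicate page
    return first, [str(m["Subject"]) for m in sent], second


if __name__ == "__main__":
    print(demo())
```

Flagging is a single row in the watch table, so adding or removing a paged signature needs no code change, and the delivered flag is what makes the poller safe to run from cron or a loop without re-sending. For paging, replace the deliver callable with one that writes the rendered text to a Hylafax or sendmail subprocess.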