[Snort-users] Best real-time alerting tool
john at ...5909...
Sun Jun 9 09:14:02 EDT 2002
One should certainly look into PureSecure from Demarc. It utilizes SNORT,
Apache, & MySQL. All the functionality of ACID is there, along with
configuration of rules, and sensors themselves...all from the Web interface.
It also includes Alert functionality for Snort alerts and the availability
(up-time) of critical services (HTTP/S, DNS,...etc). Note that the product
requires purchasing for commercial use (Enterprise Edition), but the Personal
Edition for home use is free. In my opinion it is ACID on steroids.
You can read more about the product here: http://www.demarc.com
Also you can visit my deployment on my home network here:
Click "Anonymous" at the Login screen. You will not be able to view rule and
alerting configs but you can email me if you would like a login for that.
GnuPG Public Key: https://www.dndlabs.net/pgpkey/listing.php
Key Fingerprint = 73D0 EDCC D5ED A6C0 1324 A85E 4957 D3C6 FA6C F3AE
From: Fraser Hugh <hugh_fraser at ...2804...>
To: "Snort List (E-mail)" <snort-users at lists.sourceforge.net>,
"'paul.sheahan at ...2218...'" <paul.sheahan at ...2218...>
Subject: RE: [Snort-users] Best real-time alerting tool
Date: Thu, 6 Jun 2002 09:58:32 -0400
As is often the case, it depends upon how much budget you have to spend on
the solution. There are very good commercial solutions (NetCool is one I've
seen in action; expensive, but very comprehensive and would do everything
you've asking for).
On the assumption that you're using Snort because it's both an excellent
tool and inexpensive to deploy, I'll recommend ACID as an analysis and
real-time display tool. But I prefer exception reporting, so I've configured
Snort to log to a database, and have developed some scripts and triggers to
watch events as they occur and page/email me if I've flagged them in an
additional database table. Nothing terribly sophisticated. Paging is handled
using Hylafax. I've also written some simple perl scripts to incorporate
SNMP events from a commercial IDS we're using, and a syslog handler to
process W2K and NT events forwarded through a syslog service. These
non-Snort events all get munged and inserted into the database to be
analyzed by ACID.
If Snort is configured to log to a database, it will support multiple
sensors, and ACID can be used to do some correlation. If, by correlation, you
mean more sophisticated functions to do event reduction, suppression, etc.,
then there's not much non-commercial software available. SEC (Simple Event
Correlation) can do some of this, but it's not well integrated into other
tools. I'm currently playing with some statistical analysis (control chart
theory) to watch for changes in behaviour, and have good results sifting
through the thousands of events I see each day to pick out the handful of
Hope this helps.
> I'm starting research for the best real time alerting tool for Snort and
> want to get feedback from everyone. I'm looking for the following features,
> can anyone recommend a product or products? I need these features:
> * Real time window where I can watch alerts as they occur
> * Real time alerting option via email and/or pager for alerts I choose
> * Best tool for correlation and historical analysis of data across
> multiple Snort sensors
> Paul Sheahan
> Manager of Information Security
> paul.sheahan at ...2218...
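The exception-reporting and control-chart approach Fraser describes above, as an added example that is not code from the thread: a Python script over a constructed batch of alert rows, where FLAG_TABLE stands in for his extra database table of signatures to page or email on, and the per-signature limit is a Shewhart individuals chart (mean plus k standard deviations over the baseline days). Signature names, sensor ids, day numbers and counts are all made up.

```python
import statistics
from collections import Counter

# Constructed sample alerts: (sensor_id, signature_name, day_of_month). They stand
# in for rows joined from Snort's event/signature tables; not real captured data.
BASELINE = [10, 12, 9, 11, 10, 8, 10]          # days 1..7 of ICMP PING NMAP
ALERTS = (
    [(1, "ICMP PING NMAP", day) for day, n in enumerate(BASELINE, 1) for _ in range(n)]
    + [(1, "ICMP PING NMAP", 8)] * 60           # day 8: a burst worth noticing
    + [(2, "WEB-IIS cmd.exe access", 3)] * 2
    + [(1, "SCAN SSH Version map attempt", 8)]
)

# The "additional database table": signatures that should page or email (assumed layout).
FLAG_TABLE = {"WEB-IIS cmd.exe access": "page",
              "SCAN SSH Version map attempt": "email"}


def flagged(alerts, flag_table=FLAG_TABLE):
    """Exception reporting: (channel, sensor, signature, day) for flagged alerts."""
    return [(flag_table[sig], sensor, sig, day)
            for sensor, sig, day in alerts if sig in flag_table]


def daily_series(alerts, days):
    """Per-signature count for every day in `days` (zero-filled), across all sensors."""
    counts = Counter((sig, day) for _, sig, day in alerts)
    sigs = {sig for _, sig, _ in alerts}
    return {sig: [counts[(sig, d)] for d in days] for sig in sigs}


def control_chart_outliers(alerts, baseline_days, check_day, k=3.0):
    """Shewhart individuals chart: flag a signature on `check_day` when its count
    exceeds mean + k*stdev of its counts over `baseline_days`. A zero-variance
    baseline (e.g. a signature never seen before) flags any increase."""
    series = daily_series(alerts, list(baseline_days) + [check_day])
    hits = []
    for sig, counts in sorted(series.items()):
        base, today = counts[:-1], counts[-1]
        limit = statistics.mean(base) + k * statistics.stdev(base)
        if today > limit:
            hits.append((sig, check_day, today, round(limit, 2)))
    return hits


if __name__ == "__main__":
    for hit in flagged(ALERTS):
        print("NOTIFY", *hit)
    for hit in control_chart_outliers(ALERTS, range(1, 8), 8):
        print("OUTLIER", *hit)
```

In a real deployment the two functions would be driven by a periodic query against the alert database and their output handed to the pager or mail script; the quiet WEB-IIS signature shows why the flag table and the chart complement each other.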