[Snort-users] RE: Alerting Snort (sending alert through pager)

Wirth, Jeff WirthJe at ...4876...
Fri May 3 09:26:05 EDT 2002


From: Alwin Raymundo [mailto:alrayworld at ...131...]
> Hi Jeff,

Hello Alwin...

> 
> I'm reading your response regarding the "Alerting
> snort using swatch".  I'm very interested regarding
> sending an email or page to my RIM.
> 
> I looked at the snort FAQ but I can't find detailed
> information regarding ATTACK RESPONSE.  I know this
> alert will not create a false positive alert.
             ^^^
Well, I wouldn't go that far...I've had a *few* (luckily not at 2:00 am, yet
;-), but I am willing to live with this..

> 
> Can you give me some direction or some sort of how to.

If you are thinking about swatch as a solution (and it's not the only one),
check out...

http://www.oit.ucsb.edu/~eta/swatch/

http://rr.sans.org/sysadmin/swatch.php

http://www.enteract.com/~lspitz/swatch.html

http://www.cert.org/security-improvement/implementations/i042.01.html

>  Do I need to add some parameters to
> attack-response.rules?

Nope.  Swatch will monitor your syslog entries looking for entries that you
define.  If it makes a match it will react as you instruct it to, i.e.
e-mail your pager.  Which means you need to be logging Snort to syslog:
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.1 , also check
your local man page for syslog and syslogd for additional information (you
are running *nix I hope).
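As an added illustration (not Jeff's code and not swatch itself): the match-and-page logic swatch applies to Snort's syslog alerts, written out in Python over a few constructed alert lines, with a per-signature throttle in the spirit of swatch's `throttle` option. The sensor name, addresses, timestamps and alert wording are assumptions made up for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of what Snort (started with -s) writes to syslog.
# Hostname, addresses and signature numbers are made up for this example.
SAMPLE_SYSLOG = """\
May  3 09:20:01 sensor1 snort: [1:498:3] ATTACK RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.0.2.10:80 -> 198.51.100.7:33412
May  3 09:20:03 sensor1 snort: [1:1201:5] ATTACK RESPONSES 403 Forbidden [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.10:80 -> 198.51.100.9:40122
May  3 09:20:30 sensor1 snort: [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 198.51.100.9:40130 -> 192.0.2.10:80
May  3 09:22:15 sensor1 snort: [1:498:3] ATTACK RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.0.2.10:80 -> 198.51.100.7:33490
May  3 09:31:00 sensor1 snort: [1:498:3] ATTACK RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.0.2.10:80 -> 198.51.100.7:33501
"""

# One syslog line: timestamp, host, "snort[pid]:" then the alert fields.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort(?:\[\d+\])?: "
    r"\[(?P<sig>\d+:\d+:\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

# The pattern you would put in a swatch 'watchfor' line for this thread.
WATCH_RE = re.compile(r"^ATTACK[ -]RESPONSES")


def parse_alert(line):
    """Split one Snort syslog alert into its fields; None if not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    a["ts"] = datetime.strptime(a["ts"], "%b %d %H:%M:%S")  # syslog has no year
    a["pri"] = int(a["pri"])
    return a


def page_decisions(syslog_text, watch=WATCH_RE, throttle=timedelta(minutes=5)):
    """Return the alerts that would trigger a page.  A signature that was
    paged less than `throttle` ago is suppressed, so one noisy rule does
    not page you every few seconds (swatch's 'throttle' does the same)."""
    last_paged = {}
    paged = []
    for line in syslog_text.splitlines():
        a = parse_alert(line)
        if a is None or not watch.search(a["msg"]):
            continue
        prev = last_paged.get(a["sig"])
        if prev is not None and a["ts"] - prev < throttle:
            continue  # same signature paged recently: hold it back
        last_paged[a["sig"]] = a["ts"]
        paged.append(a)
    return paged


def pager_text(a):
    """Short one-line message suitable for a pager or e-mail subject."""
    return "%s %s -> %s" % (a["msg"], a["src"], a["dst"])
```

Run against the sample, three alerts page: the first two ATTACK RESPONSES hits, then the repeat of 1:498:3 at 09:31 once the five-minute throttle has expired.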

Side Note: I've seen too many people using commercial NIDS getting
paged/e-mailed on all sorts of attack stimulus (I think this is why e-mail
filters were created).  And why?  Does attack stimulus == compromise?  Not
quite.  Well then, does response == compromise?  Maybe.  In short, response
to stimulus is either black or white; it is either what you expected or it
isn't.  And it's the unexpected we need to be concerned with...

Well have to go...My pager just went off ;-)

Hope this helps,

- Jeff
