[Snort-users] RE: Alerting Snort (sending alert through pager)

Alwin Raymundo alrayworld at ...131...
Mon May 6 05:19:01 EDT 2002


Hi Jeff,

I'm using Red Hat 7.0 on my Snort box, but the logging
facility that I set up was MySQL and binary.

All alerts are logged to MySQL on another Linux box, which
is internal (intranet).  The binary logs go to
/var/log/snort on the Snort box.

Is it possible to have a third logging option,
like syslog?

Your quick response will be highly appreciated.

Thanks in advance.



--- "Wirth, Jeff" <WirthJe at ...4876...> wrote:
> From: Alwin Raymundo [mailto:alrayworld at ...131...]
> > Hi Jeff,
> 
> Hello Alwin...
> 
> > 
> > I'm reading your response regarding the "Alerting
> > snort using swatch".  I'm very interested in
> > sending an email or page to my RIM.
> > 
> > I looked at the Snort FAQ but I can't find detailed
> > information regarding ATTACK RESPONSE.  I know this
> > alert will not create a false positive alert.
>              ^^^
> Well, I wouldn't go that far...I've had a *few*
> (luckily not at 2:00 am, yet
> ;-), but I am willing to live with this..
> 
> > 
> > Can you give me some direction or some sort of how-to.
> 
> If you are thinking about swatch as a solution and
> it's not the only one,
> check-out...
> 
> http://www.oit.ucsb.edu/~eta/swatch/
> 
> http://rr.sans.org/sysadmin/swatch.php
> 
> http://www.enteract.com/~lspitz/swatch.html
> 
> http://www.cert.org/security-improvement/implementations/i042.01.html
> 
> >  Do I need to add some parameters to
> > attack-response.rules?
> 
> Nope.  Swatch will monitor your syslog entries
> looking for entries that you
> define.  If it makes a match it will react as you
> instruct it to, i.e.
> e-mail your pager.  Which means you need to be
> logging Snort to syslog..
> http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.1
> Also check
> your local man page for syslog and syslogd for
> additional information (you
> are running *nix I hope).
> 
> Side Note:.....I've seen too many people using
> commercial NIDS getting
> paged/e-mail on all sorts of attack stimulus (I
> think this is why e-mail
> filters were created).  And why, does attack
> stimulus == compromise? not
> quite.  Well then, does response == compromise?
> maybe.  In short, response
> to stimulus is either black or white, it's either
> what you expected or it
> isn't.  And it's the unexpected we need to be
> concerned with...
> 
> Well have to go...My pager just went off ;-)
> 
> Hope this helps,
> 
> - Jeff
> 


=====
Alwin Raymundo
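Jeff's recipe in the quoted reply is: have Snort write its alerts to syslog, let swatch watch the syslog file and mail a pager when a line matches, and page on attack *responses* (evidence the attack worked) rather than on every bit of attack stimulus. The script below is an added example, not code from the thread, from Snort or from swatch; it stands in for swatch's match-and-act step so the whole policy can be seen end to end. It assumes snort.conf contains `output alert_syslog: LOG_AUTH LOG_ALERT` and that alert lines look like the constructed sample embedded in it (the Snort 1.8/1.9-era syslog format; check your own /var/log/messages for the exact shape). The sample lines, hostnames, addresses, the "page on ATTACK RESPONSES or Priority 1" rule and the 300-second throttle are assumptions made for the example.

```python
"""Swatch-style pager triage for Snort alerts that were logged to syslog.

Added example (not from the thread, Snort or swatch). Assumes snort.conf has
    output alert_syslog: LOG_AUTH LOG_ALERT
so each alert becomes one syslog line. This plays swatch's part: read those
lines, keep the ones worth a page, and hold back repeats.
"""
import re
from datetime import datetime

# Constructed sample syslog lines (hosts, addresses, times invented); the rule
# messages mirror the attack-responses and SNMP rules discussed in the thread.
SAMPLE_SYSLOG = """\
May  6 05:10:01 sensor snort[1234]: [1:1418:2] SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.9.9.9:4001 -> 192.168.1.10:161
May  6 05:10:05 sensor snort[1234]: [1:498:3] ATTACK RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.1.10:80 -> 10.9.9.9:4002
May  6 05:10:06 sensor snort[1234]: [1:498:3] ATTACK RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.1.10:80 -> 10.9.9.9:4003
May  6 05:10:07 sensor sshd[999]: Accepted password for alwin from 192.168.1.20 port 1022 ssh2
May  6 05:15:30 sensor snort[1234]: [1:498:3] ATTACK RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.1.11:80 -> 10.9.9.9:4010
"""

# One Snort alert_syslog line: timestamp, host, tag, [gid:sid:rev], message,
# classification, priority, protocol, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<class>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

# Assumed policy: page on a response (the attack got an answer), or on
# anything Snort itself calls Priority 1; everything else is just stimulus.
PAGE_MSG_PREFIXES = ("ATTACK RESPONSES",)
PAGE_PRIORITY_AT_MOST = 1
THROTTLE_SECONDS = 300  # assumed; plays the role of swatch's throttle option


def parse_alert(line):
    """Return a dict for a Snort syslog alert line, or None for any other line."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    alert["prio"] = int(alert["prio"])
    # syslog timestamps carry no year; a 1900-dated datetime still gives
    # correct differences within one log.
    alert["when"] = datetime.strptime(alert["ts"], "%b %d %H:%M:%S")
    return alert


def should_page(alert):
    """Jeff's distinction: a response is worth a page, raw stimulus is not."""
    return (alert["msg"].startswith(PAGE_MSG_PREFIXES)
            or alert["prio"] <= PAGE_PRIORITY_AT_MOST)


def render_page(alert):
    """Short one-line text for a pager or RIM device."""
    return "%s SID %d %s %s->%s" % (
        alert["when"].strftime("%H:%M:%S"), alert["sid"], alert["msg"],
        alert["src"], alert["dst"])


def triage(syslog_text, throttle_seconds=THROTTLE_SECONDS):
    """Walk syslog text; return (pages_to_send, throttled_alerts, ignored_lines).

    Repeats of the same rule from the same responding host within
    throttle_seconds are held back, so one compromised server does not
    page you once per connection.
    """
    last_paged = {}
    pages, throttled, ignored = [], [], 0
    for line in syslog_text.splitlines():
        alert = parse_alert(line)
        if alert is None or not should_page(alert):
            ignored += 1
            continue
        src_ip = alert["src"].rsplit(":", 1)[0]
        key = (alert["sid"], src_ip)
        prev = last_paged.get(key)
        if prev is not None and (alert["when"] - prev).total_seconds() < throttle_seconds:
            throttled.append(alert)
            continue
        last_paged[key] = alert["when"]
        pages.append(render_page(alert))
    return pages, throttled, ignored


if __name__ == "__main__":
    pages, throttled, ignored = triage(SAMPLE_SYSLOG)
    for p in pages:
        print("PAGE:", p)
    print("%d held back by throttle, %d lines not pageable" % (len(throttled), ignored))
```

Run against the embedded sample it sends two pages (the first "id check returned root" from each internal web server) and holds back the one-second repeat from the same server; the SNMP probe and the sshd line are not pageable. In production the loop would read the live syslog file and hand each page string to your mail or pager command, which is roughly what a swatch `watchfor /ATTACK RESPONSES/` stanza with `mail` and `throttle` actions does for you.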