[Snort-users] swatch alternatives - sec

raft na raft2200 at ...131...
Fri Apr 25 05:53:08 EDT 2003


I would suggest SEC too http://kodu.neti.ee/~risto/sec/. It's a single perl script and config file, so very easy to get up and running. I was able to get "real time" email alerts and end-of-day emailed reports going fairly easily, but haven't tackled the "this IP is suddenly going berserk" type of alert yet (threshold in SEC jargon). As an example, the following sends an email with IPs and alert description when it sees a snort Priority 1 message in the log file. It also adds it to a list of Priority 1 alerts that gets emailed at the end of the day. (I'm no regex guru, there may be more elegant expressions, but it works w/ latest snort 2)
# Detect the beginning of priority 1 attack from a source IP,
# and send a warning e-mail message that a new attack has begun;
# also create a context for storing detailed information about the attack

type=Single
ptype=RegExp
pattern=.*] (.*)\[Classification: (.*)\] \[Priority: 1.*} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*-> (\S+)
context=!ATTACK_P1_FROM_$3
continue=TakeNext
desc=P1 ALERT - $1 - $2 - started from $3 to $4
action=create ATTACK_P1_FROM_$3; add ALERT_P1_REPORT %t: %s; pipe '%t: %s' \
  /bin/mail -s 'SNORT: priority 1 attack from $3 (alert)' person at ...1255...

# For every priority 1 incident, add an entry to the context by its IP;
# if the IP has been quiet for 5 minutes, report the whole attack

type=Single
ptype=RegExp
pattern=.*] (.*)\[Classification: (.*)\] \[Priority: 1.*} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*-> (\S+)
context=ATTACK_P1_FROM_$3
continue=TakeNext
desc=P1 ALERT - $1 - $2 - started from $3 to $4
action=add ATTACK_P1_FROM_$3 %t: %s; set ATTACK_P1_FROM_$3 300 \
  ( report ATTACK_P1_FROM_$3 \
    /bin/mail -s 'SNORT: priority 1 attack from $3 (report)' person at ...1255... )

# send daily report about regular P1 alerts
# (note: the crontab-style spec '11 * * * *' fires at minute 11 of every hour;
#  a once-a-day schedule would look like '0 0 * * *')

type=Calendar
time=11 * * * *
desc=Sending alert report...
action=report ALERT_P1_REPORT \
    /bin/mail -s 'SNORT: daily P1 alert report' person at ...1255...; \
  delete ALERT_P1_REPORT
 ====
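To check what the three rules above actually do before deploying them, here is an added Python re-implementation of their logic (this is editor-added example code, not the poster's nor SEC's). It reuses the post's regex unchanged and assumes Snort's syslog-style single-line output ("[gid:sid:rev] msg [Classification: x] [Priority: 1]: {PROTO} src[:port] -> dst[:port]"); the log lines, timestamps and signature names are constructed for the demo. The `Correlator` class mirrors the per-IP `ATTACK_P1_FROM_<ip>` contexts with their 300-second lifetime, the `ALERT_P1_REPORT` daily context, and the two kinds of e-mail the rules send.

```python
"""Toy model of the three SEC rules: per-IP attack contexts with a 300 s
quiet timeout, plus a daily report context. Example code, not part of SEC."""
import re

# The pattern from the post, unchanged. Assumption: Snort syslog-style lines.
PATTERN = re.compile(
    r".*] (.*)\[Classification: (.*)\] \[Priority: 1.*} "
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*-> (\S+)"
)
QUIET_SECONDS = 300  # the "set ATTACK_P1_FROM_$3 300" lifetime in rule 2


class Correlator:
    """Stands in for SEC's context table and the mail actions."""

    def __init__(self):
        self.contexts = {}      # src_ip -> {"expires": t, "lines": [...]}
        self.daily_report = []  # stands in for context ALERT_P1_REPORT
        self.alerts = []        # (src_ip, desc): the "(alert)" e-mails
        self.reports = []       # (src_ip, lines): the "(report)" e-mails

    def feed(self, now, line):
        """Process one log line seen at time `now` (seconds). Returns desc or None."""
        self.tick(now)
        m = PATTERN.match(line)
        if not m:
            return None
        sig, cls, src, dst = (g.strip() for g in m.groups())
        desc = f"P1 ALERT - {sig} - {cls} - started from {src} to {dst}"
        entry = f"{now}: {desc}"
        # Rule 1 (context=!ATTACK_P1_FROM_$3): first sighting of this source.
        if src not in self.contexts:
            self.contexts[src] = {"expires": None, "lines": []}
            self.daily_report.append(entry)   # add ALERT_P1_REPORT %t: %s
            self.alerts.append((src, desc))   # pipe '%t: %s' /bin/mail (alert)
        # Rule 2 also runs on that first line because of continue=TakeNext:
        # append the line to the per-IP context and restart its 300 s lifetime.
        ctx = self.contexts[src]
        ctx["lines"].append(entry)
        ctx["expires"] = now + QUIET_SECONDS
        return desc

    def tick(self, now):
        """Expire contexts quiet for 300 s: the 'report ... /bin/mail (report)' action."""
        expired = [ip for ip, c in self.contexts.items() if c["expires"] <= now]
        for ip in expired:
            self.reports.append((ip, self.contexts.pop(ip)["lines"]))
        return expired

    def flush_daily(self):
        """The Calendar rule: report ALERT_P1_REPORT, then delete it."""
        report, self.daily_report = self.daily_report, []
        return report


# Constructed sample lines (time offset in seconds, syslog line); not real traffic.
SAMPLE_LINES = [
    (0, "Apr 25 05:53:08 ids snort: [1:1000001:1] CONSTRUCTED PING PROBE "
        "[Classification: Attempted Information Leak] [Priority: 1]: "
        "{ICMP} 192.0.2.10 -> 198.51.100.5"),
    (100, "Apr 25 05:54:48 ids snort: [1:1000002:1] CONSTRUCTED WEB PROBE "
          "[Classification: Web Application Attack] [Priority: 1]: "
          "{TCP} 192.0.2.10:4123 -> 198.51.100.5:80"),
    (200, "Apr 25 05:56:28 ids snort: [1:1000003:1] CONSTRUCTED PORTSCAN "
          "[Classification: Attempted Information Leak] [Priority: 2]: "
          "{TCP} 192.0.2.10:4124 -> 198.51.100.5:22"),
    (250, "Apr 25 05:57:18 ids snort: [1:1000001:1] CONSTRUCTED PING PROBE "
          "[Classification: Attempted Information Leak] [Priority: 1]: "
          "{ICMP} 203.0.113.7 -> 198.51.100.9"),
]


def run_demo(final_time=450):
    """Feed the sample lines, then advance the clock with no new lines."""
    c = Correlator()
    for now, line in SAMPLE_LINES:
        c.feed(now, line)
    c.tick(final_time)  # 192.0.2.10 has been quiet since t=100 -> reported
    return c


if __name__ == "__main__":
    c = run_demo()
    print("alert mails:", c.alerts)
    print("report mails:", c.reports)
    print("still open:", list(c.contexts))
    print("daily report:", c.flush_daily())
```

Running it shows the two immediate alert mails (one per new source), one attack report for 192.0.2.10 containing both of its priority-1 lines once it has been quiet for 300 s, the priority-2 line ignored, and 203.0.113.7 still open at t=450. Note that the regex's `$1` includes a trailing space on syslog lines (the capture runs up to `[Classification`), which is why the descriptions above are stripped.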

