[Snort-users] RES: sending alerts by email / active response Win2K system [RMC-J7FLJI4]

Bradley, Kenneth TSgt - Fis 33 Kenneth.Bradley at ...8129...
Tue Jan 28 13:09:05 EST 2003


There's a tool called "swatch"
(http://www.oit.ucsb.edu/~eta/swatch/swatch.html) that I use in a Linux
environment. I'm not sure if there's a windows port available, however, this
tools watches files for specific text then forks a system process like mail,
wall, or anything you can dream of. I've seen this work really well in
hybrid (*nix/Windows) environments. If you can't find a good tools like
swatch in the winworld, consider a standalone Linux box. With tools like
Samba and mail, you should not have any problems communicating between these
two worlds.

Ken Bradley

-----Original Message-----
From: Romulo M. Cholewa [mailto:rmc at ...8111...]
Sent: Tuesday, January 28, 2003 2:22 PM
To: Michael Steele; snort-users at lists.sourceforge.net
Subject: [Snort-users] RES: sending alerts by email / active response
Win2K system [RMC-J7FLJI4]


Hi Michael,
 
That's good news. With Syslog Daemon, I can configure it to submit the snort
alert log to the system event log. Then, I can use an app like EventWatchNT,
to send specific alerts to an email address.
 
You can find EventWatchNT here:
 
http://www.webattack.com/get/eventwatch.shtml
 
When I get to the lab I'll test it. Thanks! 
 
Romulo M. Cholewa.
 
 

	-----Mensagem original----- 
	De: Michael Steele [mailto:michaels at ...155...] 
	Enviada: ter 1/28/2003 13:44 
	Para: Romulo M. Cholewa; snort-users at lists.sourceforge.net 
	Cc: 
	Assunto: RE: sending alerts by email / active response Win2K system
[RMC-J7FLJI4]
	
	

	Romulo, 

	You will need something like Syslog Daemon and run the alerts
through that. 
	It has an option of emailing on certain triggers. If you find a free
tool 
	that works, please let us windows folks know. The alerts can be sent
to the 
	Event Viewer, application log in Windows and if you can find
something to 
	parse that file and alert, that would be great. 

	-Michael 
	-- 
	 Michael Steele | System Engineer / Support Technician     
	 mailto:michaels at ...155...    
	 Silicon Defense: IDS solutions - http://www.silicondefense.com 
	 Snort: Open Source Network IDS - http://www.snort.org 


	-----Original Message----- 
	From: snort-users-admin at lists.sourceforge.net 
	[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Romulo
M. 
	Cholewa 
	Sent: Monday, January 27, 2003 8:05 PM 
	To: snort-users at lists.sourceforge.net 
	Subject: [Snort-users] sending alerts by email / active response
Win2K 
	system [RMC-J7FLJI4] 

	Hi All, 

	Sorry about these bunch of newbie questions. I'm in the path of
evaluating 
	snort, and it's being used on Windows 2000 Server. Everything is
running 
	really smooth. I had a BSOD, but I think it's related to the packet
capture 
	driver version. 

	I would like to ask experienced snort users, if there are any ways
of 
	emailing some alerts (maybe a perl script of some sort that would
parse the 
	alert.ids file and send emails if it finds a specific alert). Also
if there 
	are any ways of automating the process of filtering out dynamically
some 
	kinds of attacks. I already know that it will not be easy with
Windows 2000, 
	but maybe snort can be used together with some firewall / filtering
product 
	available. Currently using Zone Alarm Pro. 

	If these things are possible, I would like to thank in advance if
someone 
	could point me to the right direction. 

	Thanks again, 

	Romulo M. Cholewa 
	Home : http://www.rmc.eti.br 
	Forum: http://zeus.rmc.eti.br/forum 
	PGP Keys Available @ website. 

	    "Those who make peaceful revolution impossible will make    
	             violent revolution inevitable." -- JFK.             
	                                                                  
	                                                                  


	------------------------------------------------------- 
	This SF.NET email is sponsored by: 
	SourceForge Enterprise Edition + IBM + LinuxWorld
http://www.vasoftware.com 
	_______________________________________________ 
	Snort-users mailing list 
	Snort-users at lists.sourceforge.net 
	Go to this URL to change user options or unsubscribe: 
	https://lists.sourceforge.net/lists/listinfo/snort-users 
	Snort-users list archive: 
	http://www.geocrawler.com/redir-sf.php3?list 



NHSDM隊X'u丼
xZ+'⒵+
⨱ >.)谣j+�Тg)'䀆iႃ0㚸pjdn
x%R㆞ͺX(옺
~zwかhQ͡Z
ب+䠺{.n+䈉l༭b䠲,
y+�޷b踲?+-w	۬zͺX܆+ކi蛁0r
oy₯aybሲ




More information about the Snort-users mailing list