[Snort-users] RES: sending alerts by email / active response Win2K system [RMC-J7FLJI4]

Bradley, Kenneth TSgt - Fis 33 Kenneth.Bradley at ...8129...
Tue Jan 28 13:09:05 EST 2003

There's a tool called "swatch"
(http://www.oit.ucsb.edu/~eta/swatch/swatch.html) that I use in a Linux
environment. I'm not sure if there's a Windows port available; however, this
tool watches files for specific text and then forks a system process like mail,
wall, or anything you can dream of. I've seen this work really well in
hybrid (*nix/Windows) environments. If you can't find a good tool like
swatch in the winworld, consider a standalone Linux box. With tools like
Samba and mail, you should not have any problems communicating between these
two worlds.

Ken Bradley

-----Original Message-----
From: Romulo M. Cholewa [mailto:rmc at ...8111...]
Sent: Tuesday, January 28, 2003 2:22 PM
To: Michael Steele; snort-users at lists.sourceforge.net
Subject: [Snort-users] RES: sending alerts by email / active response
Win2K system [RMC-J7FLJI4]

Hi Michael,
That's good news. With Syslog Daemon, I can configure it to submit the snort
alert log to the system event log. Then I can use an app like EventWatchNT
to send specific alerts to an email address.
You can find EventWatchNT here:
When I get to the lab I'll test it. Thanks!
Romulo M. Cholewa.

	-----Original Message-----
	From: Michael Steele [mailto:michaels at ...155...]
	Sent: Tue 1/28/2003 13:44
	To: Romulo M. Cholewa; snort-users at lists.sourceforge.net
	Subject: RE: sending alerts by email / active response Win2K system


	You will need something like Syslog Daemon and run the alerts through that.
	It has an option of emailing on certain triggers. If you find a free one
	that works, please let us Windows folks know. The alerts can be sent to the
	Event Viewer application log in Windows, and if you can find something to
	parse that file and alert, that would be great.

	 Michael Steele | System Engineer / Support Technician     
	 mailto:michaels at ...155...    
	 Silicon Defense: IDS solutions - http://www.silicondefense.com 
	 Snort: Open Source Network IDS - http://www.snort.org 

	-----Original Message----- 
	From: snort-users-admin at lists.sourceforge.net 
	[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Romulo
	Sent: Monday, January 27, 2003 8:05 PM 
	To: snort-users at lists.sourceforge.net 
	Subject: [Snort-users] sending alerts by email / active response
	system [RMC-J7FLJI4] 

	Hi All, 

	Sorry about this bunch of newbie questions. I'm in the path of
	snort, and it's being used on Windows 2000 Server. Everything is
	really smooth. I had a BSOD, but I think it's related to the packet
	driver version.

	I would like to ask experienced snort users if there are any ways of
	emailing some alerts (maybe a perl script of some sort that would parse the
	alert.ids file and send emails if it finds a specific alert). Also, if there
	are any ways of automating the process of dynamically filtering out
	kinds of attacks. I already know that it will not be easy with Windows 2000,
	but maybe snort can be used together with some firewall / filtering
	available. Currently using Zone Alarm Pro.

	If these things are possible, I would like to thank you in advance if you
	could point me in the right direction.

	Thanks again, 

	Romulo M. Cholewa 
	Home : http://www.rmc.eti.br 
	Forum: http://zeus.rmc.eti.br/forum 
	PGP Keys Available @ website. 

	    "Those who make peaceful revolution impossible will make    
	             violent revolution inevitable." -- JFK.             

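As an added example (not code from any of the posters above), here is a small script in the spirit of what the thread is after: the swatch pattern of tailing a file, and the "perl script that parses alert.ids and sends emails if it finds a specific alert" that Romulo asks for. It assumes Snort's one-line "alert_fast" output format; the SID watch-list, the priority threshold, the addresses, the SMTP host, the file path and the sample log lines are all assumptions constructed for the example. It also de-duplicates on (SID, source host, destination host), the caveat a practitioner hits first with this approach: one port scan otherwise becomes hundreds of e-mails.

```python
"""Tail a Snort alert file and e-mail on selected alerts.

Added example in the spirit of the swatch / "perl script that parses
alert.ids" ideas in this thread; not code from any poster.  Assumes the
Snort 'alert_fast' one-line format; the SIDs, addresses and SMTP host
below are placeholders.
"""
import re
import smtplib
import time
from email.message import EmailMessage

# One alert per line (assumed format), e.g. (constructed):
# 01/27-20:05:12.123456  [**] [1:1000:1] MSG [**] [Classification: c] [Priority: 2] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Assumed policy: always mail these SIDs, plus anything at priority 1.
WATCH_SIDS = {1000, 1002}
MAX_PRIORITY = 1
SENDER = "snort@example.invalid"            # placeholder
RECIPIENT = "ids-oncall@example.invalid"    # placeholder
SMTP_HOST = "mail.example.invalid"          # placeholder


def parse_alert(line):
    """Return a dict of alert fields, or None for lines that are not alerts."""
    m = ALERT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    a = m.groupdict()
    a["sid"] = int(a["sid"])
    a["prio"] = int(a["prio"]) if a["prio"] else None
    return a


def should_mail(alert, watch_sids=WATCH_SIDS, max_priority=MAX_PRIORITY):
    """Match against the watch-list: explicit SID, or high enough priority."""
    return alert["sid"] in watch_sids or (
        alert["prio"] is not None and alert["prio"] <= max_priority)


def _host(addr):
    """Strip the port from 'ip:port' (ICMP alerts carry no port)."""
    return addr.rsplit(":", 1)[0] if ":" in addr else addr


def build_message(alert, sender=SENDER, recipient=RECIPIENT):
    """Turn one parsed alert into an e-mail; sending is a separate step."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "[Snort] %s (sid %d, prio %s) %s -> %s" % (
        alert["msg"], alert["sid"], alert["prio"],
        _host(alert["src"]), _host(alert["dst"]))
    msg.set_content("\n".join("%s: %s" % kv for kv in alert.items()))
    return msg


def process_lines(lines, seen=None):
    """Parse, filter and de-duplicate; yields the messages that should be sent.

    'seen' suppresses repeats of the same (sid, src host, dst host), so one
    scanning host does not produce one e-mail per port it touches.
    """
    seen = set() if seen is None else seen
    for line in lines:
        alert = parse_alert(line)
        if alert is None or not should_mail(alert):
            continue
        key = (alert["sid"], _host(alert["src"]), _host(alert["dst"]))
        if key in seen:
            continue
        seen.add(key)
        yield build_message(alert)


def follow(path, interval=2.0):
    """Yield lines appended to 'path', like 'tail -f' (what swatch does)."""
    with open(path, "r", errors="replace") as f:
        f.seek(0, 2)  # start at the end: only alerts written from now on
        while True:
            line = f.readline()
            if line:
                yield line
            else:
                time.sleep(interval)


# Constructed sample of what alert.ids might contain (not real traffic).
SAMPLE_LOG = """\
01/27-20:05:12.123456  [**] [1:1000:1] CONSTRUCTED watched alert [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40123 -> 192.0.2.20:80
01/27-20:05:13.000001  [**] [1:2001:3] CONSTRUCTED noisy rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.11:53 -> 192.0.2.20:53
01/27-20:05:14.500000  [**] [1:3000:1] CONSTRUCTED high priority [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.12:4444 -> 192.0.2.20:445
01/27-20:05:15.000000  [**] [1:1000:1] CONSTRUCTED watched alert [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40124 -> 192.0.2.20:80
this line is not an alert and is skipped
"""

if __name__ == "__main__":
    for msg in process_lines(SAMPLE_LOG.splitlines()):
        print(msg["Subject"])
    # Live use (path is a placeholder): tail the real file and send each hit.
    # for msg in process_lines(follow(r"C:\Snort\log\alert.ids")):
    #     with smtplib.SMTP(SMTP_HOST) as s:
    #         s.send_message(msg)
```

Run as-is it only prints the two subjects it would have mailed from the constructed sample (the second SID 1000 hit from the same source host is suppressed, and the priority-3 rule is ignored); the commented-out loop is the live form. Snort's "full" alert output is multi-line and would need a different parser, so check which output plugin alert.ids is written by before pointing this at it.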


More information about the Snort-users mailing list