[Snort-users] RES: sending alerts by email / active response Win2K system [RMC-J7FLJI4]
Bradley, Kenneth TSgt - Fis 33
Kenneth.Bradley at ...8129...
Tue Jan 28 13:09:05 EST 2003
There's a tool called "swatch"
(http://www.oit.ucsb.edu/~eta/swatch/swatch.html) that I use in a Linux
environment. I'm not sure if there's a windows port available, however, this
tools watches files for specific text then forks a system process like mail,
wall, or anything you can dream of. I've seen this work really well in
hybrid (*nix/Windows) environments. If you can't find a good tools like
swatch in the winworld, consider a standalone Linux box. With tools like
Samba and mail, you should not have any problems communicating between these
From: Romulo M. Cholewa [mailto:rmc at ...8111...]
Sent: Tuesday, January 28, 2003 2:22 PM
To: Michael Steele; snort-users at lists.sourceforge.net
Subject: [Snort-users] RES: sending alerts by email / active response
Win2K system [RMC-J7FLJI4]
That's good news. With Syslog Daemon, I can configure it to submit the snort
alert log to the system event log. Then, I can use an app like EventWatchNT,
to send specific alerts to an email address.
You can find EventWatchNT here:
When I get to the lab I'll test it. Thanks!
Romulo M. Cholewa.
De: Michael Steele [mailto:michaels at ...155...]
Enviada: ter 1/28/2003 13:44
Para: Romulo M. Cholewa; snort-users at lists.sourceforge.net
Assunto: RE: sending alerts by email / active response Win2K system
You will need something like Syslog Daemon and run the alerts
It has an option of emailing on certain triggers. If you find a free
that works, please let us windows folks know. The alerts can be sent
Event Viewer, application log in Windows and if you can find
parse that file and alert, that would be great.
Michael Steele | System Engineer / Support Technician
mailto:michaels at ...155...
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Romulo
Sent: Monday, January 27, 2003 8:05 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] sending alerts by email / active response
Sorry about these bunch of newbie questions. I'm in the path of
snort, and it's being used on Windows 2000 Server. Everything is
really smooth. I had a BSOD, but I think it's related to the packet
I would like to ask experienced snort users, if there are any ways
emailing some alerts (maybe a perl script of some sort that would
alert.ids file and send emails if it finds a specific alert). Also
are any ways of automating the process of filtering out dynamically
kinds of attacks. I already know that it will not be easy with
but maybe snort can be used together with some firewall / filtering
available. Currently using Zone Alarm Pro.
If these things are possible, I would like to thank in advance if
could point me to the right direction.
Romulo M. Cholewa
Home : http://www.rmc.eti.br
PGP Keys Available @ website.
"Those who make peaceful revolution impossible will make
violent revolution inevitable." -- JFK.
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
More information about the Snort-users