[Snort-users] sending alerts by email / active response Win2K system [RMC-J7FLJI4]

L. Christopher Luther CLuther at ...6333...
Tue Jan 28 15:28:03 EST 2003


(FYI: I'm now using EventSentry Light).  I've included below the text of an
e-mail I received from a Snort Alert, which EventSentry sent to me via
e-mail: 

EVENT #       136437
EVENTLOG      Application
EVENT TYPE    INFORMATION
SOURCE        snort
EVENT ID      1
COMPUTERNAME  SNORT-NT4
TIME          01/28/2003 5:58:59 PM
MESSAGE       [1:1002:5] WEB-IIS cmd.exe access [Classification: Web
Application Attack] [Priority: 1]: {TCP} 63.117.225.193:1056 ->
10.0.1.214:80

EVENT #       136438
EVENTLOG      Application
EVENT TYPE    INFORMATION
SOURCE        snort
EVENT ID      1 
COMPUTERNAME  SNORT-NT4
TIME          01/28/2003 5:58:59 PM
MESSAGE       [1:1201:6] ATTACK RESPONSES 403 Forbidden [Classification:
Attempted Information Leak] [Priority: 2]: {TCP} 10.0.1.214:80 ->
63.117.225.193:1056

I basically filter on Application Log, Information events, 'snort' as the
source, and '[Priority: 1]' as the message text.  


Cheers!
  Christopher
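As an added example (not code from this thread, from EventSentry, or from Snort): a small Python filter that implements the selection Christopher describes, parsing the MESSAGE text of the two entries quoted above and keeping only Application-log events from source 'snort' whose Snort priority is 1. The event dictionaries mirror the quoted entries; the field names are assumed from that export format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Snort alert text as it appears in the MESSAGE field of the event log entries:
#   [gid:sid:rev] msg [Classification: cls] [Priority: N]: {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<cls>.+?)\]\s+\[Priority:\s*(?P<prio>\d+)\]:\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

@dataclass
class SnortAlert:
    gid: int; sid: int; rev: int
    msg: str; classification: str; priority: int
    proto: str; src: str; sport: int; dst: str; dport: int

def parse_alert(message: str) -> Optional[SnortAlert]:
    """Parse one MESSAGE field; returns None if it is not a Snort alert line."""
    text = " ".join(message.split())  # e-mail/export wrapping splits the line
    m = ALERT_RE.search(text)
    if not m:
        return None
    return SnortAlert(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"],
                      m["cls"], int(m["prio"]), m["proto"], m["src"],
                      int(m["sport"]), m["dst"], int(m["dport"]))

def select_for_email(events, max_priority: int = 1):
    """Keep Application-log events from source 'snort' whose alert priority is
    max_priority or more severe (Snort priority 1 is the most severe)."""
    chosen = []
    for ev in events:
        if ev.get("EVENTLOG") != "Application" or ev.get("SOURCE") != "snort":
            continue
        alert = parse_alert(ev.get("MESSAGE", ""))
        if alert is not None and alert.priority <= max_priority:
            chosen.append(alert)
    return chosen

# Constructed sample: the two event log entries quoted in the message above.
SAMPLE_EVENTS = [
    {"EVENTLOG": "Application", "SOURCE": "snort", "COMPUTERNAME": "SNORT-NT4",
     "MESSAGE": "[1:1002:5] WEB-IIS cmd.exe access [Classification: Web\n"
                "Application Attack] [Priority: 1]: {TCP} 63.117.225.193:1056 ->\n"
                "10.0.1.214:80"},
    {"EVENTLOG": "Application", "SOURCE": "snort", "COMPUTERNAME": "SNORT-NT4",
     "MESSAGE": "[1:1201:6] ATTACK RESPONSES 403 Forbidden [Classification:\n"
                "Attempted Information Leak] [Priority: 2]: {TCP} 10.0.1.214:80 ->\n"
                "63.117.225.193:1056"},
]

if __name__ == "__main__":
    for a in select_for_email(SAMPLE_EVENTS):
        print(f"priority {a.priority}: sid {a.sid} {a.msg} {a.src}:{a.sport} -> {a.dst}:{a.dport}")
```

Only the first entry (Priority: 1) passes the default threshold; raising max_priority to 2 also admits the 403 Forbidden response.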

-----Original Message-----
From: Michael Steele [mailto:michaels at ...155...]
Sent: Tuesday, January 28, 2003 4:52 PM
To: 'L. Christopher Luther'; 'Romulo M. Cholewa'
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] sending alerts by email / active response Win2K
system [RMC-J7FLJI4]


Christopher, Anyone, etc.

I'm trying the program now, but I'm still unable to get it to alert on
anything. What I am trying to do is alert on "Priority: 1" alerts only.
Maybe it's not possible to parse the actual alert and grab content and alert
on that content? Any hints as to how to accomplish this?

   -Michael

--
 Michael Steele | System Engineer / Support Technician
mailto:michaels at ...155...
 Silicon Defense: IDS solutions - http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of L. Christopher
Luther
Sent: Tuesday, January 28, 2003 11:16 AM
To: 'Michael Steele'; 'Romulo M. Cholewa'
Cc: 'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] sending alerts by email / active response Win2K
system [RMC-J7FLJI4]

Ask and ye shall receive: 

    EventSentry Light - http://www.netikus.net/products_downloads.html

I've not compared the functionality of EventSentry Light to the original
EventWatchNT, but I really liked EventWatchNT.  For a freeware Event Log
monitor, it just could not be beat (IMHO). 

I personally like the freeware version Kiwi Syslog Daemon, but
unfortunately, the filter/trigger e-mail functionality is only available in
the registered product.  (sigh...)

Cheers!

  Christopher


-----Original Message-----
From: "Michael Steele" <michaels at ...155...>
To: "'Romulo M. Cholewa'" <rmc at ...8111...>,
        <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] sending alerts by email / active response Win2K
system [RMC-J7FLJI4]
Date: Tue, 28 Jan 2003 07:44:52 -0800

Romulo,

You will need something like Syslog Daemon and run the alerts through that.
It has an option of emailing on certain triggers. If you find a free tool
that works, please let us windows folks know. The alerts can be sent to the
Event Viewer, application log in Windows and if you can find something to
parse that file and alert, that would be great.

-Michael
 Michael Steele | System Engineer / Support Technician
 mailto:michaels at ...155...
 Silicon Defense: IDS solutions - http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org