FW: [Snort-users] sending alerts by email

Mark Scott mscott at ...655...
Wed Jan 29 19:37:05 EST 2003


Hi everyone,

We have been working on an app called PD Monitor Client that monitors
the Windows Event Log in real time for Snort alerts. Each alert is
displayed in the Client window so that it can be viewed live on your
desktop. The Client also can be toggled 'On' or 'Off' to allow it to
automatically forward all Snort Alerts to an email address. We have been
testing it for the last 3 weeks or so and it appears to be stable in the
W2K environment, still testing it on XP. If you would like a copy to
try, go to http://perimeterdefenses.net. The PD Monitor Client is being
released as freeware. 

This monitor works in conjunction with Snort 1.8 or above; right now,
however, it runs on Windows 2000 only. It assumes you will be
running snort in a configuration that logs to the Windows Event Log.
There are at least two ways to configure snort to log alerts to the
event log:

1) Use the -E option at the command line when launching snort.
Example: c:\snort\snort.exe -c c:\snort\snort.conf -E

2) Un-comment the line in your snort.conf file that says
# output alert_syslog: LOG_AUTH LOG_ALERT
Doing so will cause Snort to log to the Event Log.

Once again, when the client is installed, you can visually monitor your
snort alerts using the console. Simply click "Start Monitoring". If you
want to send alerts to an email address, go to the "Tools/Options" menu
and fill in the information required. Then, again, click the "Start
Monitoring" button.

ISSUES
------

1. XP - PD Client will run on XP, but it currently will only let you
view the alerts via the console until the bugs are worked out of the
email client.
2. Performance - generally the client runs in real time. However, during
periods of EXTREMELY high activity, such as a ping flood or other DoS
attacks when Snort is logging tons of alerts, the console may seem
unresponsive, since it's sending so much mail. During regular activity,
however, the client responds well. Just keep that in mind when your
alerts are spinning down the console screen.

Some people may be selective about what they get in the way of alerts
(alerts based on priority, classification, sid, etc.). If you find
yourself wishing you could have a way to filter the alerts you receive,
please let us know so we can begin adding stuff into our next release.

And of course, any bugs you find would be nice to know, too. Send any
bug report to support at ...8159...

Thanks,

Mark
Mark.Scott at ...655... 

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Romulo M.
Cholewa
Sent: Monday, January 27, 2003 10:05 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] sending alerts by email / active response Win2K
system [RMC-J7FLJI4]


Hi All,

Sorry about this bunch of newbie questions. I'm in the process of
evaluating snort, and it's being used on Windows 2000 Server. Everything
is running really smoothly. I had a BSOD, but I think it's related to the
packet capture driver version.

I would like to ask experienced snort users, if there are any ways of
emailing some alerts (maybe a perl script of some sort that would parse
the alert.ids file and send emails if it finds a specific alert). Also
if there are any ways of automating the process of filtering out
dynamically some kinds of attacks. I already know that it will not be
easy with Windows 2000, but maybe snort can be used together with some
firewall / filtering product available. Currently using Zone Alarm Pro.

If these things are possible, I would like to thank in advance anyone
who could point me in the right direction.

Thanks again,

Romulo M. Cholewa
Home : http://www.rmc.eti.br
Forum: http://zeus.rmc.eti.br/forum
PGP Keys Available @ website.

    "Those who make peaceful revolution impossible will make
     violent revolution inevitable." -- JFK.
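Romulo asks above for a script that parses the alert file and mails only specific alerts, and Mark's notes mention filtering by sid/priority and the mail storm a ping flood causes. The following is an added example, not code from either poster or from PD Monitor Client: it parses Snort's one-line alert_fast output (assumed to be the format in use; the sample lines are constructed), keeps alerts by sid and priority, and suppresses repeats of the same sid/src/dst inside a time window so a flood produces one mail instead of thousands. Handing the result to smtplib is left to the caller.

```python
import re
from datetime import datetime

# Constructed sample in alert_fast format (not taken from the thread):
# MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src -> dst
SAMPLE = """\
01/27-22:05:13.123456  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.1
01/27-22:05:14.000001  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.1
01/27-22:05:20.500000  [**] [1:1000001:1] LOCAL TEST [**] [Priority: 3] {TCP} 10.0.0.5:1234 -> 10.0.0.1:80
01/27-22:07:00.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.1
this line is not an alert and must be ignored
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"     # classification is optional
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["gid"], a["sid"], a["prio"] = int(a["gid"]), int(a["sid"]), int(a["prio"])
    return a

def select_alerts(lines, watch_sids=None, max_priority=2, window=60):
    """Keep alerts whose sid is in watch_sids (any sid when None) and whose
    priority is <= max_priority (in Snort, 1 is the most severe). A repeat of
    the same sid/src/dst within `window` seconds is dropped (flood damping)."""
    chosen, last_seen = [], {}
    for line in lines:
        a = parse_alert(line)
        if a is None or a["prio"] > max_priority:
            continue
        if watch_sids is not None and a["sid"] not in watch_sids:
            continue
        t = datetime.strptime(a["ts"][:14], "%m/%d-%H:%M:%S")  # drop microseconds
        key = (a["sid"], a["src"], a["dst"])
        prev = last_seen.get(key)
        if prev is not None and (t - prev).total_seconds() < window:
            continue
        last_seen[key] = t
        chosen.append(a)
    return chosen

def format_mail(a):
    """One-line mail text for an alert; sending it is the caller's job."""
    return "Snort [%d:%d] %s prio=%d %s %s -> %s" % (
        a["gid"], a["sid"], a["msg"], a["prio"], a["proto"], a["src"], a["dst"])
```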

