[Snort-users] Setting up notifications in Snort

Harper, Patrick patrick.harper at ...11593...
Thu Apr 8 13:38:01 EDT 2004


Four of us here in Dallas want to work on a Perl script that can be run as
a cron job and mail a summary of events from a specified time period,
but there is no time frame on that.  You can use Swatch for e-mail
alerts.  I tried it some time ago but have slept since then and do not
remember much about it.
 
For your second question, that is dependent on your environment, the
location of your sensors, and what you want to see.  Do you want to see
only alerts for software that you are running (i.e. Apache only, because
you have no IIS; then turn off all the IIS rules, and do that for the
entire rule set)?  Do you have a sensor on the outside of your firewall
and want to see all malicious traffic (then turn all of them on)?  I
personally prefer a trim rule set that matches what I have on my network.

Patrick S. Harper | CISSP RHCT MCSE
Information Security Engineer
patrick.harper at ...11593... 
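The kind of cron-driven summary script discussed above, as an added example that is not part of the original thread or of Snort itself. It assumes the sensors write Snort 2.x "alert_fast" output (one line per alert, no year in the timestamp, hence the year argument), IPv4 only, and a local MTA for delivery; the sample alert lines, addresses (RFC 5737 ranges) and the mail addresses are constructed for illustration, and the per-category count relies on the old convention that a rule message starts with its rules-file category (WEB-IIS, ICMP, ...), which is exactly the information needed to decide which rule files to drop from snort.conf.

```python
#!/usr/bin/env python3
"""Added example: summarise Snort 2.x alert_fast output for a time window and
build the e-mail a cron job would send.  Not code from the original thread.
Assumptions: alert_fast format (no year in the timestamp), IPv4 sensors only;
the sample lines below are constructed."""
import re
import sys
from collections import Counter
from datetime import datetime, timedelta
from email.message import EmailMessage

# One alert_fast line:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
# Classification is optional (rules without a classtype omit it) and ICMP lines carry no ports.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log: hypothetical addresses, SIDs only illustrative.  The last line is
# deliberately not an alert so the "unparsed" counter has something to report.
SAMPLE_ALERTS = """\
04/08-11:58:02.112233  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3342 -> 198.51.100.5:80
04/08-12:01:15.000001  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3350 -> 198.51.100.5:80
04/08-12:05:40.500000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.77 -> 198.51.100.5
04/08-12:30:09.250000  [**] [1:1852:3] WEB-MISC robots.txt access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 203.0.113.4:51000 -> 198.51.100.5:80
04/08-12:40:00.000000  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3360 -> 198.51.100.5:80
04/08-13:15:00.000000  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.0.2.10:3400 -> 198.51.100.5:80
this line is not an alert and must be counted as unparsed
"""


def parse_fast_line(line, year):
    """Return a dict for one alert_fast line, or None if it does not match.
    alert_fast timestamps carry no year, so the caller supplies it."""
    m = FAST_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year}/{ev['ts']}", "%Y/%m/%d-%H:%M:%S")
    for key in ("gid", "sid", "rev", "prio"):
        ev[key] = int(ev[key])
    return ev


def summarize(lines, start, end, year):
    """Count alerts with start <= timestamp < end.  Lines that do not parse are
    counted rather than silently dropped, so a format change shows in the report."""
    s = {"start": start, "end": end, "total": 0, "unparsed": 0, "by_sig": Counter(),
         "by_src": Counter(), "by_prio": Counter(), "by_category": Counter()}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_fast_line(line, year)
        if ev is None:
            s["unparsed"] += 1
            continue
        if not (start <= ev["ts"] < end):
            continue
        s["total"] += 1
        s["by_sig"][(ev["gid"], ev["sid"], ev["msg"])] += 1
        s["by_src"][ev["src"]] += 1
        s["by_prio"][ev["prio"]] += 1
        # Assumption: the rule message starts with its rules-file category (WEB-IIS, ICMP, ...).
        # A busy category for software you do not run is a candidate for removal from snort.conf.
        s["by_category"][ev["msg"].split()[0]] += 1
    return s


def format_report(s, top=10):
    """Render the summary as the plain-text body of the mail."""
    out = [f"Snort alerts {s['start']:%Y-%m-%d %H:%M} to {s['end']:%Y-%m-%d %H:%M}",
           f"total alerts: {s['total']}   unparsed lines: {s['unparsed']}", "", "By priority:"]
    out += [f"  priority {p}: {n}" for p, n in sorted(s["by_prio"].items())]
    out.append("Top signatures:")
    out += [f"  {n:5d}  [{g}:{sid}] {msg}" for (g, sid, msg), n in s["by_sig"].most_common(top)]
    out.append("Top sources:")
    out += [f"  {n:5d}  {src}" for src, n in s["by_src"].most_common(top)]
    out.append("By rule category:")
    out += [f"  {n:5d}  {cat}" for cat, n in s["by_category"].most_common(top)]
    return "\n".join(out)


def build_mail(s, sender, recipient):
    """Build (not send) the summary mail; deliver with smtplib.SMTP('localhost').send_message(msg)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"[snort] {s['total']} alerts, summary for hour ending {s['end']:%Y-%m-%d %H:%M}"
    msg.set_content(format_report(s))
    return msg


# Fixed window for the constructed sample: the hour ending 2004-04-08 13:00.
DEMO_END = datetime(2004, 4, 8, 13, 0)
DEMO_START = DEMO_END - timedelta(hours=1)


def demo_summary():
    return summarize(SAMPLE_ALERTS.splitlines(), DEMO_START, DEMO_END, 2004)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # cron, e.g. hourly:  summary.py /var/log/snort/alert
        end = datetime.now().replace(minute=0, second=0, microsecond=0)
        with open(sys.argv[1]) as fh:  # end.year is wrong for alerts from Dec 31 when run on Jan 1
            summary = summarize(fh, end - timedelta(hours=1), end, end.year)
    else:
        summary = demo_summary()
    print(build_mail(summary, "snort@sensor.example", "secops@example.com"))
```

Run with no arguments to see the report built from the constructed sample; in cron, pass the alert file and rotate it (or track an offset) so a long-running sensor does not get re-read in full every hour. The "unparsed" count is the check worth keeping: if it climbs after a Snort upgrade, the output format changed and the summary is no longer complete.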
 

  _____  

From: Paul Martin [mailto:pmartin at ...11611...] 
Sent: Thursday, April 08, 2004 12:02 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Setting up notifications in Snort


I have recently implemented Snort v2.1.2 on 2 boxes, reporting to one
central MySQL database, using ACID for logfile analysis.  We'd like to
take a more proactive stance towards intrusion detection and have a way
to have Snort (or a plugin) notify us via SNMP/email/SMS/etc. whenever a
certain condition is met.  I've looked at SnortSNMP, but it doesn't seem
to have anything beyond 2.1.0 as far as functionality.  I'd hate to drop
back software versions for the sake of SNMP, but will if I have to.  My
question is twofold:
 
1) What plugins are out there that will allow Snort to notify me when a
   certain condition is met?  Don't care how (SNMP/email/whatever), just
   need a method of notification.
2) Does anyone have a recommended setup for Snort?  I know that it's
   going to be unique to every situation, but there have to be some
   accepted practices in terms of setup.  As it stands, everything that
   comes across the wire seems to be getting logged, which is good, but I
   need to trim it down.  Thoughts, anyone?
 
Thanks for any assistance.
 
Paul Martin
Network Technician






