[Snort-users] Setting up notifications in Snort

Alan ids at ...8382...
Fri Apr 9 01:09:02 EDT 2004

I would recommend SEC (Simple Event Correlator)
http://kodu.neti.ee/~risto/sec/ for alerting. It is more powerful (but
harder to use) than Swatch. The way I have my Snort box set up is to alert
me by email when certain priority alerts come up so I can respond to them
ASAP. Please be warned you will need to know Perl regular expressions to use
SEC effectively.


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Harper, Patrick
Sent: Thursday, April 08, 2004 1:37 PM
To: pmartin at ...11611...; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Setting up notifications in Snort

4 of us here in Dallas want to work on a Perl script that can be run as a
cron job and mail a summary of events from a specified time period, but
there is no time frame on that. You can use Swatch for e-mail alerts. I
tried it some time ago but have slept since then and do not remember much
about it.

For your second question, that is dependent on your environment, the location
of your sensors, and what you want to see. Do you want to see only alerts
for software that you are running (e.g. Apache only, because you have no IIS;
then turn off all the IIS rules, and do that for the entire rule set)? Do you
have a sensor on the outside of your firewall and want to see all malicious
traffic? Then turn all of them on. I personally prefer a trim rule set that
matches what I have on my network.

Patrick S. Harper | CISSP RHCT MCSE
Information Security Engineer
patrick.harper at ...11593...
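
Added example, not code from Alan, Patrick or the Snort project: a small Python script that does the two things discussed above, paging on alerts at or above a chosen priority (with a suppression window so one scan does not send hundreds of mails, roughly what SEC's SingleWithSuppress rule gives you) and building the per-period summary a cron job could mail. It reads Snort 2.x "alert_fast" one-line-per-alert output; the sample lines, SIDs (local range, 1000000+) and rule messages are constructed for the example. Actually sending the mail (sendmail, smtplib, an SNMP trap) is left to the caller.

```python
"""Priority-based Snort alert notification and periodic summary (added example)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data in Snort 2.x alert_fast format. SIDs are in the local
# range and the messages are invented; these are not real ruleset entries.
SAMPLE_ALERTS = """\
04/08-12:02:11.123456  [**] [1:1000001:1] LOCAL WEB cmd.exe request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3456 -> 192.168.1.10:80
04/08-12:02:12.000000  [**] [1:1000001:1] LOCAL WEB cmd.exe request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3457 -> 192.168.1.10:80
04/08-12:03:40.000001  [**] [1:1000002:1] LOCAL ICMP ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 192.168.1.10
04/08-12:45:00.500000  [**] [1:1000003:2] LOCAL POLICY outbound IRC [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.168.1.20:51000 -> 203.0.113.7:6667
04/08-13:10:05.000000  [**] [1:1000001:1] LOCAL WEB cmd.exe request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3470 -> 192.168.1.10:80
this line is not an alert and must be skipped
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"   # absent for rules without a classtype
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_alert(line, year=2004):
    """Return a dict for one alert_fast line, or None for anything else.

    alert_fast timestamps carry no year, so the caller supplies it.
    Addresses are IPv4 (Snort 2.1 era); the port, when present, is dropped."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d-%H:%M:%S.%f").replace(year=year)
    return {
        "ts": ts,
        "sid": int(m.group("sid")),
        "rev": int(m.group("rev")),
        "msg": m.group("msg"),
        "classification": m.group("cls"),
        "priority": int(m.group("prio")),   # 1 is the most severe in Snort
        "proto": m.group("proto"),
        "src": m.group("src").rsplit(":", 1)[0],
        "dst": m.group("dst").rsplit(":", 1)[0],
    }


def parse_alerts(text, year=2004):
    """Parse every alert line in text, silently skipping non-alert lines."""
    return [a for a in (parse_alert(l, year) for l in text.splitlines()) if a]


def urgent_alerts(alerts, max_priority=1, suppress=timedelta(minutes=30)):
    """Alerts worth an immediate page: priority <= max_priority, with repeats of
    the same (sid, source) suppressed for `suppress` after the one that was sent."""
    last_sent = {}
    out = []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        if a["priority"] > max_priority:
            continue
        key = (a["sid"], a["src"])
        seen = last_sent.get(key)
        if seen is not None and a["ts"] - seen < suppress:
            continue
        last_sent[key] = a["ts"]
        out.append(a)
    return out


def format_notification(a):
    """One-line message body for a page or e-mail."""
    return "Snort priority %d: %s (sid %d) %s %s -> %s at %s" % (
        a["priority"], a["msg"], a["sid"], a["proto"], a["src"], a["dst"],
        a["ts"].isoformat(sep=" "))


def summarize(alerts, start, end):
    """Counts for alerts with start <= ts < end, for a periodic mailed report."""
    window = [a for a in alerts if start <= a["ts"] < end]
    return {
        "period": (start, end),
        "total": len(window),
        "by_priority": dict(Counter(a["priority"] for a in window)),
        "by_signature": Counter((a["sid"], a["msg"]) for a in window).most_common(),
        "top_sources": Counter(a["src"] for a in window).most_common(5),
    }


def render_summary(s):
    """Plain-text rendering of summarize()'s result."""
    start, end = s["period"]
    lines = ["Snort summary %s .. %s: %d alerts" % (start, end, s["total"])]
    for prio in sorted(s["by_priority"]):
        lines.append("  priority %d: %d" % (prio, s["by_priority"][prio]))
    for (sid, msg), n in s["by_signature"]:
        lines.append("  %5d  [sid %d] %s" % (n, sid, msg))
    for src, n in s["top_sources"]:
        lines.append("  %5d  from %s" % (n, src))
    return "\n".join(lines)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for a in urgent_alerts(alerts):
        print(format_notification(a))      # hand these to sendmail/smtplib
    end = datetime(2004, 4, 8, 13, 0)
    print(render_summary(summarize(alerts, end - timedelta(hours=1), end)))
```

Run against the real alert file instead of SAMPLE_ALERTS, the first loop is what you would call from a tail-style loop or a one-minute cron entry, and the summary call is the hourly or daily report. Note the suppression key is (sid, source) rather than sid alone, so the same signature from a second attacker still pages you.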


From: Paul Martin [mailto:pmartin at ...11611...]
Sent: Thursday, April 08, 2004 12:02 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Setting up notifications in Snort
I have recently implemented Snort v2.1.2 on 2 boxes, reporting to one
central MySQL database, using ACID for logfile analysis. We'd like to take a
more proactive stance towards intrusion detection and have a way to have
Snort (or a plugin) notify us via SNMP/email/SMS/etc whenever a certain
condition is met. I've looked at SnortSNMP, but it doesn't seem to have
anything beyond 2.1.0 as far as functionality. I'd hate to drop back
software versions for the sake of SNMP, but will if I have to. My question
is twofold:

1) What plugins are out there that will allow Snort to notify me when
a certain condition is met? Don't care how (SNMP/email/whatever), just need
a method of notification.
2) Does anyone have a recommended setup for Snort? I know that it's
going to be unique to every situation, but there have to be some accepted
practices in terms of setup. As it stands, everything that comes across the
wire seems to be getting logged, which is good, but I need to trim it down.
Thoughts, anyone?

Thanks for any assistance.

Paul Martin
Network Technician

This electronic message, including any attachments, is confidential and
intended solely for use of the intended recipient(s). This message may
contain information that is privileged or otherwise protected from
disclosure by applicable law. Any unauthorized disclosure, dissemination,
use or reproduction is strictly prohibited. If you have received this
message in error, please delete it and notify the sender immediately.
