[Snort-users] Alerting in near-real-time

David.Ryan at ...13912... David.Ryan at ...13912...
Thu May 10 10:24:13 EDT 2007


Thanks to all on the list for their help to date.

I am still trying to get my head around something which I still can't 
understand in the overall snort model and I'm hoping someone can set me 
straight on what I'm missing (or what I'm assuming incorrectly).  I may 
have asked this to the list before, but I can't find it.  Apologies if I'm 
asking the same question again.

What I have got so far . . .  snort sniffs packets, matches those packets 
against rules and can log the results via a variety of output plugins to 
various repositories.  It can log directly to a variety of databases, but 
from an optimisation point of view it is better to use unified output, 
pass that to something like barnyard and have *it* log to the database. 
Net result is that events are logged in the database.  This appears to be 
the end of snorts involvement in the process from what I can see.

With the data now in the database something else needs to process it 
further if any value is to come out of the data.  There are various apps 
such as BASE, snortnotify, snortsnarf, etc . . . which will either 
summarise the data and mail it out or else present it via a webpage for 
analysis.  The problem I'm thinking of is that this is fine for trending 
or where there is someone looking at the data to review recent traffic, 
but I don't see how this can provide any sort of near-real-time alerting.

Say for example I am happy to look through reports every morning at 0900 
to see what happened yesterday, but I *really* *really* want to get an 
SNMP or SMTP alert when rule # 3423 is triggered or the string "bad stuff" 
is spotted.  What do people use for this type of scenario ?  I understand 
that it would probably involve running a query against the database every 
X minutes and acting on the results of the query, but I can't understand 
how there aren't a set of apps out there (or at least ones I can find) 
that do this type of thing as I would have thought it was a common 
requirement.

David
=================================
David Ryan
IT Security Engineer, Global IT Security
Quintiles, Global IT - Infrastructure, QDUB

david.ryan at ...14057...
v:  +353-1-819-5186, GMT+0
m: +353-87-124-9108
=================================

**********************  IMPORTANT--PLEASE READ  ************************
This electronic message, including its attachments, is COMPANY CONFIDENTIAL
and may contain PROPRIETARY or LEGALLY PRIVILEGED information.  If you are 
not the intended recipient, you are hereby notified that any use, disclosure,
copying, or distribution of this message or any of the information included
in it is unauthorized and strictly prohibited.  If you have received this
message in error, please immediately notify the sender by reply e-mail and
permanently delete this message and its attachments, along with any copies
thereof. If this electronic message contains a zipped attachment and you do
not have a decompression tool, you may download unZIP (free of cost) from:
http://www.mk-net-work.com/us/uz/unzip.htm. Alternatively, you may request
that the attachment be resent in an uncompressed format.        Thank you. 
************************************************************************

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20070510/66d64c8d/attachment.html>


More information about the Snort-users mailing list