[Snort-users] Alerting in near-real-time

Paul Halliday paul.halliday at ...11827...
Thu May 10 10:48:49 EDT 2007


On 5/10/07, David.Ryan at ...14057... <David.Ryan at ...14057...> wrote:
> Thanks to all on the list for their help to date.
> I am still trying to get my head around something which I still can't
> understand in the overall snort model and I'm hoping someone can set me
> straight on what I'm missing (or what I'm assuming incorrectly).  I may have
> asked this to the list before, but I can't find it.  Apologies if I'm asking
> the same question again.
> What I have got so far . . .  Snort sniffs packets, matches those packets
> against rules and can log the results via a variety of output plugins to
> various repositories.  It can log directly to a variety of databases, but
> from an optimisation point of view it is better to use unified output, pass
> that to something like barnyard and have *it* log to the database.  Net
> result is that events are logged in the database.  This appears to be the
> end of Snort's involvement in the process from what I can see.
> With the data now in the database something else needs to process it further
> if any value is to come out of the data.  There are various apps such as
> BASE, snortnotify, snortsnarf, etc. . . . which will either summarise the
> data and mail it out or else present it via a webpage for analysis.  The
> problem I'm thinking of is that this is fine for trending or where there is
> someone looking at the data to review recent traffic, but I don't see how
> this can provide any sort of near-real-time alerting.
> Say for example I am happy to look through reports every morning at 0900 to
> see what happened yesterday, but I *really* *really* want to get an SNMP or
> SMTP alert when rule # 3423 is triggered or the string "bad stuff" is
> spotted.  What do people use for this type of scenario ?  I understand that
> it would probably involve running a query against the database every X
> minutes and acting on the results of the query, but I can't understand how
> there aren't a set of apps out there (or at least ones I can find) that do
> this type of thing as I would have thought it was a common requirement.
> David
> =================================
>  David Ryan
>  IT Security Engineer, Global IT Security
>  Quintiles, Global IT - Infrastructure, QDUB
>  david.ryan at ...14057...
>  v:  +353-1-819-5186, GMT+0
>  m: +353-87-124-9108
>  =================================

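The polling approach described in the quoted question (query the database every X minutes and act on the result), as an added example that is not code from either poster or from the Snort project. The three tables are an assumed, cut-down subset of the Snort database output schema with the payload stored as hex text, and `notify` is a hypothetical callback standing in for the SMTP or SNMP sender.

```python
import sqlite3

WATCH_SID = 3423           # rule number named in the question
WATCH_STR = b"bad stuff"   # payload string named in the question

# Assumed subset of the Snort database schema; payload stored as hex text.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_sid INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE data (sid INTEGER, cid INTEGER, data_payload TEXT);
"""
NEW_EVENTS = """
SELECT e.cid, e.timestamp, s.sig_sid, s.sig_name, d.data_payload
FROM event e JOIN signature s ON s.sig_id = e.signature
LEFT JOIN data d ON d.sid = e.sid AND d.cid = e.cid
WHERE e.sid = ? AND e.cid > ? ORDER BY e.cid
"""

def poll(conn, marks, notify):
    """One polling pass. marks maps sensor id -> last event id already handled."""
    sent = []
    sensors = [r[0] for r in conn.execute("SELECT DISTINCT sid FROM event")]
    for sensor in sensors:
        rows = conn.execute(NEW_EVENTS, (sensor, marks.get(sensor, 0))).fetchall()
        for cid, ts, sig_sid, name, hexdata in rows:
            payload = bytes.fromhex(hexdata or "")   # decode before matching
            if sig_sid == WATCH_SID or WATCH_STR in payload:
                msg = f"{ts} sensor={sensor} event={cid} rule={sig_sid} {name}"
                notify(msg)        # hand-off point for SMTP or an SNMP trap
                sent.append(msg)
            marks[sensor] = cid    # advance past every row seen, matched or not
    return sent

def demo():
    """Constructed sample data: three polling passes over an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?,?,?)",
                     [(1, "constructed watched rule", 3423),
                      (2, "constructed other rule", 1000001)])
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)",
                     [(1, 1, 2, "2007-05-10 09:00:01"), (1, 2, 1, "2007-05-10 09:00:05")])
    conn.execute("INSERT INTO data VALUES (1, 1, ?)", (b"GET /index".hex(),))
    marks, out = {}, []
    first = poll(conn, marks, out.append)
    conn.execute("INSERT INTO event VALUES (1, 3, 2, '2007-05-10 09:01:00')")
    conn.execute("INSERT INTO data VALUES (1, 3, ?)", (b"xx bad stuff xx".hex(),))
    second = poll(conn, marks, out.append)
    third = poll(conn, marks, out.append)   # nothing new, so nothing re-sent
    return first, second, third, marks
```

The per-sensor high-water mark is what keeps a repeated poll from re-sending the same alert; persisting `marks` between runs is left to the caller.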