[Snort-users] Alerting in near-real-time

Bamm Visscher bamm.visscher at ...11827...
Thu May 10 18:05:53 EDT 2007


You do not need to reinstall snort. You need to enable the unified log
output plugin though. Sguild runs on its own DB schema which will be
created the first time you run sguild. That DB can coexist with others (like
the one for BASE).

Bammkkkk


On 5/10/07, David.Ryan at ...14057... <David.Ryan at ...14057...> wrote:
>
>
> Paul,
>
> Thanks for the reply.  I have looked at sguil (following your post) and I
> think it may cover what I am looking for, but the install documentation
> indicates relations to lots of other packages such as NSM and p0f and
> includes a lot of detail on setting up the snort install, logging to what
> looks like another database (i.e. a sguil database rather than the initial
> snort one which is included in the snort documentation).
>
> I don't mind re-installing snort from scratch if necessary, but I'm trying
> to work forward from an existing snort install and add this alerting
> function.  Do you know of any documentation covering adding sguil to an
> existing install, or whether I just need the existing database?
>
> Thanks,
>
> David
> =================================
> David Ryan
> IT Security Engineer, Global IT Security
> Quintiles, Global IT - Infrastructure, QDUB
>
> david.ryan at ...14057...
> v:  +353-1-819-5186, GMT+0
> m: +353-87-124-9108
> =================================
>
>
> "Paul Halliday" <paul.halliday at ...11827...>
> 10/05/2007 16:48
> To: "David.Ryan at ...14057..." <David.Ryan at ...14057...>
> cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Alerting in near-real-time
>
> http://sguil.sourceforge.net/
>
> On 5/10/07, David.Ryan at ...14057... <David.Ryan at ...14057...> wrote:
> >
> > Thanks to all on the list for their help to date.
> >
> > I am still trying to get my head around something which I still can't
> > understand in the overall snort model and I'm hoping someone can set me
> > straight on what I'm missing (or what I'm assuming incorrectly). I may have
> > asked this to the list before, but I can't find it. Apologies if I'm asking
> > the same question again.
> >
> > What I have got so far . . . snort sniffs packets, matches those packets
> > against rules and can log the results via a variety of output plugins to
> > various repositories. It can log directly to a variety of databases, but
> > from an optimisation point of view it is better to use unified output, pass
> > that to something like barnyard and have *it* log to the database. Net
> > result is that events are logged in the database. This appears to be the
> > end of snort's involvement in the process from what I can see.
> >
> > With the data now in the database something else needs to process it further
> > if any value is to come out of the data. There are various apps such as
> > BASE, snortnotify, snortsnarf, etc. which will either summarise the
> > data and mail it out or else present it via a webpage for analysis. The
> > problem I'm thinking of is that this is fine for trending or where there is
> > someone looking at the data to review recent traffic, but I don't see how
> > this can provide any sort of near-real-time alerting.
> >
> > Say for example I am happy to look through reports every morning at 0900 to
> > see what happened yesterday, but I *really* *really* want to get an SNMP or
> > SMTP alert when rule # 3423 is triggered or the string "bad stuff" is
> > spotted. What do people use for this type of scenario? I understand that
> > it would probably involve running a query against the database every X
> > minutes and acting on the results of the query, but I can't understand how
> > there aren't a set of apps out there (or at least ones I can find) that do
> > this type of thing as I would have thought it was a common requirement.
> >
> > David
> > =================================
> >  David Ryan
> >  IT Security Engineer, Global IT Security
> >  Quintiles, Global IT - Infrastructure, QDUB
> >
> >  david.ryan at ...14057...
> >  v:  +353-1-819-5186, GMT+0
> >  m: +353-87-124-9108
> >  =================================
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>



-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
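
As an added illustration of the "query the database every X minutes" approach from David's original post (this is example code, not from the thread, Snort or sguil): a watcher that remembers the last event id it has seen, pulls only newer rows, and hands anything matching SID 3423 or the payload string "bad stuff" to a notifier. It assumes the classic Snort/ACID event, signature and data tables, rebuilt here in an in-memory SQLite with constructed rows, and the notifier is a plain callback standing in for the SMTP or SNMP send.

```python
import sqlite3
from typing import Callable

SENSOR_ID = 1                    # Snort sensor (event.sid) this watcher follows
WATCH_SIDS = {3423}              # rule SIDs that should raise an alert
WATCH_STRINGS = ("bad stuff",)   # payload substrings that should raise an alert


def open_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the Snort/ACID schema (a subset of its columns).
    Real deployments keep data_payload hex-encoded; plain text here for brevity."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE signature(sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_sid INTEGER);
        CREATE TABLE event(sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                           PRIMARY KEY(sid, cid));
        CREATE TABLE data(sid INTEGER, cid INTEGER, data_payload TEXT, PRIMARY KEY(sid, cid));
        INSERT INTO signature VALUES (1, 'SAMPLE rule A', 1000001), (2, 'SAMPLE rule 3423', 3423);
        INSERT INTO event VALUES (1, 1, 1, '2007-05-10 09:00:00'),
                                 (1, 2, 2, '2007-05-10 09:01:00'),
                                 (1, 3, 1, '2007-05-10 09:02:00');
        INSERT INTO data VALUES (1, 2, 'GET / HTTP/1.0'), (1, 3, 'echo: bad stuff here');
    """)
    return db


def new_events(db: sqlite3.Connection, last_cid: int) -> list:
    """Rows (cid, sig_sid, sig_name, payload) logged after last_cid on this sensor."""
    return db.execute("""
        SELECT e.cid, s.sig_sid, s.sig_name, COALESCE(d.data_payload, '')
        FROM event e JOIN signature s ON s.sig_id = e.signature
        LEFT JOIN data d ON d.sid = e.sid AND d.cid = e.cid
        WHERE e.sid = ? AND e.cid > ? ORDER BY e.cid""", (SENSOR_ID, last_cid)).fetchall()


def poll_once(db: sqlite3.Connection, last_cid: int, notify: Callable[[str], None]) -> int:
    """One polling cycle (run it every X minutes): alert on watched SIDs or payload
    strings, then return the new high-water mark so no event is scanned twice."""
    for cid, sig_sid, name, payload in new_events(db, last_cid):
        if sig_sid in WATCH_SIDS:
            notify(f"cid {cid}: rule {sig_sid} ({name}) fired")
        elif any(s in payload for s in WATCH_STRINGS):
            notify(f"cid {cid}: payload matched watch string ({name})")
        last_cid = cid           # advance past quiet events too
    return last_cid


if __name__ == "__main__":
    mark = poll_once(open_sample_db(), 0, print)   # swap print for an SMTP/SNMP sender
```

Persist the returned high-water mark between runs (a file or a small table) so a restart of the poller does not re-alert on old events.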