[Snort-users] Alerting in near-real-time

Bamm Visscher bamm.visscher at ...11827...
Fri May 11 09:43:46 EDT 2007


Look at the architecture documentation on the Sguil Wiki. It should help you
understand it.

http://www.vorant.com/nsmwiki/index.php?title=Sguil

Bammkkkk

On 5/11/07, David.Ryan at ...14057... <David.Ryan at ...14057...> wrote:
>
>
> Paul/Bamm,
>
> Thanks for the details.  I'm working through the documentation and
> *trying* my best to understand the model used.
>
> Right now I am trying to work out what needs to be where in my
> 'distributed' model - I have a central mysql server which can receive
> logs/alerts from a small number of snort probes.
>
> I have added the sguil database to the mysql server.
>
> I am shortly going to try getting the probes to log unified output to the
> sguil database. Does this mean that I no longer need to log to the snort
> database, or is this still required for other things like snortreport and
> base? Or do I just repoint the base config at the sguil database?
>
> Thanks,
>
> David
> =================================
> David Ryan
> IT Security Engineer, Global IT Security
> Quintiles, Global IT - Infrastructure, QDUB
>
> david.ryan at ...14057...
> v:  +353-1-819-5186, GMT+0
> m: +353-87-124-9108
> =================================
>
>
> "Paul Halliday" <paul.halliday at ...11827...>
> 11/05/2007 12:31
> To: "David.Ryan at ...14057..." <David.Ryan at ...14057...>
> cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Alerting in near-real-time
>
> David,
>
> You can easily be up and running in under ten minutes. As Bamm said, Sguil
> will do most of the work for you on startup.
>
> All you need to do is modify the configuration scripts to suit your
> environment. See the install docs.
>
> As for p0f, that's a quick install.
>
> I wouldn't worry about SANCP for now (you will see reference to it in the
> config files); you can easily add that functionality after you have seen what
> Sguil has to offer.
>
> If you have any problems you can get free premium support from the author
> himself. Just visit #snort-gui on irc.freenode.net and ask for Bamm
>
> ;)
>
> On 5/10/07, David.Ryan at ...14057... <David.Ryan at ...14057...> wrote:
>
> Paul,
>
> Thanks for the reply.  I have looked at sguil (following your post) and I
> think it may cover what I am looking for, but the install documentation
> indicates relations to lots of other packages such as NSM and p0f and
> includes a lot of detail on setting up the snort install, logging to what
> looks like another database (i.e. a sguil database rather than the initial
> snort one which is included in the snort documentation).
>
> I don't mind re-installing snort from scratch if necessary, but I'm trying
> to work forward from an existing snort install and add this alerting
> function. Do you know of any documentation covering adding sguil to an
> existing install, or whether I just need the existing database?
>
> Thanks,
>
> David
>
> "Paul Halliday" <paul.halliday at ...11827...>
> 10/05/2007 16:48
> To: "David.Ryan at ...14057..." <David.Ryan at ...14057...>
> cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Alerting in near-real-time
>
> http://sguil.sourceforge.net/
>
>
> On 5/10/07, David.Ryan at ...14057... <David.Ryan at ...14057...> wrote:
> >
> > Thanks to all on the list for their help to date.
> >
> > I am still trying to get my head around something which I still can't
> > understand in the overall snort model and I'm hoping someone can set me
> > straight on what I'm missing (or what I'm assuming incorrectly). I may have
> > asked this to the list before, but I can't find it. Apologies if I'm asking
> > the same question again.
> >
> > What I have got so far... snort sniffs packets, matches those packets
> > against rules and can log the results via a variety of output plugins to
> > various repositories. It can log directly to a variety of databases, but
> > from an optimisation point of view it is better to use unified output, pass
> > that to something like barnyard and have *it* log to the database. Net
> > result is that events are logged in the database. This appears to be the
> > end of snort's involvement in the process from what I can see.
> >
> > With the data now in the database something else needs to process it further
> > if any value is to come out of the data. There are various apps such as
> > BASE, snortnotify, snortsnarf, etc. which will either summarise the
> > data and mail it out or else present it via a webpage for analysis. The
> > problem I'm thinking of is that this is fine for trending or where there is
> > someone looking at the data to review recent traffic, but I don't see how
> > this can provide any sort of near-real-time alerting.
> >
> > Say for example I am happy to look through reports every morning at 0900 to
> > see what happened yesterday, but I *really* *really* want to get an SNMP or
> > SMTP alert when rule # 3423 is triggered or the string "bad stuff" is
> > spotted. What do people use for this type of scenario? I understand that
> > it would probably involve running a query against the database every X
> > minutes and acting on the results of the query, but I can't understand how
> > there aren't a set of apps out there (or at least ones I can find) that do
> > this type of thing as I would have thought it was a common requirement.
> >
> > David



-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
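The polling approach David describes in his original question above (query the database every X minutes, alert when rule 3423 fires or a watched string appears), written out as an added example that is not part of this thread or of Sguil. It assumes the classic Snort database output-plugin schema (`event` and `signature` tables), rebuilt here in in-memory SQLite with constructed sample rows so it runs offline; "bad stuff" is matched against the signature name rather than the packet payload, and `notify` is any callable (an smtplib or SNMP trap sender in a real deployment).

```python
import sqlite3

# Assumed schema: the classic Snort database output-plugin tables (event, signature),
# rebuilt in SQLite with constructed sample rows so this runs offline with no sensor.
SAMPLE_DB = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_sid INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
INSERT INTO signature VALUES (1, 'WEB-MISC bad stuff detected', 9001);
INSERT INTO signature VALUES (2, 'ICMP PING', 384);
INSERT INTO signature VALUES (3, 'EXPLOIT example rule', 3423);
INSERT INTO event VALUES (1, 1, 2, '2007-05-11 09:00:01');
INSERT INTO event VALUES (1, 2, 3, '2007-05-11 09:00:05');
INSERT INTO event VALUES (1, 3, 1, '2007-05-11 09:00:09');
INSERT INTO event VALUES (1, 4, 2, '2007-05-11 09:00:12');
"""
WATCH_SIDS = {3423}              # rule numbers that must raise an alert
WATCH_STRINGS = ("bad stuff",)   # substrings of the signature name (not the payload)


def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_DB)
    return conn


def new_matching_events(conn, sensor_id, last_cid):
    """Rows (cid, sig_sid, sig_name, timestamp) newer than the (sid, cid) watermark
    that hit a watched SID or string; the watermark keeps each poll cheap and
    stops the same event from being alerted on every run."""
    rows = conn.execute(
        "SELECT e.cid, s.sig_sid, s.sig_name, e.timestamp FROM event e "
        "JOIN signature s ON s.sig_id = e.signature "
        "WHERE e.sid = ? AND e.cid > ? ORDER BY e.cid", (sensor_id, last_cid)).fetchall()
    return [r for r in rows
            if r[1] in WATCH_SIDS or any(w in r[2].lower() for w in WATCH_STRINGS)]


def poll_once(conn, sensor_id, last_cid, notify):
    """One cron-style cycle: notify on each new match, then advance the watermark to
    the newest cid seen so the next cycle only examines rows logged since now.
    Persist the returned watermark (e.g. to a file) between cron runs."""
    matches = new_matching_events(conn, sensor_id, last_cid)
    for cid, sig_sid, name, ts in matches:
        notify(f"snort sensor {sensor_id} cid {cid} at {ts}: SID {sig_sid} {name}")
    newest = conn.execute("SELECT COALESCE(MAX(cid), ?) FROM event WHERE sid = ?",
                          (last_cid, sensor_id)).fetchone()[0]
    return newest, len(matches)
```

Run from cron every X minutes with the saved watermark; on the sample data the first cycle raises two alerts (the SID 3423 hit and the "bad stuff" signature) and a second cycle with the advanced watermark raises none.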