[Snort-users] Email

Bill Mathews billford at ...3962...
Wed Aug 29 20:16:31 EDT 2012


You could always deploy OSSEC and let it alert for you. It understands
snort logs just fine.
On Aug 29, 2012 7:54 PM, "Greg Williams" <alphawebfx at ...11827...> wrote:

> If it were me, I would not do a db search, the database is already
> processing stuff.  I would have scripts on all your sensors, monitor the
> alert log, and clean the alert log every 5 minutes when the grep is
> complete. Saves processing power by only searching the last 5 minutes
> instead of the entire db.
>
>
>
> On Aug 29, 2012, at 5:35 PM, Nicholas Horton <fivetenets at ...14399...> wrote:
>
> Thanks Greg.
>
> I like that plan.
>
> I think I'm going to do the poor man's way.
>
> Now I just have to figure out if the snortbox should email, or if I should
> run a 5 min cron job against the MySQL db, search for alerts, and have that
> server email the recent alerts and which sensor they came from.
>
> Nick
>
> On Aug 29, 2012, at 6:25 PM, Greg Williams <alphawebfx at ...11827...> wrote:
>
> Nick, I use the enterprise version of Splunk for alerting this stuff, plus
> a lot of other things, but the older version of free Splunk, ~3.9 I think
> allowed for alerting.  The free version of Splunk now doesn't include
> alerting unfortunately.  I have unified2 going to BASE and the alert log so
> Splunk can read the alert log and based on my searches it alerts me.  You
> could also always do a poor man's alerting system by outputting the alerts
> to your database and /var/log/snort/alert and grep'ing for your sid every 5
> minutes then spit off a sendmail command via a cron job.
>
> On Wed, Aug 29, 2012 at 2:57 PM, Horton, Nicholas A - Merrifield, VA -
> Contractor <nicholas.a.horton at ...15788...> wrote:
>
>> Makes sense, and honestly, now that I think about it, I probably won't want
>> the remote snortbox to send an email; plus, the log file is in unified2
>> format.
>>
>> I have several snortboxes talking to a central location and I have Snorby
>> up and running on a central server so I probably just need Snorby to
>> somehow send me an alert based on an event into the database.
>>
>> Right now Snorby sends past reports but I'm also looking for a feature
>> where the notifications can be more immediate.
>>
>> I started to think about the snortbox doing this immediate notification
>> in email but it is already notifying by entering into the central mysql db.
>> I just need this central db box running Snorby to kick off an email given
>> a specific gid or sid.
>>
>> If Snorby isn't it for immediate or specific gid notifications, I just
>> need to find the add-on that can do it.
>>
>> Thanks again Joel,
>> Nick
>>
>> ________________________________________
>> From: Joel Esler [jesler at ...1935...]
>> Sent: Wednesday, August 29, 2012 4:06 PM
>> To: Nicholas Horton
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Email
>>
>> On Aug 29, 2012, at 3:45 PM, Nicholas Horton <fivetenets at ...14399...> wrote:
>>
>> Is snort 2.9.2.3 capable of sending emails based off of alerts or is that
>> something that should be handled by an add-on like swatch?
>>
>> If snort is capable where is the config for sending emails?
>>
>> It's definitely an add-on.  Snort does not contain this native
>> capability.  Snort is an IDS, not an email generation program. :)
>>
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>
>
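The "poor man's" alerting that Greg and Nick settle on above (a cron job on each sensor that searches the text alert log for watched sids and hands the result to sendmail), as an added example that is not code from this thread or from the Snort project. It is written in Python rather than as a grep one-liner so it can keep state between runs: instead of cleaning out the alert log every 5 minutes, it remembers a byte offset, so alerts appended between the end of the search and the truncation are not lost and the log is left intact as evidence. It assumes the sensor writes a text log in alert_fast format (for example `output alert_fast: alert` in snort.conf) alongside its unified2 output, that the MTA is reachable at /usr/sbin/sendmail, and that the state-file path, recipient, watch list and sample alert lines are all constructed for the example. Because it runs per sensor, the sensor hostname goes into the subject, which covers Nick's "which sensor it came from" without querying the central MySQL database.

```python
#!/usr/bin/env python3
"""Cron-driven Snort alert mailer (added example, not from the thread or from Snort).

Runs every 5 minutes on each sensor, reads only what was appended to the
alert_fast log since the last run, keeps alerts whose [gid:sid] is on a watch
list and mails a summary through the local sendmail binary.
"""
import os
import re
import socket
import subprocess
from collections import Counter

ALERT_LOG = "/var/log/snort/alert"            # path used in the thread
STATE_FILE = "/var/lib/snort/mailer.offset"   # hypothetical: remembers how far we have read
WATCH = {(1, 2100498), (1, 1000001)}          # (gid, sid) pairs to page on; constructed list
RCPT = "soc@example.com"                      # assumption

# alert_fast line: TS  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {PROTO} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample lines in alert_fast format; the last one is deliberately not an alert.
SAMPLE_LINES = [
    "08/29-20:16:31.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:80 -> 10.0.0.5:51234",
    "08/29-20:16:40.000001  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.5",
    "08/29-20:16:45.222222  [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 10.0.0.5:51234 -> 198.51.100.7:80",
    "this line is not an alert and must be counted as unparsed",
]


def parse_fast_line(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "cls": d["cls"] or "", "pri": int(d["pri"]) if d["pri"] else None,
        "proto": d["proto"], "src": d["src"], "dst": d["dst"],
    }


def complete_lines(data):
    """Split appended bytes into whole lines, leaving a trailing partial line (one Snort
    is still writing) unconsumed. Returns (lines, bytes_consumed)."""
    cut = data.rfind(b"\n") + 1
    return data[:cut].decode("utf-8", "replace").splitlines(), cut


def read_new_lines(path, state_path):
    """Return lines appended since the last run; restart from 0 if the log shrank (rotation)."""
    try:
        with open(state_path) as f:
            offset = int(f.read().strip() or 0)
    except (OSError, ValueError):
        offset = 0
    if offset > os.path.getsize(path):
        offset = 0
    with open(path, "rb") as f:
        f.seek(offset)
        lines, consumed = complete_lines(f.read())
    with open(state_path, "w") as f:
        f.write(str(offset + consumed))
    return lines


def select_alerts(lines, watch):
    """Keep alerts whose (gid, sid) is on the watch list; count non-empty lines that did not parse."""
    hits, unparsed = [], 0
    for line in lines:
        a = parse_fast_line(line)
        if a is None:
            unparsed += bool(line.strip())
            continue
        if (a["gid"], a["sid"]) in watch:
            hits.append(a)
    return hits, unparsed


def build_mail(alerts, sensor, rcpt, sender="snort@localhost"):
    """Build a plain-text message: per-signature counts first, then every event."""
    counts = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    subject = f"[snort:{sensor}] {len(alerts)} watched alert(s), {len(counts)} distinct sig(s)"
    body = [f"Sensor: {sensor}", ""]
    body += [f"{n:4d}x [{gid}:{sid}] {msg}" for (gid, sid, msg), n in counts.most_common()]
    body.append("")
    body += [f"{a['ts']} [{a['gid']}:{a['sid']}:{a['rev']}] {a['msg']} "
             f"{a['proto']} {a['src']} -> {a['dst']}" for a in alerts]
    return f"From: {sender}\nTo: {rcpt}\nSubject: {subject}\n\n" + "\n".join(body) + "\n"


def send_via_sendmail(mail):
    """Hand the message to the local MTA, the 'sendmail from cron' step in the thread."""
    subprocess.run(["/usr/sbin/sendmail", "-t", "-oi"], input=mail.encode(), check=True)


if __name__ == "__main__":
    hits, unparsed = select_alerts(read_new_lines(ALERT_LOG, STATE_FILE), WATCH)
    if hits:
        send_via_sendmail(build_mail(hits, socket.gethostname(), RCPT))
```

A crontab entry such as `*/5 * * * * snort /usr/local/bin/snort_mail.py` (path and user are assumptions) gives the 5-minute cadence from the thread; the state file must be writable by that user. Lines that do not parse are counted rather than mailed, so a change of output format (alert_full is multi-line and will not match) shows up as a rising unparsed count instead of silently dropping alerts.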

