[Snort-users] Email

Nicholas Horton fivetenets at ...14399...
Thu Aug 30 13:46:05 EDT 2012


Ok. Makes sense to me. Thanks again Greg!

Nick

On Aug 29, 2012, at 7:51 PM, Greg Williams <alphawebfx at ...11827...> wrote:

> If it were me, I would not do a db search, the database is already processing stuff.  I would have scripts on all your sensors, monitor the alert log, and clean the alert log every 5 minutes when the grep is complete. Saves processing power by only searching the last 5 minutes instead of the entire db.
> 
> 
> 
> On Aug 29, 2012, at 5:35 PM, Nicholas Horton <fivetenets at ...14399...> wrote:
> 
>> Thanks Greg.
>> 
>> I like that plan. 
>> 
>> I think I'm going to do the poor man's way. 
>> 
>> Now I just have to figure out if the snortbox should email or if I should 5 min cron job of the MySQL db and search for alerts n have that server email recent alerts and which sensor it came from.
>> 
>> Nick
>> 
>> On Aug 29, 2012, at 6:25 PM, Greg Williams <alphawebfx at ...11827...> wrote:
>> 
>>> Nick, I use the enterprise version of Splunk for alerting this stuff, plus a lot of other things, but the older version of free Splunk, ~3.9 I think allowed for alerting.  The free version of Splunk now doesn't include alerting unfortunately.  I have unified2 going to BASE and the alert log so Splunk can read the alert log and based on my searches it alerts me.  You could also always do a poor man's alerting system by outputting the alerts to your database and /var/log/snort/alert and grep'ing for your sid every 5 minutes then spit off a sendmail command via a cron job.
>>> 
>>> On Wed, Aug 29, 2012 at 2:57 PM, Horton, Nicholas A - Merrifield, VA -  Contractor <nicholas.a.horton at ...15788...> wrote:
>>> Makes sense and honestly now that I think about it I probably won't want the remote snortbox to send an email plus the log file is in unified2 format.
>>> 
>>> I have several snortboxes talking to a central location and I have Snorby up and running on a central server so I probably just need Snorby to somehow send me an alert based on an event into the database.
>>> 
>>> Right now Snorby sends past reports but I'm also looking for a feature where the notifications can be more immediate.
>>> 
>>> I started to think about the snortbox doing this immediate notification in email but it is already notifying by entering into the central mysql db.  I just need this central db box running Snorby to kick off an email given a specific gid or sid.
>>> 
>>> If Snorby isn't it for immediate or specific gid notifications i just need to find that add-on that can do it.
>>> 
>>> Thanks again Joel,
>>> Nick
>>> 
>>> ________________________________________
>>> From: Joel Esler [jesler at ...1935...]
>>> Sent: Wednesday, August 29, 2012 4:06 PM
>>> To: Nicholas Horton
>>> Cc: snort-users at lists.sourceforge.net
>>> Subject: Re: [Snort-users] Email
>>> 
>>> On Aug 29, 2012, at 3:45 PM, Nicholas Horton <fivetenets at ...14399...<mailto:fivetenets at ...14399...>> wrote:
>>> 
>>> Is snort 2.9.2.3 capable of sending emails based off of alerts or is that something that should be handled by an add-on like swatch?
>>> 
>>> If snort is capable where is the config for sending emails?
>>> 
>>> It's definitely an add-on.  Snort does not contain this native capability.  Snort is an IDS, not an email generation program. :)
>>> 
>>> ------------------------------------------------------------------------------
>>> Live Security Virtual Conference
>>> Exclusive live event will cover all the ways today's security and
>>> threat landscape has changed and how IT managers can respond. Discussions
>>> will include endpoint security, mobile security and the latest in malware
>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>> 
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120830/d5cc8cfb/attachment.html>


More information about the Snort-users mailing list