[Snort-users] Snort and real-time alerting
cummingsj at ...11827...
Thu May 24 15:40:17 EDT 2012
I understand what you are saying, and in theory it can certainly
provide some insight into attacks against what it is that "you" are
"trying" to "protect".. that said.. why are you even allowing mysql
from the outside in your example, seems like a bad practice in the
first place, this is the kind of thing that generic firewalls and
logging thereof are for, no? That type of thing notwithstanding, if
you can turn on more rules and look at traffic that may be "real"
attack traffic against things that "you" "don't" have, and still be
able to manage your alert volume, then more power to ya, I say if it
works for you then stick with it.. certainly not my methodology though
and I don't see how it's scalable in an environment with significant
traffic volume and a potentially large attack surface.
On Thu, May 24, 2012 at 10:09 AM, waldo kitty <wkitty42 at ...14940...> wrote:
> On 5/23/2012 15:45, JJC wrote:
>> Tune that system..
>> I can fairly safely assume that if you have 20,000
>> rules enabled, you are looking for attacks against stuff that you
>> don't have.
> that's a bad thing? if "you" attempt to see if "i" have mysql accessible from
> the outside by trying to throw an attack at it, "i" want you blocked...
> period... even if "i" never use mysql ever... the same statement applies if
> "you" throw wordpress hacks at my network and "i'm" not running any dynamic
> pages at all... or VOIP SIP scans... or SOLARIS telnet buffer overruns... etc...
> "you" tried something dirty... that's all the proof needed in my book...
> watching only for traffic that might affect the stuff you do run is allowing a
> whole mash of other unnecessary traffic into your network that is attempting to
> attack stuff you don't run... why allow any bad traffic at all? would you like
> someone to test your house/apartment front door all the time every day to see if
> it is unlocked or would you do something about it? ;)
>> On Wed, May 23, 2012 at 8:51 AM, Jeronimo L. Cabral
>> <jelocabral at ...11827...> wrote:
>>> Something else: suppose I use logsurfer/swatch/logwatch to alert in
>>> real time the Snorts events. Actually I have near 5 events per minute.
>>> What is the criteria to take just a few number of critical events of
>>> Snort ??? Because I have 20.000 signatures...
>>> On Wed, May 23, 2012 at 11:40 AM, Jeronimo L. Cabral
>>> <jelocabral at ...11827...> wrote:
>>>> What about Swatch ??? Is it more appropriate ???
>>>> On Wed, May 23, 2012 at 11:13 AM, Lay, James<james.lay at ...15009...> wrote:
>>>>>> -----Original Message-----
>>>>>> From: Jeronimo L. Cabral [mailto:jelocabral at ...11827...]
>>>>>> Sent: Wednesday, May 23, 2012 8:10 AM
>>>>>> To: snort-users at lists.sourceforge.net
>>>>>> Subject: [Snort-users] Snort and real-time alerting
>>>>>> Dear, I have a Snort 2.9 with Base running OK, but I need a real time
>>>>>> alerting mechanism via email if possible.
>>>>>> How can I do that ??? Any extra module to use in that way ???
>>>>>> Special thanks
>>>>> Log to fast alert then use wots/logsurfer/logwatch to tail/watch the
>>>>> file and email out. Assuming linux/BSD/OSX.
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
More information about the Snort-users