[Snort-users] Snort and real-time alerting

Jeronimo L. Cabral jelocabral at ...11827...
Mon May 28 12:14:34 EDT 2012


Coming back to real-time monitoring of Snort, my Snort generates a lot
of snort log files under /var/log/snort, they have different names.

What can I do to monitor Snort if the file name changes ???

Thanks

On Thu, May 24, 2012 at 4:40 PM, JJC <cummingsj at ...11827...> wrote:
> I understand what you are saying, and in theory it can certainly
> provide some insight into attacks against what it is that "you" are
> "trying" to "protect".. that said.. why are you even allowing mysql
> from the outside in your example, seems like a bad practice in the
> first place, this is the kind of thing that generic firewalls and
> logging thereof are for, no?  That type of thing notwithstanding, if
> you can turn on more rules and look at traffic that may be "real"
> attack traffic against things that "you" "don't" have, and still be
> able to manage your alert volume, then more power to ya, I say if it
> works for you then stick with it.. certainly not my methodology though
> and I don't see how it's scalable in an environment with significant
> traffic volume and a potentially large attack surface.
>
> JJC
>
> On Thu, May 24, 2012 at 10:09 AM, waldo kitty <wkitty42 at ...14940...> wrote:
>> On 5/23/2012 15:45, JJC wrote:
>>> Tune that system..
>>
>> agreed...
>>
>>> I can fairly safely assume that if you have 20,000
>>> rules enabled, you are looking for attacks against stuff that you
>>> don't have.
>>
>> that's a bad thing? if "you" attempt to see if "i" have mysql accessible from
>> the outside by trying to throw an attack at it, "i" want you blocked...
>> period... even if "i" never use mysql ever... the same statement applies if
>> "you" throw wordpress hacks at my network and "i'm" not running any dynamic
>> pages at all... or VOIP SIP scans... or SOLARIS telnet buffer overruns... etc...
>>
>> "you" tried something dirty... that's all the proof needed in my book...
>> watching only for traffic that might affect the stuff you do run is allowing a
>> whole mash of other unnecessary traffic into your network that is attempting to
>> attack stuff you don't run... why allow any bad traffic at all? would you like
>> someone to test your house/apartment front door all the time every day to see if
>> it is unlocked or would you do something about it? ;)
>>
>>>
>>> JJC
>>>
>>> On Wed, May 23, 2012 at 8:51 AM, Jeronimo L. Cabral
>>> <jelocabral at ...11827...>  wrote:
>>>> Something else: suppose I use logsurfer/swatch/logwatch to alert in
>>>> real time the Snorts events. Actually I have near 5 events per minute.
>>>>
>>>> What is the criteria to take just a few number of critical events of
>>>> Snort ??? Because I have 20.000 signatures...
>>>>
>>>> On Wed, May 23, 2012 at 11:40 AM, Jeronimo L. Cabral
>>>> <jelocabral at ...11827...>  wrote:
>>>>> What about Swatch ??? Is it more appropriate ???
>>>>>
>>>>> On Wed, May 23, 2012 at 11:13 AM, Lay, James<james.lay at ...15009...>  wrote:
>>>>>>> -----Original Message-----
>>>>>>> From: Jeronimo L. Cabral [mailto:jelocabral at ...11827...]
>>>>>>> Sent: Wednesday, May 23, 2012 8:10 AM
>>>>>>> To: snort-users at lists.sourceforge.net
>>>>>>> Subject: [Snort-users] Snort and real-time alerting
>>>>>>>
>>>>>>> Dear, I have a Snort 2.9 with Base running OK, but I need a real time
>>>>>>> alerting mechanism via email if possible.
>>>>>>>
>>>>>>> How can I do that ??? Any extra module to use in that way ???
>>>>>>>
>>>>>>> Special thanks
>>>>>>>
>>>>>>> JeLo
>>>>>>
>>>>>> Log to fast alert then use wots/logsurfer/logwatch to tail/watch the
>>>>>> file and email out.  Assuming linux/BSD/OSX.
>>>>>>
>>>>>> James
>>
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!




More information about the Snort-users mailing list