[Snort-users] Real Time Alert and Variables

Nicholas Horton fivetenets at ...14399...
Wed Feb 6 08:50:06 EST 2013


Was anyone able to verify this?

Is Splunk for Snort free or just a 60-day trial?

Nick

On Jan 31, 2013, at 10:58 AM, Michael Steele <michaels at ...9077...> wrote:

> I'm told that Splunk has a 60 day trial and e-mail will not function after
> that day.
> 
> Any truth to that?
> 
> Best regards,
> Michael...
> 
>> -----Original Message-----
>> From: Greg Williams [mailto:gwillia5 at ...15920...]
>> Sent: Monday, January 28, 2013 12:26 AM
>> To: Michael Steele
>> Cc: Snort Users
>> Subject: Re: [Snort-users] Real Time Alert and Variables
>> 
>> Yes, exactly.  I added fast alerts to my barnyard config, it should be the
>> same in snort.conf.  Splunk is a log management system on steroids.  I use BASE
>> and Snorby for full packet analysis, but Splunk for trending and alerting.
>> With Splunk I can correlate the IPs from the alerts with dhcp snooping logs
>> and run a script on a scheduled query to shut down a port.  I also use it to
>> give me daily reports on the number of P2P client alerts seen on specific subnets.
>> Example query is as simple as:
>> 
>> Sourcetype=snort P2P starthoursago=24 | stats count by Name
>> 
>> On Jan 27, 2013, at 10:44 PM, "Michael Steele" <michaels at ...9077...>
>> wrote:
>> 
>>> I'm intrigued.
>>> 
>>> So I add to my snort.conf
>>> 
>>> output alert_fast: alert.ids
>>> 
>>> I can use Splunk to watch the alert.ids file and trigger on patterns?
>>> 
>>> Best regards,
>>> Michael...
>>> 
>>>> -----Original Message-----
>>>> From: Greg Williams [mailto:gwillia5 at ...15920...]
>>>> Sent: Sunday, January 27, 2013 4:11 PM
>>>> To: Nicholas Horton
>>>> Cc: Snort Users
>>>> Subject: Re: [Snort-users] Real Time Alert and Variables
>>>> 
>>>> Absolutely. It's an amazing piece of software.
>>>> 
>>>> Nicholas Horton <fivetenets at ...14399...> wrote:
>>>> 
>>>> 
>>>> Perfect. Thanks Greg. I'll take a look.
>>>> 
>>>> I use snorby for alert gathering but just need another piece for
>>>> performing automated tasks based on an alert.
>>>> 
>>>> Will Splunk pass variables to the script such as the source IP from
>>>> an alert?
>>>> 
>>>> Nick
>>>> 
>>>> On Jan 27, 2013, at 3:19 PM, Greg Williams <gwillia5 at ...15920...> wrote:
>>>> 
>>>>> Nick, I use Splunk to do this.  I feed Splunk the fast alerts and
>>>>> then either send emails or run scripts off specific matched criteria.
>>>>> Example: shutdown a port based on more than 5 outbound ZeroAccess
>>>>> alerts in 5 minutes.
>>>>> 
>>>>> Nicholas Horton <fivetenets at ...14399...> wrote:
>>>>> 
>>>>> 
>>>>> 
>>>>> Is this referring to alert, drop, log, pass, etc?
>>>>> 
>>>>> If so are you saying it's possible that I can create a type to have
>>>>> to execute a command to the shell based on a specific alert?
>>>>> 
>>>>> This is what I'm looking for.
>>>>> 
>>>>> For example if rule 1:2924 gets triggered I not only want to alert
>>>>> me about it but actually kick off a script to do something in case
>>>>> it's in the middle of the night or I'm simply at lunch.  To automate
>>>>> certain known alerts that are harmful and could spread through the
>>>>> LAN. Maybe I would even shut off the switch port that the device is
>>>>> connected to if it has a virus.
>>>>> 
>>>>> Does snort have this ability?  Can barnyard2?  I like using
>>>>> abilities of a given program and would prefer not adding another
>>>>> layer of complexity to the equation such as swatch but if that is
>>>>> what I need I'll use it.
>>>>> 
>>>>> What is the best practice for having scripts kick off to the shell
>>>>> based on specific alerts?
>>>>> 
>>>>> Thanks again
>>>>> Nick
>>>>> 
>>>>> On Jan 25, 2013, at 12:08 PM, Nicholas Horton <fivetenets at ...14399...> wrote:
>>>>> 
>>>>> Perfect. Thanks. I'll take a look in the manual.
>>>>> 
>>>>> Nick
>>>>> 
>>>>> On Jan 25, 2013, at 12:00 PM, Y M <snort at ...15979...> wrote:
>>>>> 
>>>>> You can also use custom action types. You define them in snort.conf
>>>>> file, and use the new custom action type with your rules. Sorry can't
>>>>> provide resources at the moment, but it should be in the manual.
>>>>> 
>>>>> YM
>>>>> ________________________________
>>>>> From: Nicholas Horton <fivetenets at ...14399...>
>>>>> Sent: 1/25/2013 7:26 PM
>>>>> To: Snort Users <snort-users at lists.sourceforge.net>
>>>>> Subject: [Snort-users] Real Time Alert and Variables
>>>>> 
>>>>> Is swatch still the best, only, current solution to kick off a
>>>>> script with variables such as source ip based on a specific snort alert?
>>>>> 
>>>>> Nick
>>>>> 
>>>>> ------------------------------------------------------------------------------
>>>>> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, MVC,
>>>>> Windows 8 Apps, JavaScript and much more. Keep your skills current with
>>>>> LearnDevNow - 3,200 step-by-step video tutorials by Microsoft MVPs and
>>>>> experts. ON SALE this month only -- learn more at:
>>>>> http://p.sf.net/sfu/learnnow-d2d
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>> 
>>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>>> Snort news!
> 
> 
> 

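The workflow Greg describes (feed Splunk the alert_fast lines, fire a script with the source IP once more than 5 alerts for a rule arrive in 5 minutes), sketched as an added Python example that is not code from anyone in this thread, from Snort or from Splunk. SID 2924 and the 5-in-5-minutes threshold come from the thread; the sample alert lines, the rule message and the `quarantine_port` action name are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Snort alert_fast line: "MM/DD-HH:MM:SS.us  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src:port -> dst:port"
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def parse_fast_alert(line, year=2013):
    """Return the fields a script would need (timestamp, sid, source IP), or None for non-alert lines."""
    m = FAST_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")  # fast format carries no year
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"], "src": m["src"], "dst": m["dst"]}

class ThresholdTrigger:
    """Fire once per source IP when more than `count` alerts for `sid` fall inside `window_s` seconds."""
    def __init__(self, sid, count=5, window_s=300):
        self.sid, self.count, self.window_s = sid, count, window_s
        self.seen = defaultdict(deque)  # source IP -> timestamps still inside the window
        self.fired = set()              # sources already handed to the script (no re-firing)

    def feed(self, alert):
        if alert is None or alert["sid"] != self.sid:
            return None
        q = self.seen[alert["src"]]
        q.append(alert["ts"])
        while (q[-1] - q[0]).total_seconds() > self.window_s:  # slide the window forward
            q.popleft()
        if len(q) > self.count and alert["src"] not in self.fired:
            self.fired.add(alert["src"])
            # The variables handed to the containment script; "quarantine_port" is a hypothetical action name.
            return {"action": "quarantine_port", "src_ip": alert["src"], "sid": self.sid, "hits": len(q)}
        return None

def process(lines, trigger):
    return [a for a in (trigger.feed(parse_fast_alert(l)) for l in lines) if a]

# Constructed alert_fast lines (not real traffic): six hits from 10.0.0.5 across five minutes, two noise lines.
SAMPLE_LINES = [
    f"01/28-00:{m:02d}:00.000000  [**] [1:2924:5] EXAMPLE outbound alert [**] "
    f"[Classification: Trojan Activity] [Priority: 1] {{TCP}} 10.0.0.5:4915{m} -> 192.0.2.10:80"
    for m in range(6)
] + [
    "01/28-00:01:30.000000  [**] [1:2924:5] EXAMPLE outbound alert [**] [Classification: Trojan Activity] [Priority: 1] {TCP} 10.0.0.7:50000 -> 192.0.2.10:80",
    "01/28-00:02:00.000000  [**] [1:1000001:1] EXAMPLE other rule [**] [Classification: Misc] [Priority: 3] {UDP} 10.0.0.5:5353 -> 10.0.0.1:53",
]
```

Running `process(SAMPLE_LINES, ThresholdTrigger(sid=2924))` yields one action for 10.0.0.5 (hits=6) and nothing for 10.0.0.7 or the unrelated rule; the fast format has no year, so the parser takes one as a parameter.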


