[Snort-users] Real Time Alert and Variables

Joel Esler jesler at ...1935...
Wed Feb 6 11:10:21 EST 2013


I did a quick Google:

Download Splunk Enterprise for free. You'll get a Splunk Enterprise license for 60 days and you can index up to 500 megabytes of data per day. You can convert to a perpetual Free license or purchase an Enterprise license to continue using the expanded functionality designed for multi-user deployments.

http://www.splunk.com/download?r=header

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Feb 6, 2013, at 8:50 AM, Nicholas Horton <fivetenets at ...14399...> wrote:

> Was anyone able to verify this?
> 
> Is Splunk for Snort free or just a 60-day trial?
> 
> Nick
> 
> On Jan 31, 2013, at 10:58 AM, Michael Steele <michaels at ...9077...> wrote:
> 
>> I'm told that Splunk has a 60 day trial and e-mail will not function after
>> that day.
>> 
>> Any truth to that?
>> 
>> Best regards,
>> Michael...
>> 
>>> -----Original Message-----
>>> From: Greg Williams [mailto:gwillia5 at ...15920...]
>>> Sent: Monday, January 28, 2013 12:26 AM
>>> To: Michael Steele
>>> Cc: Snort Users
>>> Subject: Re: [Snort-users] Real Time Alert and Variables
>>> 
>>> Yes, exactly.  I added fast alerts to my barnyard config, it should be the same
>>> in snort.conf.  Splunk is a log management system on steroids.  I use BASE
>>> and Snorby for full packet analysis, but Splunk for trending and alerting.  With
>>> Splunk I can correlate the IPs from the alerts with dhcp snooping logs and
>>> run a script on a scheduled query to shut down a port.  I also use it to give me
>>> daily reports on the number of P2P client alerts seen on specific subnets.
>>> Example query is as simple as:
>>> 
>>> sourcetype=snort P2P starthoursago=24 | stats count by Name
>>> 
>>> On Jan 27, 2013, at 10:44 PM, "Michael Steele" <michaels at ...9077...>
>>> wrote:
>>> 
>>>> I'm intrigued.
>>>> 
>>>> So I add to my snort.conf
>>>> 
>>>> output alert_fast: alert.ids
>>>> 
>>>> I can use Splunk to watch the alert.ids file and trigger on patterns?
>>>> 
>>>> Best regards,
>>>> Michael...
>>>> 
>>>>> -----Original Message-----
>>>>> From: Greg Williams [mailto:gwillia5 at ...15920...]
>>>>> Sent: Sunday, January 27, 2013 4:11 PM
>>>>> To: Nicholas Horton
>>>>> Cc: Snort Users
>>>>> Subject: Re: [Snort-users] Real Time Alert and Variables
>>>>> 
>>>>> Absolutely. It's an amazing piece of software.
>>>>> 
>>>>> Nicholas Horton <fivetenets at ...14399...> wrote:
>>>>> 
>>>>> 
>>>>> Perfect. Thanks Greg. I'll take a look.
>>>>> 
>>>>> I use snorby for alert gathering but just need another piece for performing
>>>>> automated tasks based on an alert.
>>>>> 
>>>>> Will Splunk pass variables to the script such as the source IP from an alert?
>>>>> 
>>>>> Nick
>>>>> 
>>>>> On Jan 27, 2013, at 3:19 PM, Greg Williams <gwillia5 at ...15920...> wrote:
>>>>> 
>>>>>> Nick, I use Splunk to do this.  I feed Splunk the fast alerts and then either
>>>>>> send emails or run scripts off specific matched criteria. Example: shutdown
>>>>>> a port based on more than 5 outbound ZeroAccess alerts in 5 minutes.
>>>>>> 
>>>>>> Nicholas Horton <fivetenets at ...14399...> wrote:
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Is this referring to alert, drop, log, pass, etc?
>>>>>> 
>>>>>> If so are you saying it's possible that I can create a type to have to
>>>>>> execute a command to the shell based on a specific alert?
>>>>>> 
>>>>>> This is what I'm looking for.
>>>>>> 
>>>>>> For example if rule 1:2924 gets triggered I not only want to alert me
>>>>>> about it but actually kick off a script to do something in case it's in the
>>>>>> middle of the night or I'm simply at lunch.  To automate certain known alerts that
>>>>>> are harmful and could spread through the LAN. Maybe I would even shut
>>>>>> off the switch port that the device is connected to if it has a virus.
>>>>>> 
>>>>>> Does snort have this ability?  Can barnyard2?  I like using abilities of
>>>>>> a given program and would prefer not adding another layer of complexity to
>>>>>> the equation such as swatch but if that is what I need I'll use it.
>>>>>> 
>>>>>> What is the best practice for having scripts kick off to the shell based
>>>>>> on specific alerts?
>>>>>> 
>>>>>> Thanks again
>>>>>> Nick
>>>>>> 
>>>>>> On Jan 25, 2013, at 12:08 PM, Nicholas Horton <fivetenets at ...14399...> wrote:
>>>>>> 
>>>>>> Perfect. Thanks. I'll take a look in the manual.
>>>>>> 
>>>>>> Nick
>>>>>> 
>>>>>> On Jan 25, 2013, at 12:00 PM, Y M <snort at ...15979...> wrote:
>>>>>> 
>>>>>> You can also use custom action types. You define them in snort.conf file,
>>>>>> and use the new custom action type with your rules. Sorry, can't
>>>>>> provide resources at the moment, but it should be in the manual.
>>>>>> 
>>>>>> YM
>>>>>> ________________________________
>>>>>> From: Nicholas Horton<mailto:fivetenets at ...14399...>
>>>>>> Sent: 1/25/2013 7:26 PM
>>>>>> To: Snort Users<mailto:snort-users at lists.sourceforge.net>
>>>>>> Subject: [Snort-users] Real Time Alert and Variables
>>>>>> 
>>>>>> Is swatch still the best, only, current solution to kick off a script with
>>>>>> variables such as source IP based on a specific snort alert?
>>>>>> 
>>>>>> Nick
>>>>>> 
>>>>>> ------------------------------------------------------------------------------
>>>>>> _______________________________________________
>>>>>> Snort-users mailing list
>>>>>> Snort-users at lists.sourceforge.net
>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> Snort-users list archive:
>>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>> 
>>>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>> 
>> 
>> 
> 
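Nick's question about handing variables such as the source IP to a script, and Greg's "more than 5 alerts in 5 minutes" trigger, as an added Python example that is not from anyone in the thread: it parses Snort alert_fast lines (the `output alert_fast` format Michael adds to snort.conf), counts a given sid per source IP in a sliding window, and returns the variable set a response script would be handed. The alert lines, the sid-2924 message text and the threshold values are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# One line of Snort "output alert_fast" (the format Michael adds to snort.conf in the thread).
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\](?:\s+\[Classification:[^\]]*\])?(?:\s+\[Priority:\s*\d+\])?\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::\d+)?\s+->\s+(?P<dst>[^\s:]+)(?::\d+)?$"
)

def parse_fast(line, year):
    """Return the alert's fields as a dict, or None if the line is not an alert_fast record."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # alert_fast timestamps carry no year, so the caller supplies it.
    rec["ts"] = datetime.strptime(f"{year}/{rec['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return rec

class BurstThreshold:
    """Fire once a given sid is seen `count` times from the same source IP within `seconds`."""
    def __init__(self, sid, count=5, seconds=300):
        self.sid, self.count, self.seconds = str(sid), count, seconds
        self.hits = defaultdict(deque)  # src_ip -> timestamps of recent matching alerts
    def feed(self, rec):
        if rec is None or rec["sid"] != self.sid:
            return None
        q = self.hits[rec["src"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > self.seconds:
            q.popleft()  # drop alerts that fell out of the window
        if len(q) >= self.count:
            q.clear()  # one action per burst, not one per extra alert
            return {"sid": self.sid, "src_ip": rec["src"], "msg": rec["msg"]}
        return None

def actions_for(lines, sid, count, seconds, year):
    """Each returned dict is the variable set a response script would be handed."""
    th = BurstThreshold(sid, count, seconds)
    return [a for a in (th.feed(parse_fast(l, year)) for l in lines) if a]

# Constructed sample (not real traffic): six sid-2924 hits from 10.0.0.5 in 4 minutes, two from 10.0.0.9, one other sid.
SAMPLE = [
    f"01/28-12:{m:02d}:00.000001  [**] [1:2924:1] CONSTRUCTED test alert [**] "
    f"[Classification: A Network Trojan was detected] [Priority: 1] {{TCP}} {src}:51234 -> 198.51.100.7:80"
    for m, src in [(20, "10.0.0.5"), (21, "10.0.0.9"), (21, "10.0.0.5"), (22, "10.0.0.5"),
                   (23, "10.0.0.5"), (23, "10.0.0.9"), (24, "10.0.0.5"), (24, "10.0.0.5")]
] + ["01/28-12:25:00.000001  [**] [1:1000001:1] CONSTRUCTED other alert [**] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1"]
```

Calling `actions_for(SAMPLE, 2924, 5, 300, 2013)` yields one action for 10.0.0.5; tightening the window to 60 seconds yields none, which is the difference between a burst and background noise.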
