[Snort-users] Real Time Alert and Variables

Nicholas Horton fivetenets at ...14399...
Thu Feb 7 10:50:43 EST 2013


Thanks Joel. I see.

I also saw the monitoring and alerting functionality I'm looking for is in their enterprise edition and not the free one. 

Oh well :)

Looks like I'll go back to your swatch solution unless there is anything else out there for real-time specific alerting and sending variables to the shell to run in a script.

Thanks again
Nick

On Feb 6, 2013, at 11:10 AM, Joel Esler <jesler at ...1935...> wrote:

> I did a quick Google:
> 
> Download Splunk Enterprise for free. You'll get a Splunk Enterprise license for 60 days and you can index up to 500 megabytes of data per day. You can convert to a perpetual Free license or purchase an Enterprise license to continue using the expanded functionality designed for multi-user deployments.
> 
> http://www.splunk.com/download?r=header
> 
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
> 
> On Feb 6, 2013, at 8:50 AM, Nicholas Horton <fivetenets at ...14399...> wrote:
> 
>> Was anyone able to verify this?
>> 
>> Is Splunk for Snort free or just a 60-day trial?
>> 
>> Nick
>> 
>> On Jan 31, 2013, at 10:58 AM, Michael Steele <michaels at ...9077...> wrote:
>> 
>>> I'm told that Splunk has a 60-day trial and e-mail will not function after that day.
>>> 
>>> Any truth to that?
>>> 
>>> Best regards,
>>> Michael...
>>> 
>>>> -----Original Message-----
>>>> From: Greg Williams [mailto:gwillia5 at ...15920...]
>>>> Sent: Monday, January 28, 2013 12:26 AM
>>>> To: Michael Steele
>>>> Cc: Snort Users
>>>> Subject: Re: [Snort-users] Real Time Alert and Variables
>>>> 
>>>> Yes, exactly.  I added fast alerts to my barnyard config, it should be the same
>>>> in snort.conf.  Splunk is a log management system on steroids.  I use BASE
>>>> and Snorby for full packet analysis, but Splunk for trending and alerting.
>>>> With Splunk I can correlate the IPs from the alerts with dhcp snooping logs and
>>>> run a script on a scheduled query to shut down a port.  I also use it to give me
>>>> daily reports on the number of P2P client alerts seen on specific subnets.
>>>> Example query is as simple as:
>>>> 
>>>> Sourcetype=snort P2P starthoursago=24 | stats count by Name
>>>> 
>>>> On Jan 27, 2013, at 10:44 PM, "Michael Steele" <michaels at ...9077...> wrote:
>>>> 
>>>>> I'm intrigued.
>>>>> 
>>>>> So I add to my snort.conf
>>>>> 
>>>>> output alert_fast: alert.ids
>>>>> 
>>>>> I can use Splunk to watch the alert.ids file and trigger on patterns?
>>>>> 
>>>>> Best regards,
>>>>> Michael...
>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: Greg Williams [mailto:gwillia5 at ...15920...]
>>>>>> Sent: Sunday, January 27, 2013 4:11 PM
>>>>>> To: Nicholas Horton
>>>>>> Cc: Snort Users
>>>>>> Subject: Re: [Snort-users] Real Time Alert and Variables
>>>>>> 
>>>>>> Absolutely. It's an amazing piece of software.
>>>>>> 
>>>>>> Nicholas Horton <fivetenets at ...14399...> wrote:
>>>>>> 
>>>>>> 
>>>>>> Perfect. Thanks Greg. I'll take a look.
>>>>>> 
>>>>>> I use snorby for alert gathering but just need another piece for
>>>>>> performing automated tasks based on an alert.
>>>>>> 
>>>>>> Will Splunk pass variables to the script such as the source IP from
>>>>>> an alert?
>>>>>> 
>>>>>> Nick
>>>>>> 
>>>>>> On Jan 27, 2013, at 3:19 PM, Greg Williams <gwillia5 at ...15920...> wrote:
>>>>>> 
>>>>>>> Nick, I use Splunk to do this.  I feed Splunk the fast alerts and
>>>>>>> then either send emails or run scripts off specific matched criteria.
>>>>>>> Example: shut down a port based on more than 5 outbound ZeroAccess
>>>>>>> alerts in 5 minutes.
>>>>>>> 
>>>>>>> Nicholas Horton <fivetenets at ...14399...> wrote:
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> Is this referring to alert, drop, log, pass, etc?
>>>>>>> 
>>>>>>> If so are you saying it's possible that I can create a type to have
>>>>>>> it execute a command to the shell based on a specific alert?
>>>>>>> 
>>>>>>> This is what I'm looking for.
>>>>>>> 
>>>>>>> For example if rule 1:2924 gets triggered I not only want it to alert
>>>>>>> me about it but actually kick off a script to do something in case it's
>>>>>>> in the middle of the night or I'm simply at lunch.  To automate certain
>>>>>>> known alerts that are harmful and could spread through the LAN. Maybe I
>>>>>>> would even shut off the switch port that the device is connected to if
>>>>>>> it has a virus.
>>>>>>> 
>>>>>>> Does snort have this ability?  Can barnyard2?  I like using the
>>>>>>> abilities of a given program and would prefer not adding another layer
>>>>>>> of complexity to the equation such as swatch, but if that is what I
>>>>>>> need I'll use it.
>>>>>>> 
>>>>>>> What is the best practice for having scripts kick off to the shell
>>>>>>> based on specific alerts?
>>>>>>> 
>>>>>>> Thanks again
>>>>>>> Nick
>>>>>>> 
>>>>>>> On Jan 25, 2013, at 12:08 PM, Nicholas Horton <fivetenets at ...14399...> wrote:
>>>>>>> 
>>>>>>> Perfect. Thanks. I'll take a look in the manual.
>>>>>>> 
>>>>>>> Nick
>>>>>>> 
>>>>>>> On Jan 25, 2013, at 12:00 PM, Y M <snort at ...15979...> wrote:
>>>>>>> 
>>>>>>> You can also use custom action types. You define them in the snort.conf
>>>>>>> file, and use the new custom action type with your rules. Sorry I can't
>>>>>>> provide resources at the moment, but it should be in the manual.
>>>>>>> 
>>>>>>> YM
>>>>>>> ________________________________
>>>>>>> From: Nicholas Horton <fivetenets at ...14399...>
>>>>>>> Sent: 1/25/2013 7:26 PM
>>>>>>> To: Snort Users <snort-users at lists.sourceforge.net>
>>>>>>> Subject: [Snort-users] Real Time Alert and Variables
>>>>>>> 
>>>>>>> Is swatch still the best, only, current solution to kick off a
>>>>>>> script with variables such as source IP based on a specific snort alert?
>>>>>>> 
>>>>>>> Nick
>>>>>>> 
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, MVC, Windows 8 Apps,
>>>>>>> JavaScript and much more. Keep your skills current with LearnDevNow -
>>>>>>> 3,200 step-by-step video tutorials by Microsoft MVPs and experts. ON
>>>>>>> SALE this month only -- learn more at:
>>>>>>> http://p.sf.net/sfu/learnnow-d2d
>>>>>>> _______________________________________________
>>>>>>> Snort-users mailing list
>>>>>>> Snort-users at lists.sourceforge.net
>>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>> Snort-users list archive:
>>>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>>> 
>>>>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
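Nick's goal in the thread (a script kicked off with the source IP of a specific alert such as 1:2924) and Greg's "more than N alerts in 5 minutes" criterion, as an added Python example that is not code from the thread, from Snort or from Splunk: it parses alert_fast lines, counts hits per SID and source IP in a sliding time window, and hands the variables to a responder script as separate argv entries. It assumes the standard Snort 2.x fast-alert line layout and the year 2013 for the year-less timestamps; the responder path /usr/local/bin/respond.sh is hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Assumed Snort 2.x alert_fast layout (IPv4; ports absent for e.g. ICMP):
#   MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$")

def parse_fast_alert(line):
    """Fields of one fast-alert line as a dict, or None if the line is not an alert."""
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None
def script_argv(alert, script="/usr/local/bin/respond.sh"):
    """argv for the responder (hypothetical path): IP, SID and msg go as separate arguments, never into a shell string."""
    return [script, alert["src"], alert["sid"], alert["msg"]]
class AlertDispatcher:
    """Call handler(alert) once a watched SID is seen from one source IP `threshold` times inside `window_seconds`."""
    def __init__(self, watched_sids, threshold, window_seconds, handler, year=2013):
        self.watched, self.threshold, self.window, self.handler = set(watched_sids), threshold, window_seconds, handler
        self.year, self.hits = year, defaultdict(deque)  # year is assumed (alert_fast omits it); (sid, src) -> hit times
    def feed(self, line):
        alert = parse_fast_alert(line)
        if alert is None or alert["sid"] not in self.watched:
            return False
        ts = datetime.strptime("%d/%s" % (self.year, alert["ts"]), "%Y/%m/%d-%H:%M:%S.%f")
        q = self.hits[(alert["sid"], alert["src"])]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.window:   # evict hits that fell out of the window
            q.popleft()
        if len(q) < self.threshold:
            return False
        q.clear()                                           # fire once per burst, then count afresh
        self.handler(alert)
        return True

# Constructed sample lines (not from the thread): SID 2924 three times from one host in two minutes, once from another.
SAMPLE_LINES = [
    "01/27-22:44:10.000001  [**] [1:2924:12] CONSTRUCTED sample alert [**] [Classification: Trojan Activity] [Priority: 1] {TCP} 192.168.1.10:51234 -> 10.0.0.5:80",
    "01/27-22:44:40.000002  [**] [1:2924:12] CONSTRUCTED sample alert [**] [Classification: Trojan Activity] [Priority: 1] {TCP} 192.168.1.10:51235 -> 10.0.0.5:80",
    "01/27-22:45:05.000003  [**] [1:2924:12] CONSTRUCTED sample alert [**] [Classification: Trojan Activity] [Priority: 1] {TCP} 192.168.1.20:40000 -> 10.0.0.5:80",
    "01/27-22:46:00.000005  [**] [1:2924:12] CONSTRUCTED sample alert [**] [Classification: Trojan Activity] [Priority: 1] {TCP} 192.168.1.10:51236 -> 10.0.0.5:80",
]
def run_sample(threshold=3, window_seconds=300):
    launched = []   # argv lists the dispatcher would launch for the sample lines, watching SID 2924
    d = AlertDispatcher(["2924"], threshold, window_seconds, lambda a: launched.append(script_argv(a)))
    for line in SAMPLE_LINES:
        d.feed(line)
    return launched
```

In production the lines would come from tailing the alert_fast file (or from Barnyard2), and the handler would run the argv list with subprocess without a shell.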