[Snort-users] Real Time Alert and Variables

Jeremy Hoel jthoel at ...11827...
Thu Feb 7 11:50:07 EST 2013


You might want to check out ELSA and greylog.  We use greylog to get
emails from logs that go to it.  They are kind of log viewers that
are both getting better.



On Thu, Feb 7, 2013 at 3:50 PM, Nicholas Horton <fivetenets at ...14399...> wrote:
> Thanks Joel. I see.
>
> I also saw the monitoring and alerting functionality I'm looking for is in
> their enterprise edition and not the free one.
>
> Oh well :)
>
> Looks like I'll go back to your swatch solution unless there is anything else
> out there for real time specific alerting and sending variables to the shell
> to run in a script.
>
> Thanks again
> Nick
>
> On Feb 6, 2013, at 11:10 AM, Joel Esler <jesler at ...1935...> wrote:
>
> I did a quick Google:
>
> Download Splunk Enterprise for free. You'll get a Splunk Enterprise license
> for 60 days and you can index up to 500 megabytes of data per day. You can
> convert to a perpetual Free license or purchase an Enterprise license to
> continue using the expanded functionality designed for multi-user
> deployments.
>
> http://www.splunk.com/download?r=header
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Feb 6, 2013, at 8:50 AM, Nicholas Horton <fivetenets at ...14399...> wrote:
>
> Was anyone able to verify this?
>
> Is splunk for snort free or just a 60-day trial?
>
> Nick
>
> On Jan 31, 2013, at 10:58 AM, Michael Steele <michaels at ...9077...> wrote:
>
> I'm told that Splunk has a 60 day trial and e-mail will not function after
> that day.
>
> Any truth to that?
>
> Best regards,
> Michael...
>
> -----Original Message-----
> From: Greg Williams [mailto:gwillia5 at ...15920...]
> Sent: Monday, January 28, 2013 12:26 AM
> To: Michael Steele
> Cc: Snort Users
> Subject: Re: [Snort-users] Real Time Alert and Variables
>
> Yes, exactly.  I added fast alerts to my barnyard config, it should be the
> same in snort.conf.  Splunk is a log management system on steroids.  I use BASE
> and Snorby for full packet analysis, but Splunk for trending and alerting.  With
> Splunk I can correlate the IPs from the alerts with dhcp snooping logs to and
> run a script on a scheduled query to shut down a port.  I also use it to give me
> daily reports on the number of P2P client alerts seen on specific subnets.
> Example query is as simple as:
>
> Sourcetype=snort P2P starthoursago=24 | stats count by Name
>
> On Jan 27, 2013, at 10:44 PM, "Michael Steele" <michaels at ...9077...>
> wrote:
>
> I'm intrigued.
>
> So I add to my snort.conf
>
>
> output alert_fast: alert.ids
>
> I can use Splunk to watch the alert.ids file and trigger on patterns?
>
> Best regards,
> Michael...
>
> -----Original Message-----
> From: Greg Williams [mailto:gwillia5 at ...15920...]
> Sent: Sunday, January 27, 2013 4:11 PM
> To: Nicholas Horton
> Cc: Snort Users
> Subject: Re: [Snort-users] Real Time Alert and Variables
>
> Absolutely. It's an amazing piece of software.
>
> Nicholas Horton <fivetenets at ...14399...> wrote:
>
>
> Perfect. Thanks Greg. I'll take a look.
>
> I use snorby for alert gathering but just need another piece for performing
> automated tasks based on an alert.
>
> Will Splunk pass variables to the script such as the source IP from an
> alert?
>
>
> Nick
>
> On Jan 27, 2013, at 3:19 PM, Greg Williams <gwillia5 at ...15920...> wrote:
>
> Nick, I use Splunk to do this.  I feed Splunk the fast alerts and then
> either send emails or run scripts off specific matched criteria. Example:
> shutdown a port based on more than 5 outbound ZeroAccess alerts in 5 minutes.
>
>
> Nicholas Horton <fivetenets at ...14399...> wrote:
>
>
>
> Is this referring to alert, drop, log, pass, etc?
>
> If so are you saying it's possible that I can create a type to have to
> execute a command to the shell based on a specific alert?
>
>
> This is what I'm looking for.
>
> For example if rule 1:2924 gets triggered I not only want to alert me
> about it but actually kick off a script to do something in case it's in the
> middle of the night or I'm simply at lunch.  To automate certain known alerts that
> are harmful and could spread through the LAN. Maybe I would even shut
> off the switch port that the device is connected to if it has a virus.
>
>
> Does snort have this ability?  Can barnyard2?  I like using abilities of
> a given program and would prefer not adding another layer of complexity to
> the equation such as swatch but if that is what I need I'll use it.
>
>
> What is the best practice for having scripts kick off to the shell based
> on specific alerts?
>
>
> Thanks again
> Nick
>
> On Jan 25, 2013, at 12:08 PM, Nicholas Horton
> <fivetenets at ...14399...<mailto:fivetenets at ...14399...>> wrote:
>
>
> Perfect. Thanks. I'll take a look in the manual.
>
> Nick
>
> On Jan 25, 2013, at 12:00 PM, Y M
> <snort at ...15979...<mailto:snort at ...15979...>> wrote:
>
>
> You can also use custom action types. You define them in snort.conf file,
> and use the new custom action type with your rules. Sorry can't
> provide resources at the moment, but it should be in the manual.
>
>
> YM
> ________________________________
> From: Nicholas Horton<mailto:fivetenets at ...14399...>
> Sent: 1/25/2013 7:26 PM
> To: Snort Users<mailto:snort-users at lists.sourceforge.net>
> Subject: [Snort-users] Real Time Alert and Variables
>
> Is swatch still the best, only, current solution to kick off a script with
> variables such as source ip based on a specific snort alert?
>
>
> Nick
>
> --------------------------------------------------------------------
> --
> -------- Master Visual Studio, SharePoint, SQL,
> ASP.NET<http://ASP.NET>, C# 2012, HTML5, CSS, MVC, Windows 8 Apps,
> JavaScript and much more. Keep your skills current with LearnDevNow
> -
> 3,200 step-by-step video tutorials by Microsoft MVPs and experts. ON
> SALE this month only -- learn more at:
> http://p.sf.net/sfu/learnnow-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net<mailto:Snort-users at ...3471...
> ge .net> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-
>
> users
>
>
> Please visit http://blog.snort.org to stay current on all the latest
>
> Snort
>
> news!
>




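An added example, not code from anyone in the thread, of the automation Nick is asking about: it parses alert_fast lines such as those written by `output alert_fast: alert.ids`, counts hits per rule and source IP in a sliding window (Greg's "more than 5 alerts in 5 minutes"), and hands the source IP to a response script as separate argv entries rather than a shell string. The regex, the constructed sample lines and the script path /usr/local/bin/shut_port.sh are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# alert_fast record: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [...] {PROTO} src:port -> dst:port" (no ports for ICMP)
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")
def parse_fast_alert(line, year=2013):   # returns the alert fields, or None for a non-alert line
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f")  # fast format carries no year
    return d
def build_argv(script, alert):
    # Variables go to the script as separate argv entries (subprocess.run without shell=True),
    # so text from the signature message can never be interpreted as a shell command.
    return [script, "--sid", alert["sid"], "--src", alert["src"], "--proto", alert["proto"]]

class AlertResponder:
    """Run `action` once per (sid, src) when more than `threshold` alerts land within `window_s` seconds."""
    def __init__(self, watched_sids, threshold, window_s, action):
        self.watched, self.threshold, self.window = set(watched_sids), threshold, timedelta(seconds=window_s)
        self.action, self.history, self.fired = action, defaultdict(deque), set()
    def feed(self, line):
        a = parse_fast_alert(line)
        if a is None or a["sid"] not in self.watched:
            return None
        key = (a["sid"], a["src"])
        q = self.history[key]
        q.append(a["ts"])
        while q and a["ts"] - q[0] > self.window:   # slide the window: drop alerts that are too old
            q.popleft()
        if len(q) > self.threshold and key not in self.fired:
            self.fired.add(key)                     # fire once per offender, not on every further alert
            self.action(a)
            return key
        return None
# Constructed sample alert.ids lines (not captured traffic); sid 2924 is the rule number from the thread.
def _line(t, sid, src, dst, proto="UDP"):
    sport, dport = ("", "") if proto == "ICMP" else (":49152", ":16464")
    return (f"01/27-{t}.000000  [**] [1:{sid}:5] CONSTRUCTED outbound trojan traffic [**] "
            f"[Classification: A Network Trojan was detected] [Priority: 1] {{{proto}}} {src}{sport} -> {dst}{dport}")
SAMPLE_ALERTS = ([_line(f"22:{44 + i // 2}:{(i % 2) * 30:02d}", 2924, "10.0.0.5", "203.0.113.10") for i in range(6)]
                 + [_line(f"22:5{i}:00", 2924, "10.0.0.9", "203.0.113.11") for i in range(3)]   # only 3 hits
                 + [_line("22:55:00", 1000001, "10.0.0.9", "203.0.113.11", "ICMP")])          # unwatched sid
def run_sample(script="/usr/local/bin/shut_port.sh"):   # hypothetical response script path
    calls = []
    r = AlertResponder({"2924"}, threshold=5, window_s=300, action=lambda a: calls.append(build_argv(script, a)))
    return [k for k in (r.feed(l) for l in SAMPLE_ALERTS) if k], calls   # (fired keys, argv per firing)
```

Only the host with six hits inside the window fires, and it fires once; the three-hit host and the unwatched sid produce nothing.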