[Snort-users] Real Time Alert and Variables

Nicholas Horton fivetenets at ...14399...
Tue Feb 12 08:18:20 EST 2013


Thanks Martin. 

I will post with the ELSA mailing list my specific case.

Thanks again,
Nick

On Feb 11, 2013, at 9:54 PM, Martin Holste <mcholste at ...11827...> wrote:

> I'll speak up regarding ELSA, as the open source project owner.  You can monitor logs (like Snort alerts) very easily for generic things like "trojan" or "exploit kit" or more advanced queries which mix proxy logs with Snort alerts to find correlated alerts like: "user_agent:java groupby:srcip | subsearch(sig_msg:trojan)" and then send that to a connector, like email alerts, which is built-in.  You can also easily write your own plugin in a few lines of Perl (or whatever language you want, then invoke from Perl) to do more advanced things, like shutdown ports, login to web apps, etc.  If you want, you can post your specific use case over on the ELSA mailing list (enterprise-log-search-and-archive.googlegroups.com) and I'll write the plugin for you.
> 
> 
> On Thu, Feb 7, 2013 at 11:11 AM, Nicholas Horton <fivetenets at ...14399...> wrote:
>> Thanks Jeremy. Thanks James.
>> 
>> I'll take a look at them.
>> 
>> Nick
>> 
>> On Feb 7, 2013, at 12:01 PM, "Lay, James" <james.lay at ...15009...> wrote:
>> 
>> > -----Original Message-----
>> > From: Jeremy Hoel [mailto:jthoel at ...11827...]
>> > Sent: Thursday, February 07, 2013 9:50 AM
>> > To: Nicholas Horton
>> > Cc: Michael Steele; Snort Users
>> > Subject: Re: [Snort-users] Real Time Alert and Variables
>> >
>> > You might want to check out ELSA and greylog.  We use greylog to get
>> > emails from logs that go to it.  They are kind of log viewers that
>> > are both getting better.
>> >
>> > WOTS (perl) and SEC (Simple Event Correlator) come to mind as well.
>> >
>> > James
>> >
>> > _______________________________________________
>> > Snort-users mailing list
>> > Snort-users at lists.sourceforge.net
>> > Go to this URL to change user options or unsubscribe:
>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>> > Snort-users list archive:
>> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> >
>> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>> 
> 
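The correlation Martin describes above, as an added example that is not part of the thread and not ELSA's own code: a small Python script that parses constructed Snort alert_fast lines and a constructed tab-separated proxy log, then applies the logic of the query `user_agent:java groupby:srcip | subsearch(sig_msg:trojan)` to produce the correlated alerts a connector (such as email) would receive. The SIDs, addresses and proxy log layout are invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the thread): three Snort alert_fast lines
# and four proxy log lines in an assumed tab-separated layout.
SNORT_ALERTS = """\
02/11-21:54:01.000000  [**] [1:9000001:1] CONSTRUCTED TROJAN beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49152 -> 203.0.113.7:80
02/11-21:55:10.000000  [**] [1:9000002:1] CONSTRUCTED POLICY ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.1
02/11-21:56:30.000000  [**] [1:9000003:1] CONSTRUCTED TROJAN download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.7:51000 -> 198.51.100.4:80
"""
PROXY_LOG = """\
2013-02-11T21:53:58\t10.0.0.5\tGET\thttp://203.0.113.7/update.jar\tMozilla/4.0 (Java/1.6.0_21)
2013-02-11T21:54:30\t10.0.0.9\tGET\thttp://example.net/\tMozilla/5.0 (Windows NT 6.1)
2013-02-11T21:56:20\t10.0.0.7\tGET\thttp://198.51.100.4/a.php\tJava/1.7.0_11
2013-02-11T21:57:00\t10.0.0.8\tGET\thttp://198.51.100.4/b.php\tJava/1.7.0_11
"""

# alert_fast layout: [**] [gid:sid:rev] msg [**] ... {proto} src[:port] -> dst[:port]
SNORT_RE = re.compile(
    r"\[\*\*\] \[(\d+:\d+:\d+)\] (.*?) \[\*\*\].*?\{(\w+)\} "
    r"([\d.]+)(?::\d+)? -> ([\d.]+)(?::\d+)?")

def parse_snort_fast(text):
    """Return one dict per alert line with sid, sig_msg, proto, srcip, dstip."""
    fields = ("sid", "sig_msg", "proto", "srcip", "dstip")
    return [dict(zip(fields, m.groups()))
            for m in (SNORT_RE.search(l) for l in text.splitlines()) if m]

def parse_proxy(text):
    """Return one dict per proxy line (assumed: ts, srcip, method, url, user_agent)."""
    rows = []
    for line in text.splitlines():
        ts, srcip, method, url, ua = line.split("\t")
        rows.append({"ts": ts, "srcip": srcip, "url": url, "user_agent": ua})
    return rows

def correlate(proxy_rows, alerts, ua_term="java", msg_term="trojan"):
    """user_agent:<ua_term> groupby:srcip | subsearch(sig_msg:<msg_term>):
    group matching proxy requests by source host, then keep only the Snort
    alerts from those hosts whose signature message matches."""
    by_host = defaultdict(list)
    for row in proxy_rows:
        if ua_term in row["user_agent"].lower():
            by_host[row["srcip"]].append(row["url"])
    return [{**a, "urls": by_host[a["srcip"]]} for a in alerts
            if a["srcip"] in by_host and msg_term in a["sig_msg"].lower()]

def format_for_connector(hit):
    """Render one correlated hit as the text an email connector would send."""
    return "%s: %s (%s) after Java fetch of %s" % (
        hit["srcip"], hit["sig_msg"], hit["sid"], ", ".join(hit["urls"]))
```

Running `correlate(parse_proxy(PROXY_LOG), parse_snort_fast(SNORT_ALERTS))` returns the two trojan alerts whose source hosts also fetched content with a Java user agent, and leaves out both the ICMP policy alert and the Java host with no alert.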