[Snort-users] Real Time Alert and Variables

Michael Steele michaels at ...9077...
Sun Jan 27 23:45:05 EST 2013


I'm intrigued. 

So I add this to my snort.conf:

output alert_fast: alert.ids

I can use Splunk to watch the alert.ids file and trigger on patterns?

Best regards,
Michael...

> -----Original Message-----
> From: Greg Williams [mailto:gwillia5 at ...15920...]
> Sent: Sunday, January 27, 2013 4:11 PM
> To: Nicholas Horton
> Cc: Snort Users
> Subject: Re: [Snort-users] Real Time Alert and Variables
> 
> Absolutely. It's an amazing piece of software.
> 
> Nicholas Horton <fivetenets at ...14399...> wrote:
> 
> 
> Perfect. Thanks Greg. I'll take a look.
> 
> I use snorby for alert gathering but just need another piece for performing
> automated tasks based on an alert.
> 
> Will Splunk pass variables to the script such as the source IP from an alert?
> 
> Nick
> 
> On Jan 27, 2013, at 3:19 PM, Greg Williams <gwillia5 at ...15920...> wrote:
> 
> > Nick, I use Splunk to do this.  I feed Splunk the fast alerts and then
> > either send emails or run scripts off specific matched criteria. Example:
> > shut down a port based on more than 5 outbound ZeroAccess alerts in 5 minutes.
> >
> > Nicholas Horton <fivetenets at ...14399...> wrote:
> >
> >
> >
> > Is this referring to alert, drop, log, pass, etc?
> >
> > If so, are you saying it's possible that I can create a type to have to
> > execute a command to the shell based on a specific alert?
> >
> > This is what I'm looking for.
> >
> > For example if rule 1:2924 gets triggered I not only want it to alert me
> > about it but actually kick off a script to do something in case it's in the
> > middle of the night or I'm simply at lunch.  To automate certain known alerts
> > that are harmful and could spread through the LAN. Maybe I would even shut
> > off the switch port that the device is connected to if it has a virus.
> >
> > Does snort have this ability?  Can barnyard2?  I like using the abilities of
> > a given program and would prefer not adding another layer of complexity to
> > the equation such as swatch, but if that is what I need I'll use it.
> >
> > What is the best practice for having scripts kick off to the shell based on
> > specific alerts?
> >
> > Thanks again
> > Nick
> >
> > On Jan 25, 2013, at 12:08 PM, Nicholas Horton <fivetenets at ...14399...> wrote:
> >
> > Perfect. Thanks. I'll take a look in the manual.
> >
> > Nick
> >
> > On Jan 25, 2013, at 12:00 PM, Y M <snort at ...15979...> wrote:
> >
> > You can also use custom action types. You define them in the snort.conf
> > file, and use the new custom action type with your rules. Sorry, I can't
> > provide resources at the moment, but it should be in the manual.
> >
> > YM
> > ________________________________
> > From: Nicholas Horton<mailto:fivetenets at ...14399...>
> > Sent: 1/25/2013 7:26 PM
> > To: Snort Users<mailto:snort-users at lists.sourceforge.net>
> > Subject: [Snort-users] Real Time Alert and Variables
> >
> > Is swatch still the best, only, current solution to kick off a script with
> > variables such as source IP based on a specific snort alert?
> >
> > Nick
> >
> > ----------------------------------------------------------------------
> > -------- Master Visual Studio, SharePoint, SQL,
> > ASP.NET<http://ASP.NET>, C# 2012, HTML5, CSS, MVC, Windows 8 Apps,
> > JavaScript and much more. Keep your skills current with LearnDevNow -
> > 3,200 step-by-step video tutorials by Microsoft MVPs and experts. ON
> > SALE this month only -- learn more at:
> > http://p.sf.net/sfu/learnnow-d2d
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net<mailto:Snort-users at ...5870...
> > .net> Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
Snort
> news!
> 
>
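The pattern discussed in this thread (feed alert_fast output to a watcher, count matches per source host, and hand the source IP and SID to a response script once a threshold such as "more than 5 outbound alerts in 5 minutes" is crossed) is the same thing a small standalone script can do. The Python below is an added example, not code from the thread, from Snort, or from Splunk. It assumes Snort wrote alert.ids with the default alert_fast format and without -y (so timestamps carry no year; 2013 is taken from the thread's date), an IPv4 home network of 192.168.0.0/16, a constructed sample of alert lines (SID 1:2924 is the rule named in the thread, 1:9999999 and the message texts are placeholders), and a hypothetical response script path. It builds the argument vector for that script but never executes anything.

```python
"""Threshold watcher over Snort alert_fast output (added example, not from the thread)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One line as written by "output alert_fast: alert.ids" when Snort runs without -y,
# so the timestamp has no year.  [Classification] and [Priority] are optional
# because rules without a classtype omit them.  IPv4 endpoints are assumed.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample of alert.ids content (not real traffic).  1:2924 is the SID
# named in the thread; 1:9999999 is a placeholder SID and the messages are placeholders.
SAMPLE_ALERTS = """\
01/27-15:10:00.000000  [**] [1:2924:3] SAMPLE sid 2924 message [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 192.168.1.50:3210 -> 203.0.113.10:445
01/27-15:11:00.000000  [**] [1:2924:3] SAMPLE sid 2924 message [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 192.168.1.50:3211 -> 203.0.113.10:445
01/27-15:12:00.000000  [**] [1:2924:3] SAMPLE sid 2924 message [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 192.168.1.50:3212 -> 203.0.113.10:445
01/27-15:12:30.000000  [**] [1:2924:3] SAMPLE sid 2924 message [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 192.168.1.50:3213 -> 203.0.113.11:445
01/27-15:12:45.000000  [**] [1:9999999:1] SAMPLE placeholder rule [**] [Priority: 3] {ICMP} 203.0.113.10 -> 192.168.1.50
01/27-15:12:50.000000  [**] [1:2924:3] SAMPLE sid 2924 message [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 203.0.113.10:4444 -> 192.168.1.50:445
01/27-15:13:00.000000  [**] [1:2924:3] SAMPLE sid 2924 message [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 192.168.1.50:3214 -> 203.0.113.11:445
01/27-15:13:30.000000  [**] [1:2924:3] SAMPLE sid 2924 message [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 192.168.1.50:3215 -> 203.0.113.12:445
01/27-15:13:40.000000  [**] [1:2924:3] SAMPLE sid 2924 message [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 192.168.1.77:4000 -> 203.0.113.10:445
01/27-15:30:00.000000  [**] [1:2924:3] SAMPLE sid 2924 message [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 192.168.1.50:3216 -> 203.0.113.10:445
"""


def _split_addr(endpoint):
    """'192.168.1.50:3210' -> ('192.168.1.50', 3210); ICMP lines carry no port."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_fast_alert(line, year=2013):
    """Parse one alert_fast line into a dict; return None for lines that do not match."""
    m = FAST_RE.match(line)
    if not m:
        return None
    src, sport = _split_addr(m["src"])
    dst, dport = _split_addr(m["dst"])
    return {
        # The year is supplied by the caller (assumed 2013 here, the thread's date).
        "time": datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f"),
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"], "classification": m["cls"],
        "priority": int(m["prio"]) if m["prio"] else None,
        "proto": m["proto"], "src": src, "sport": sport, "dst": dst, "dport": dport,
    }


def find_threshold_hits(lines, sid, threshold=6, window=timedelta(minutes=5),
                        home_net="192.168.0.0/16", year=2013):
    """Return (src, count, time) whenever a host inside home_net raises `sid` at
    least `threshold` times within `window` ("more than 5 in 5 minutes" is
    threshold=6).  Alerts whose source is outside home_net are inbound and are
    ignored.  After a hit the source's window is cleared so one burst yields one
    action rather than one per extra alert.  Lines are assumed to arrive in time
    order, which is what tailing alert.ids gives you."""
    net = ipaddress.ip_network(home_net)
    recent = defaultdict(deque)  # src -> timestamps of matching alerts still in window
    hits = []
    for line in lines:
        a = parse_fast_alert(line, year)
        if a is None or a["sid"] != sid:
            continue
        try:
            if ipaddress.ip_address(a["src"]) not in net:
                continue
        except ValueError:  # source is not an IP literal
            continue
        q = recent[a["src"]]
        q.append(a["time"])
        while q and a["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            hits.append((a["src"], len(q), a["time"]))
            q.clear()
    return hits


def action_argv(hit, sid, script="/usr/local/sbin/isolate-host.sh"):
    """Build the argument vector that would pass the alert variables (source IP,
    SID, count, time) to a response script.  The script path is hypothetical;
    this only builds argv and never runs anything."""
    src, count, when = hit
    return [script, "--src", src, "--sid", str(sid), "--count", str(count),
            "--at", when.isoformat()]


if __name__ == "__main__":
    for hit in find_threshold_hits(SAMPLE_ALERTS.splitlines(), sid=2924):
        print(" ".join(action_argv(hit, 2924)))
```

Run against the constructed sample, 192.168.1.50 crosses the six-alert line at 15:13:30 and produces exactly one argv; the inbound line from 203.0.113.10 and the single alert from 192.168.1.77 do not. Restricting the count to sources inside the home network is what makes "outbound" meaningful, and clearing the window after a hit is the difference between one port shutdown and one per additional alert.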




