[Snort-users] Real Time Alert and Variables

Greg Williams gwillia5 at ...15920...
Mon Jan 28 00:25:52 EST 2013


Yes, exactly.  I added fast alerts to my barnyard config; it should be the same in snort.conf.  Splunk is a log management system on steroids.  I use BASE and Snorby for full packet analysis, but Splunk for trending and alerting.  With Splunk I can correlate the IPs from the alerts with DHCP snooping logs and run a script on a scheduled query to shut down a port.  I also use it to give me daily reports on the number of P2P client alerts seen on specific subnets.  An example query is as simple as:

Sourcetype=snort P2P starthoursago=24 | stats count by Name

On Jan 27, 2013, at 10:44 PM, "Michael Steele" <michaels at ...9077...> wrote:

> I'm intrigued. 
> 
> So I add to my snort.conf

> output alert_fast: alert.ids
> 
> I can use Splunk to watch the alert.ids file and trigger on patterns?
> 
> Best regards,
> Michael...
> 
>> -----Original Message-----
>> From: Greg Williams [mailto:gwillia5 at ...15920...]
>> Sent: Sunday, January 27, 2013 4:11 PM
>> To: Nicholas Horton
>> Cc: Snort Users
>> Subject: Re: [Snort-users] Real Time Alert and Variables
>> 
>> Absolutely. It's an amazing piece of software.
>> 
>> Nicholas Horton <fivetenets at ...14399...> wrote:
>> 
>> 
>> Perfect. Thanks Greg. I'll take a look.
>> 
>> I use Snorby for alert gathering but just need another piece for
>> performing automated tasks based on an alert.
>> 
>> Will Splunk pass variables to the script such as the source IP from an
>> alert?
>> 
>> Nick
>> 
>> On Jan 27, 2013, at 3:19 PM, Greg Williams <gwillia5 at ...15920...> wrote:
>> 
>>> Nick, I use Splunk to do this.  I feed Splunk the fast alerts and then
>>> either send emails or run scripts off specific matched criteria. Example:
>>> shut down a port based on more than 5 outbound ZeroAccess alerts in 5
>>> minutes.
>>> 
>>> Nicholas Horton <fivetenets at ...14399...> wrote:
>>> 
>>> 
>>> 
>>> Is this referring to alert, drop, log, pass, etc?
>>> 
>>> If so are you saying it's possible that I can create a type to have to
>>> execute a command to the shell based on a specific alert?
>>> 
>>> This is what I'm looking for.
>>> 
>>> For example if rule 1:2924 gets triggered I not only want it to alert me
>>> about it but actually kick off a script to do something in case it's in
>>> the middle of the night or I'm simply at lunch.  To automate certain known
>>> alerts that are harmful and could spread through the LAN. Maybe I would
>>> even shut off the switch port that the device is connected to if it has a
>>> virus.
>>> 
>>> Does snort have this ability?  Can barnyard2?  I like using abilities of
>>> a given program and would prefer not adding another layer of complexity
>>> to the equation such as swatch, but if that is what I need I'll use it.
>>> 
>>> What is the best practice for having scripts kick off to the shell based
>>> on specific alerts?
>>> 
>>> Thanks again
>>> Nick
>>> 
>>> On Jan 25, 2013, at 12:08 PM, Nicholas Horton <fivetenets at ...14399...> wrote:
>>> 
>>> Perfect. Thanks. I'll take a look in the manual.
>>> 
>>> Nick
>>> 
>>> On Jan 25, 2013, at 12:00 PM, Y M <snort at ...15979...> wrote:
>>> 
>>> You can also use custom action types. You define them in the snort.conf
>>> file, and use the new custom action type with your rules. Sorry, I can't
>>> provide resources at the moment, but it should be in the manual.
>>> 
>>> YM
>>> ________________________________
>>> From: Nicholas Horton <fivetenets at ...14399...>
>>> Sent: 1/25/2013 7:26 PM
>>> To: Snort Users <snort-users at lists.sourceforge.net>
>>> Subject: [Snort-users] Real Time Alert and Variables
>>> 
>>> Is swatch still the best, only, current solution to kick off a script
>>> with variables such as source IP based on a specific snort alert?
>>> 
>>> Nick
>>> 
>>> ----------------------------------------------------------------------
>>> -------- Master Visual Studio, SharePoint, SQL,
>>> ASP.NET<http://ASP.NET>, C# 2012, HTML5, CSS, MVC, Windows 8 Apps,
>>> JavaScript and much more. Keep your skills current with LearnDevNow -
>>> 3,200 step-by-step video tutorials by Microsoft MVPs and experts. ON
>>> SALE this month only -- learn more at:
>>> http://p.sf.net/sfu/learnnow-d2d
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net<mailto:Snort-users at ...5870...
>>> .net> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>> 
>>> Please visit http://blog.snort.org to stay current on all the latest
> Snort
>> news!
> 
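The pattern Greg describes (count the hits of one rule per source host, and once a host crosses "more than 5 in 5 minutes" run a script that receives that host's IP) reimplemented over Snort's own `output alert_fast` lines in Python, so it can be tried without Splunk. This is an added example, not code from the thread or from Snort, barnyard2 or Splunk. The alert lines, the rule sid 1:1000001 and the script path /usr/local/bin/shut-port.sh are constructed for the example; the only thing taken from Snort is the alert_fast line layout.

```python
"""Sliding-window trigger over Snort alert_fast lines (added example).

The alert lines, the rule sid 1:1000001 and the script path below are
constructed for this example; they are not from the thread or from any
Snort rule set.
"""
import ipaddress
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime

# Snort 2.9 alert_fast line (output alert_fast, no packet details):
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: c]
#   [Priority: n] {PROTO} src[:port] -> dst[:port]
# Classification is optional (rules without classtype) and ICMP has no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line, year=2013):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    # alert_fast timestamps carry no year; the caller supplies it.
    a["time"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f").replace(year=year)
    a["rule"] = f"{a['gid']}:{a['sid']}"
    # Reject anything that is not a real address before it can reach a script.
    ipaddress.ip_address(a["src"])
    ipaddress.ip_address(a["dst"])
    return a


class AlertTrigger:
    """Fire once per source host when `rule` hits more than `threshold` times
    from that host inside `window` seconds (Greg's "more than 5 in 5 minutes")."""

    def __init__(self, rule, threshold=5, window=300,
                 script="/usr/local/bin/shut-port.sh"):  # hypothetical script path
        self.rule, self.threshold, self.window, self.script = rule, threshold, window, script
        self.hits = defaultdict(deque)  # src ip -> timestamps inside the window
        self.fired = {}                 # src ip -> time the action last ran

    def feed(self, line, year=2013):
        """Consume one alert line; return the argv to run, or None."""
        a = parse_alert(line, year)
        if a is None or a["rule"] != self.rule:
            return None
        t, src = a["time"], a["src"]
        q = self.hits[src]
        q.append(t)
        while (t - q[0]).total_seconds() > self.window:  # drop hits older than the window
            q.popleft()
        if len(q) <= self.threshold:
            return None
        last = self.fired.get(src)
        if last is not None and (t - last).total_seconds() <= self.window:
            return None  # already acted on this host in the current window
        self.fired[src] = t
        # The IP travels as its own argv element and no shell is involved, so
        # nothing taken from alert text can be interpreted as a command.
        return [self.script, src]


def run_action(argv, dry_run=True):
    """Run the script in argv form (no shell). A dry run only returns argv."""
    if not dry_run:
        subprocess.run(argv, check=False)
    return argv


def process(lines, trigger, dry_run=True):
    """Feed every line to the trigger; return the list of actions that fired."""
    actions = []
    for line in lines:
        argv = trigger.feed(line)
        if argv:
            actions.append(run_action(argv, dry_run))
    return actions


# Constructed sample alerts: seven hits for rule 1:1000001 from 192.168.1.50
# (the sixth crosses the threshold, the seventh is suppressed), one hit from
# another host, one unrelated rule, and one port-less ICMP alert.
Z = ("[1:1000001:1] EXAMPLE ZeroAccess outbound (constructed) [**] "
     "[Classification: A Network Trojan was Detected] [Priority: 1] {UDP}")
SAMPLE_ALERTS = [
    f"01/27-15:19:02.000001  [**] {Z} 192.168.1.50:50123 -> 203.0.113.10:16464",
    f"01/27-15:19:40.215000  [**] {Z} 192.168.1.50:50123 -> 203.0.113.11:16464",
    f"01/27-15:20:00.000000  [**] {Z} 192.168.1.77:41000 -> 203.0.113.10:16464",
    f"01/27-15:20:15.000000  [**] {Z} 192.168.1.50:50124 -> 203.0.113.12:16464",
    "01/27-15:20:30.000000  [**] [1:1000002:1] EXAMPLE other rule (constructed) [**] "
    "[Priority: 2] {TCP} 192.168.1.50:50125 -> 203.0.113.20:80",
    f"01/27-15:21:03.000000  [**] {Z} 192.168.1.50:50126 -> 203.0.113.13:16464",
    f"01/27-15:22:30.000000  [**] {Z} 192.168.1.50:50127 -> 203.0.113.14:16464",
    f"01/27-15:23:55.000000  [**] {Z} 192.168.1.50:50128 -> 203.0.113.15:16464",
    f"01/27-15:24:30.000000  [**] {Z} 192.168.1.50:50129 -> 203.0.113.16:16464",
    "01/27-15:25:00.000000  [**] [1:1000003:1] EXAMPLE ICMP probe (constructed) [**] "
    "[Priority: 3] {ICMP} 192.168.1.77 -> 192.168.1.1",
]

if __name__ == "__main__":
    for argv in process(SAMPLE_ALERTS, AlertTrigger("1:1000001")):
        print("would run:", " ".join(argv))
```

Pointing this at a real file means tailing alert.ids and feeding each new line to `feed()`; the dry-run default exists so the threshold logic can be checked against a day of alerts before anything is allowed to touch a switch port.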