[Snort-users] Real Time Alert and Variables

Michael Steele michaels at ...9077...
Thu Jan 31 10:58:12 EST 2013


I'm told that Splunk has a 60-day trial and e-mail will not function after
that day.

Any truth to that?

Best regards,
Michael...

> -----Original Message-----
> From: Greg Williams [mailto:gwillia5 at ...15920...]
> Sent: Monday, January 28, 2013 12:26 AM
> To: Michael Steele
> Cc: Snort Users
> Subject: Re: [Snort-users] Real Time Alert and Variables
> 
> Yes, exactly.  I added fast alerts to my barnyard config, it should be the
> same in snort.conf.  Splunk is a log management system on steroids.  I use
> BASE and Snorby for full packet analysis, but Splunk for trending and
> alerting.  With Splunk I can correlate the IPs from the alerts with dhcp
> snooping logs and run a script on a scheduled query to shut down a port.  I
> also use it to give me daily reports on the number of P2P client alerts seen
> on specific subnets.  Example query is as simple as:
> 
> Sourcetype=snort P2P starthoursago=24 | stats count by Name
> 
> On Jan 27, 2013, at 10:44 PM, "Michael Steele" <michaels at ...9077...>
> wrote:
> 
> > I'm intrigued.
> >
> > So I add to my snort.conf
> >
> > output alert_fast: alert.ids
> >
> > I can use Splunk to watch the alert.ids file and trigger on patterns?
> >
> > Best regards,
> > Michael...
> >
> >> -----Original Message-----
> >> From: Greg Williams [mailto:gwillia5 at ...15920...]
> >> Sent: Sunday, January 27, 2013 4:11 PM
> >> To: Nicholas Horton
> >> Cc: Snort Users
> >> Subject: Re: [Snort-users] Real Time Alert and Variables
> >>
> >> Absolutely. It's an amazing piece of software.
> >>
> >> Nicholas Horton <fivetenets at ...14399...> wrote:
> >>
> >>
> >> Perfect. Thanks Greg. I'll take a look.
> >>
> >> I use snorby for alert gathering but just need another piece for
> >> performing automated tasks based on an alert.
> >>
> >> Will Splunk pass variables to the script such as the source IP from an
> >> alert?
> >>
> >> Nick
> >>
> >> On Jan 27, 2013, at 3:19 PM, Greg Williams <gwillia5 at ...15920...> wrote:
> >>
> >>> Nick, I use Splunk to do this.  I feed Splunk the fast alerts and then
> >>> either send emails or run scripts off specific matched criteria.  Example:
> >>> shut down a port based on more than 5 outbound ZeroAccess alerts in 5
> >>> minutes.
> >>>
> >>> Nicholas Horton <fivetenets at ...14399...> wrote:
> >>>
> >>>
> >>>
> >>> Is this referring to alert, drop, log, pass, etc?
> >>>
> >>> If so, are you saying it's possible that I can create a type to have to
> >>> execute a command to the shell based on a specific alert?
> >>>
> >>> This is what I'm looking for.
> >>>
> >>> For example, if rule 1:2924 gets triggered I not only want to alert me
> >>> about it but actually kick off a script to do something in case it's in
> >>> the middle of the night or I'm simply at lunch.  To automate certain
> >>> known alerts that are harmful and could spread through the LAN.  Maybe I
> >>> would even shut off the switch port that the device is connected to if
> >>> it has a virus.
> >>>
> >>> Does snort have this ability?  Can barnyard2?  I like using abilities of
> >>> a given program and would prefer not adding another layer of complexity
> >>> to the equation such as swatch, but if that is what I need I'll use it.
> >>>
> >>> What is the best practice for having scripts kick off to the shell based
> >>> on specific alerts?
> >>>
> >>> Thanks again
> >>> Nick
> >>>
> >>> On Jan 25, 2013, at 12:08 PM, Nicholas Horton <fivetenets at ...14399...> wrote:
> >>>
> >>> Perfect. Thanks. I'll take a look in the manual.
> >>>
> >>> Nick
> >>>
> >>> On Jan 25, 2013, at 12:00 PM, Y M <snort at ...15979...> wrote:
> >>>
> >>> You can also use custom action types. You define them in the snort.conf
> >>> file, and use the new custom action type with your rules. Sorry, can't
> >>> provide resources at the moment, but it should be in the manual.
> >>>
> >>> YM
> >>> ________________________________
> >>> From: Nicholas Horton <fivetenets at ...14399...>
> >>> Sent: 1/25/2013 7:26 PM
> >>> To: Snort Users <snort-users at lists.sourceforge.net>
> >>> Subject: [Snort-users] Real Time Alert and Variables
> >>>
> >>> Is swatch still the best, only, current solution to kick off a script
> >>> with variables such as source IP based on a specific snort alert?
> >>>
> >>> Nick
> >>>
> >>> ------------------------------------------------------------------------------
> >>> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, MVC,
> >>> Windows 8 Apps, JavaScript and much more. Keep your skills current with
> >>> LearnDevNow - 3,200 step-by-step video tutorials by Microsoft MVPs and
> >>> experts. ON SALE this month only -- learn more at:
> >>> http://p.sf.net/sfu/learnnow-d2d
> >>> _______________________________________________
> >>> Snort-users mailing list
> >>> Snort-users at lists.sourceforge.net
> >>> Go to this URL to change user options or unsubscribe:
> >>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>> Snort-users list archive:
> >>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >>>
> >>> Please visit http://blog.snort.org to stay current on all the latest
> >>> Snort news!
> >
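The alert-to-script pattern the thread circles around (watching alert_fast output, carrying the source IP along as a variable, and acting only after more than 5 outbound ZeroAccess alerts from one host in 5 minutes), as an added example that is not part of the original thread or of Snort, Splunk or swatch. The parser, the ThresholdTrigger class, the sample lines and the rule message text are assumptions constructed for this example; it returns the variables a containment script would be given rather than invoking one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout of one alert_fast line: ts [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$")

def parse_fast_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if the line does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f")  # fast format has no year; 1900 is fine for deltas
    return d

class ThresholdTrigger:
    """Fire once per source IP when more than `limit` alerts matching `msg_pattern` land within `window`."""
    def __init__(self, msg_pattern, limit=5, window=timedelta(minutes=5)):
        self.msg_re = re.compile(msg_pattern, re.IGNORECASE)
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)   # src ip -> timestamps of matching alerts still inside the window
        self.fired = set()               # hosts already acted on: one action per host, not one per alert
    def feed(self, line):
        """Consume one line; return the variables a script needs (src_ip, count, sid) when the threshold is crossed."""
        a = parse_fast_alert(line)
        if a is None or not self.msg_re.search(a["msg"]):
            return None
        q = self.seen[a["src"]]
        q.append(a["ts"])
        while a["ts"] - q[0] > self.window:   # expire alerts that fell out of the window
            q.popleft()
        if len(q) > self.limit and a["src"] not in self.fired:
            self.fired.add(a["src"])
            return {"src_ip": a["src"], "count": len(q), "sid": a["sid"]}
        return None

def run(lines, msg_pattern="ZeroAccess", limit=5):
    t = ThresholdTrigger(msg_pattern, limit)   # collect the actions that would be handed to a script
    return [r for r in (t.feed(l) for l in lines) if r]

def sample_line(ts, src, sport, msg="ZeroAccess outbound (constructed msg)"):
    # Constructed alert_fast line, not real traffic; sid 2924 is the rule number mentioned in the thread
    return (f"{ts}  [**] [1:2924:9] {msg} [**] [Classification: A Network Trojan was detected] "
            f"[Priority: 1] {{UDP}} {src}:{sport} -> 198.51.100.9:16464")

# Constructed sample: six hits from 10.0.0.5 inside five minutes, then a single hit from 10.0.0.7
SAMPLE = [sample_line(f"01/27-22:0{i}:00.000000", "10.0.0.5", 40000 + i) for i in range(6)]
SAMPLE.append(sample_line("01/27-22:07:00.000000", "10.0.0.7", 4000))
```

Feeding the same parsed fields to a scheduled query or a script is what Splunk or swatch would do on top of this; the trigger's once-per-host set is the piece that keeps a noisy rule from firing the script on every alert.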