[Snort-users] Real Time Alert and Variables

Michael Steele michaels at ...9077...
Thu Jan 31 13:35:17 EST 2013


Is there anything out there that will monitor log files and email, that is
free?

 

Sometimes UNIX programs have a Windows counterpart.

 

Best regards,

Michael...

 

From: Jeremy Hoel [mailto:jthoel at ...11827...] 
Sent: Thursday, January 31, 2013 11:09 AM
To: Michael Steele
Subject: Re: [Snort-users] Real Time Alert and Variables

 

Yes.. if you are on the free version, once your enterprise trial is over
there's no more email.  

On Jan 31, 2013 9:01 AM, "Michael Steele" <michaels at ...9077...> wrote:

I'm told that Splunk has a 60 day trial and e-mail will not function after
that day.

Any truth to that?

Best regards,
Michael...

> -----Original Message-----
> From: Greg Williams [mailto:gwillia5 at ...15920...]
> Sent: Monday, January 28, 2013 12:26 AM
> To: Michael Steele
> Cc: Snort Users
> Subject: Re: [Snort-users] Real Time Alert and Variables
>
> Yes, exactly.  I added fast alerts to my barnyard config, it should be the
> same in snort.conf.  Splunk is a log management system on steroids.  I use
> BASE and Snorby for full packet analysis, but Splunk for trending and
> alerting.  With Splunk I can correlate the IPs from the alerts with dhcp
> snooping logs and run a script on a scheduled query to shut down a port.
> I also use it to give me daily reports on the number of P2P client alerts
> seen on specific subnets.
> Example query is as simple as:
>
> Sourcetype=snort P2P starthoursago=24 | stats count by Name
>
> On Jan 27, 2013, at 10:44 PM, "Michael Steele" <michaels at ...9077...>
> wrote:
>
> > I'm intrigued.
> >
> > So I add to my snort.conf
> >
> > output alert_fast: alert.ids
> >
> > I can use Splunk to watch the alert.ids file and trigger on patterns?
> >
> > Best regards,
> > Michael...
> >
> >> -----Original Message-----
> >> From: Greg Williams [mailto:gwillia5 at ...15920...]
> >> Sent: Sunday, January 27, 2013 4:11 PM
> >> To: Nicholas Horton
> >> Cc: Snort Users
> >> Subject: Re: [Snort-users] Real Time Alert and Variables
> >>
> >> Absolutely. It's an amazing piece of software.
> >>
> >> Nicholas Horton <fivetenets at ...14399...> wrote:
> >>
> >> Perfect. Thanks Greg. I'll take a look.
> >>
> >> I use snorby for alert gathering but just need another piece for
> >> performing automated tasks based on an alert.
> >>
> >> Will Splunk pass variables to the script such as the source IP from
> >> an alert?
> >>
> >> Nick
> >>
> >> On Jan 27, 2013, at 3:19 PM, Greg Williams <gwillia5 at ...15920...> wrote:
> >>
> >>> Nick, I use Splunk to do this.  I feed Splunk the fast alerts and
> >>> then either send emails or run scripts off specific matched criteria.
> >>> Example: shut down a port based on more than 5 outbound ZeroAccess
> >>> alerts in 5 minutes.
> >>>
> >>> Nicholas Horton <fivetenets at ...14399...> wrote:
> >>>
> >>> Is this referring to alert, drop, log, pass, etc?
> >>>
> >>> If so are you saying it's possible that I can create a type to have
> >>> to execute a command to the shell based on a specific alert?
> >>>
> >>> This is what I'm looking for.
> >>>
> >>> For example if rule 1:2924 gets triggered I not only want to alert
> >>> me about it but actually kick off a script to do something in case
> >>> it's in the middle of the night or I'm simply at lunch.  To automate
> >>> certain known alerts that are harmful and could spread through the
> >>> LAN. Maybe I would even shut off the switch port that the device is
> >>> connected to if it has a virus.
> >>>
> >>> Does snort have this ability?  Can barnyard2?  I like using
> >>> abilities of a given program and would prefer not adding another
> >>> layer of complexity to the equation such as swatch but if that is
> >>> what I need I'll use it.
> >>>
> >>> What is the best practice for having scripts kick off to the shell
> >>> based on specific alerts?
> >>>
> >>> Thanks again
> >>> Nick
> >>>
> >>> On Jan 25, 2013, at 12:08 PM, Nicholas Horton <fivetenets at ...14399...> wrote:
> >>>
> >>> Perfect. Thanks. I'll take a look in the manual.
> >>>
> >>> Nick
> >>>
> >>> On Jan 25, 2013, at 12:00 PM, Y M <snort at ...15979...> wrote:
> >>>
> >>> You can also use custom action types. You define them in snort.conf
> >>> file, and use the new custom action type with your rules. Sorry can't
> >>> provide resources at the moment, but it should be in the manual.
> >>>
> >>> YM
> >>> ________________________________
> >>> From: Nicholas Horton <fivetenets at ...14399...>
> >>> Sent: 1/25/2013 7:26 PM
> >>> To: Snort Users <snort-users at lists.sourceforge.net>
> >>> Subject: [Snort-users] Real Time Alert and Variables
> >>>
> >>> Is swatch still the best, only, current solution to kick off a
> >>> script with variables such as source IP based on a specific snort
> >>> alert?
> >>>
> >>> Nick
> >>>
> >>> ------------------------------------------------------------------------------
> >>> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, MVC,
> >>> Windows 8 Apps, JavaScript and much more. Keep your skills current with
> >>> LearnDevNow - 3,200 step-by-step video tutorials by Microsoft MVPs and
> >>> experts. ON SALE this month only -- learn more at:
> >>> http://p.sf.net/sfu/learnnow-d2d
> >>> _______________________________________________
> >>> Snort-users mailing list
> >>> Snort-users at lists.sourceforge.net
> >>> Go to this URL to change user options or unsubscribe:
> >>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>> Snort-users list archive:
> >>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >>>
> >>> Please visit http://blog.snort.org to stay current on all the latest
> >>> Snort news!
> >
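The posts above circle one question: how to get from a Snort fast alert to a script that receives the alert's variables (source IP, rule id) under a condition such as "more than 5 outbound alerts in 5 minutes", whether the glue is Splunk, swatch or a custom action type. The Python watcher below is an added example, not code from the thread, Snort, Splunk or swatch. It tails the file written by `output alert_fast: alert.ids`, parses each line, keeps a sliding-window count per source IP for sid 2924 (the rule number from the thread) and, once the threshold is passed, builds the argument vector for a response script. The script path `/usr/local/sbin/respond.sh`, the rule message text and all sample alert lines are constructed for the example; the line layout assumed is the default Snort 2 alert_fast format (no year in the timestamp, IPv4 addresses).

```python
"""Watch a Snort alert_fast file and launch a threshold-based response.
Added example for this thread (not code from Snort, Splunk, swatch or any
poster). Assumes the default Snort 2 alert_fast format (no year in the
timestamp, IPv4); the response script path is hypothetical."""
import re
import time
from collections import defaultdict, deque
from datetime import datetime

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:port -> dst:port
# Classification is absent for rules without a classtype; ports are absent for e.g. ICMP.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>" + IPV4 + r")(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>" + IPV4 + r")(?::(?P<dport>\d+))?\s*$")

def parse_fast_alert(line, year):
    """Return the alert's fields as a dict, or None for non-alert lines."""
    m = FAST_ALERT_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return {"time": datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f").replace(year=year),
            "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
            "msg": d["msg"], "classification": d["cls"], "priority": int(d["prio"]),
            "proto": d["proto"], "src": d["src"], "dst": d["dst"],
            "sport": int(d["sport"]) if d["sport"] else None,
            "dport": int(d["dport"]) if d["dport"] else None}

class AlertThreshold:
    """Fire `action` when one source IP exceeds `count` alerts for `sid` within `seconds`."""
    def __init__(self, sid, count, seconds, action):
        self.sid, self.count, self.seconds, self.action = sid, count, seconds, action
        self._seen = defaultdict(deque)   # src IP -> timestamps inside the window

    def feed(self, alert):
        if alert["sid"] != self.sid:
            return False
        window, now = self._seen[alert["src"]], alert["time"]
        window.append(now)
        while window and (now - window[0]).total_seconds() > self.seconds:
            window.popleft()               # expire alerts older than the window
        if len(window) > self.count:
            self.action(alert, len(window))
            window.clear()                 # a burst fires once, not on every further alert
            return True
        return False

def build_response_argv(alert, count):
    """argv for the response script: fields are separate arguments, never a shell
    string, because msg is free text from the rule author. Use subprocess.run(argv)."""
    return ["/usr/local/sbin/respond.sh",   # hypothetical path
            "--src", alert["src"], "--sid", str(alert["sid"]), "--count", str(count)]

def follow(path, poll=1.0):
    """Yield lines as Snort appends them (like tail -f); does not handle rotation."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        fh.seek(0, 2)                      # start at the end: only new alerts matter
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)

def _tcp(ts, src):   # builds one constructed TCP alert line
    return (f"{ts}  [**] [1:2924:1] CONSTRUCTED outbound alert [**] [Classification: "
            f"Potentially Bad Traffic] [Priority: 2] {{TCP}} {src}:51234 -> 203.0.113.5:80")

# Constructed sample (not real Snort output): sid 2924 is the rule number from the
# thread; message, rev and addresses are invented.
SAMPLE_LINES = [
    _tcp("01/27-22:44:01.100000", "192.168.1.10"),
    _tcp("01/27-22:44:30.000000", "192.168.1.10"),
    _tcp("01/27-22:45:02.000000", "192.168.1.10"),
    _tcp("01/27-22:45:30.000000", "192.168.1.11"),   # other source: counted separately
    "01/27-22:46:00.000000  [**] [1:2925:1] CONSTRUCTED other rule [**] "
    "[Priority: 3] {ICMP} 192.168.1.10 -> 203.0.113.9",  # no classtype, no ports, other sid
    _tcp("01/27-22:46:11.000000", "192.168.1.10"),
    _tcp("01/27-22:47:40.000000", "192.168.1.10"),
    "garbage line that is not an alert",
    _tcp("01/27-22:48:05.000000", "192.168.1.10"),   # 6th within 5 min -> response fires
    _tcp("01/27-22:55:00.000000", "192.168.1.10"),   # after the reset: count 1, no firing
]

def run_demo(lines=SAMPLE_LINES, year=2013):
    """Apply "more than 5 alerts in 5 minutes" for sid 2924; return every response argv."""
    fired = []
    threshold = AlertThreshold(2924, 5, 300, lambda a, n: fired.append(build_response_argv(a, n)))
    for line in lines:
        alert = parse_fast_alert(line, year)
        if alert is not None:
            threshold.feed(alert)
    return fired

if __name__ == "__main__":
    for argv in run_demo():
        print(" ".join(argv))       # for live use, iterate follow("alert.ids") instead
```

Run as a script it prints the single response the sample data triggers. For a live deployment, feed `follow("alert.ids")` into the same loop instead of `SAMPLE_LINES`, launch the script with `subprocess.run(argv)` rather than a shell string, and keep the window reset after a firing; without it every further alert in the same burst would launch the script again, which matters when the action is something as blunt as disabling a switch port.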



------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!
