[Snort-users] Real Time Alert and Variables

Justin tcpandip at ...11827...
Thu Jan 31 14:34:20 EST 2013


Well, it depends on how you define "free" and how much effort you're
willing to put in. In this context Bash, Cygwin, Python, Perl, Java, etc
are all free and can monitor files and send accompanying email.
On Jan 31, 2013 1:39 PM, "Michael Steele" <michaels at ...9077...> wrote:

> Is there anything out there that will monitor log files and email, that is
> free?
>
> Sometimes UNIX programs have a Windows counterpart.
>
> Best regards,
>
> Michael...
>
> *From:* Jeremy Hoel [mailto:jthoel at ...11827...]
> *Sent:* Thursday, January 31, 2013 11:09 AM
> *To:* Michael Steele
> *Subject:* Re: [Snort-users] Real Time Alert and Variables
>
> Yes.. if you are on the free version, once your enterprise trial is over
> there's no more email.
>
> On Jan 31, 2013 9:01 AM, "Michael Steele" <michaels at ...9077...> wrote:
>
> I'm told that Splunk has a 60 day trial and e-mail will not function after
> that day.
>
> Any truth to that?
>
> Best regards,
> Michael...
>
> > -----Original Message-----
> > From: Greg Williams [mailto:gwillia5 at ...15920...]
> > Sent: Monday, January 28, 2013 12:26 AM
> > To: Michael Steele
> > Cc: Snort Users
> > Subject: Re: [Snort-users] Real Time Alert and Variables
> >
> > Yes, exactly.  I added fast alerts to my barnyard config, it should be the
> > same in snort.conf.  Splunk is a log management system on steroids.  I use
> > BASE and Snorby for full packet analysis, but Splunk for trending and
> > alerting.  With Splunk I can correlate the IPs from the alerts with dhcp
> > snooping logs and run a script on a scheduled query to shut down a port.
> > I also use it to give me daily reports on the number of P2P client alerts
> > seen on specific subnets.  Example query is as simple as:
> >
> > sourcetype=snort P2P starthoursago=24 | stats count by Name
> >
> > On Jan 27, 2013, at 10:44 PM, "Michael Steele" <michaels at ...9077...>
> > wrote:
> >
> > > I'm intrigued.
> > >
> > > So I add to my snort.conf
> >
> > > output alert_fast: alert.ids
> > >
> > > I can use Splunk to watch the alert.ids file and trigger on patterns?
> > >
> > > Best regards,
> > > Michael...
> > >
> > >> -----Original Message-----
> > >> From: Greg Williams [mailto:gwillia5 at ...15920...]
> > >> Sent: Sunday, January 27, 2013 4:11 PM
> > >> To: Nicholas Horton
> > >> Cc: Snort Users
> > >> Subject: Re: [Snort-users] Real Time Alert and Variables
> > >>
> > >> Absolutely. It's an amazing piece of software.
> > >>
> > >> Nicholas Horton <fivetenets at ...14399...> wrote:
> > >>
> > >>
> > >> Perfect. Thanks Greg. I'll take a look.
> > >>
> > >> I use snorby for alert gathering but just need another piece for
> > >> performing automated tasks based on an alert.
> > >>
> > >> Will Splunk pass variables to the script such as the source IP from
> > >> an alert?
> > >>
> > >> Nick
> > >>
> > >> On Jan 27, 2013, at 3:19 PM, Greg Williams <gwillia5 at ...15920...> wrote:
> > >>
> > >>> Nick, I use Splunk to do this.  I feed Splunk the fast alerts and
> > >>> then either send emails or run scripts off specific matched criteria.
> > >>> Example: shut down a port based on more than 5 outbound ZeroAccess
> > >>> alerts in 5 minutes.
> > >>>
> > >>> Nicholas Horton <fivetenets at ...14399...> wrote:
> > >>>
> > >>>
> > >>>
> > >>> Is this referring to alert, drop, log, pass, etc?
> > >>>
> > >>> If so are you saying it's possible that I can create a type to have
> > >>> to execute a command to the shell based on a specific alert?
> > >>>
> > >>> This is what I'm looking for.
> > >>>
> > >>> For example if rule 1:2924 gets triggered I not only want to alert
> > >>> me about it but actually kick off a script to do something in case
> > >>> it's in the middle of the night or I'm simply at lunch.  To automate
> > >>> certain known alerts that are harmful and could spread through the
> > >>> LAN. Maybe I would even shut off the switch port that the device is
> > >>> connected to if it has a virus.
> > >>>
> > >>> Does snort have this ability?  Can barnyard2?  I like using abilities
> > >>> of a given program and would prefer not adding another layer of
> > >>> complexity to the equation such as swatch but if that is what I need
> > >>> I'll use it.
> > >>>
> > >>> What is the best practice for having scripts kick off to the shell
> > >>> based on specific alerts?
> > >>>
> > >>> Thanks again
> > >>> Nick
> > >>>
> > >>> On Jan 25, 2013, at 12:08 PM, Nicholas Horton
> > >>> <fivetenets at ...14399...> wrote:
> > >>>
> > >>> Perfect. Thanks. I'll take a look in the manual.
> > >>>
> > >>> Nick
> > >>>
> > >>> On Jan 25, 2013, at 12:00 PM, Y M <snort at ...15979...> wrote:
> > >>>
> > >>> You can also use custom action types. You define them in snort.conf
> > >>> file, and use the new custom action type with your rules. Sorry can't
> > >>> provide resources at the moment, but it should be in the manual.
> > >>>
> > >>> YM
> > >>> ________________________________
> > >>> From: Nicholas Horton <fivetenets at ...14399...>
> > >>> Sent: 1/25/2013 7:26 PM
> > >>> To: Snort Users <snort-users at lists.sourceforge.net>
> > >>> Subject: [Snort-users] Real Time Alert and Variables
> > >>>
> > >>> Is swatch still the best, only, current solution to kick off a
> > >>> script with variables such as source ip based on a specific snort
> > >>> alert?
> > >>>
> > >>> Nick
> > >>>
> > >>> ------------------------------------------------------------------------------
> > >>> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, MVC,
> > >>> Windows 8 Apps, JavaScript and much more. Keep your skills current with
> > >>> LearnDevNow - 3,200 step-by-step video tutorials by Microsoft MVPs and
> > >>> experts. ON SALE this month only -- learn more at:
> > >>> http://p.sf.net/sfu/learnnow-d2d
> > >>> _______________________________________________
> > >>> Snort-users mailing list
> > >>> Snort-users at lists.sourceforge.net
> > >>> Go to this URL to change user options or unsubscribe:
> > >>> https://lists.sourceforge.net/lists/listinfo/snort-users
> > >>> Snort-users list archive:
> > >>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >>>
> > >>> Please visit http://blog.snort.org to stay current on all the latest
> > >>> Snort news!
> > >
>
>
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_jan
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
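The thread's actual ask is a process that watches the alert_fast file, picks out specific SIDs, and kicks off a script with the alert's source IP as an argument, with Greg's "N alerts from one host in 5 minutes" rule on top. The following is an added example written for this page, not code posted by anyone on the thread and not part of Snort, barnyard2 or Splunk. It assumes the `output alert_fast:` line already quoted above, the Snort 2 `ruletype` syntax from the manual (the `contain` name and file names are illustrative), IPv4 alerts in the default fast format (with or without `-y`), and a hypothetical `shut_port.sh` that takes the source IP and SID as arguments. The sample alert lines are constructed for the example.

```python
"""Watch Snort alert_fast output and run a script with the alert's source IP.

Assumed snort.conf side (the thread's own output line, plus the Snort 2
manual's ruletype syntax; the 'contain' name and file names are illustrative):
    output alert_fast: alert.ids
    ruletype contain
    {
        type alert
        output alert_fast: contain.ids
    }
Rules declared as 'contain tcp ...' land in contain.ids, so only the alerts
you intend to act on need watching:  tail -F contain.ids | python3 this.py
"""
import ipaddress, re, subprocess, sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# alert_fast layout, IPv4 only; classification/priority are optional and
# ICMP alerts carry no ports.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_ts(ts, default_year=2013):
    """'MM/DD-HH:MM:SS.ffffff', or 'MM/DD/YY-...' when snort runs with -y."""
    date_part, time_part = ts.split("-", 1)
    f = date_part.split("/")
    year = 2000 + int(f[2]) if len(f) == 3 else default_year
    hh, mm, ss = time_part.split(":")
    sec, _, frac = ss.partition(".")
    return datetime(year, int(f[0]), int(f[1]), int(hh), int(mm), int(sec),
                    int((frac or "0").ljust(6, "0")[:6]))


def parse_alert(line):
    """Return a dict for one alert_fast line, or None for anything else."""
    m = FAST_RE.match(line.rstrip("\n"))
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"], alert["when"] = int(alert["sid"]), parse_ts(alert["ts"])
    return alert


class Responder:
    """Call action(src_ip, sid) once `threshold` alerts for a watched SID come
    from one source inside `window` (the 'N alerts in 5 minutes' rule above)."""
    def __init__(self, watched_sids, threshold, window, action):
        self.watched = set(watched_sids)
        self.threshold, self.window, self.action = threshold, window, action
        self.seen = defaultdict(deque)        # (sid, src) -> recent timestamps

    def feed(self, line):
        """Process one line; return the source IP if the action fired."""
        alert = parse_alert(line)
        if alert is None or alert["sid"] not in self.watched:
            return None
        times = self.seen[(alert["sid"], alert["src"])]
        times.append(alert["when"])
        while alert["when"] - times[0] > self.window:     # drop stale hits
            times.popleft()
        if len(times) < self.threshold:
            return None
        times.clear()                                     # one action per burst
        self.action(alert["src"], alert["sid"])
        return alert["src"]


def run_script(script, src_ip, sid):
    """Run `script <src_ip> <sid>` as an argv list, so nothing taken from the
    alert text ever reaches a shell; the address is validated first."""
    ipaddress.ip_address(src_ip)              # ValueError on anything odd
    subprocess.run([script, src_ip, str(sid)], check=False, timeout=60)


# Constructed sample alerts for this example (not real traffic).
SAMPLE = [
    "01/27-22:30:00.000001  [**] [1:2924:1] TEST msg [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.20:1025 -> 203.0.113.5:80",
    "01/27-22:44:01.000001  [**] [1:2924:1] TEST msg [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.10:49152 -> 203.0.113.5:80",
    "01/27-22:45:30.000001  [**] [1:2924:1] TEST msg [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.10:49153 -> 203.0.113.5:80",
    "01/27-22:46:00.000001  [**] [1:2924:1] TEST msg [**] [Priority: 1] {ICMP} 10.0.0.8 -> 203.0.113.5",
    "01/27-22:47:10.000001  [**] [1:1000001:1] LOCAL p2p [**] {TCP} 192.168.1.10:49154 -> 198.51.100.9:6881",
    "01/27-22:48:59.000001  [**] [1:2924:1] TEST msg [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.10:49155 -> 203.0.113.5:80",
    "01/27-22:49:00.000001  [**] [1:2924:1] TEST msg [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.20:1026 -> 203.0.113.5:80",
    "01/27-22:49:30.000001  [**] [1:2924:1] TEST msg [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.20:1027 -> 203.0.113.5:80",
]


def demo(threshold=3):
    """Replay SAMPLE through a Responder; return the (src, sid) pairs fired."""
    fired = []
    r = Responder({2924}, threshold, timedelta(minutes=5),
                  lambda ip, sid: fired.append((ip, sid)))
    for line in SAMPLE:
        r.feed(line)
    return fired


if __name__ == "__main__":
    # usage: tail -F /var/log/snort/alert.ids | python3 this.py ./shut_port.sh 2924
    script, *sids = sys.argv[1:]
    r = Responder({int(s) for s in sids}, 5, timedelta(minutes=5),
                  lambda ip, sid: run_script(script, ip, sid))
    for line in sys.stdin:
        r.feed(line)
```

Two design points matter here. The action is run as an argv list with a validated IP, never as a shell string built from alert text, since the `msg` field of a fast alert is attacker-influenced in some rules and a shell pipeline is exactly the kind of "other layer" that turns an IDS into a remote command runner. And the counter is per (SID, source) with the deque trimmed to the window, so one noisy host cannot fire the response for a quiet one, and the 22:30 hit from 192.168.1.20 in the sample is correctly discarded before its two hits at 22:49 are counted.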