Snort mailing list archives
RE: Alerting from Snort -- NOT HOW-TO, but what....
From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Thu, 2 May 2002 14:12:47 -0400
From: Tom Sevy [mailto:tsevy () epx com]
I am not asking how to alert from snort. But rather, if anyone has setup alerting (pager, for example) from snort, how did you go about determining what you wanted to be alerted on?
With the help of "swatch" I get paged on a few alerts, including... - ATTACK RESPONSES http dir listing - ATTACK RESPONSES command completed - ATTACK RESPONSES command error - ATTACK RESPONSES directory listing - ATTACK RESPONSES file copied ok - and a few custom ones...like HTTP_SERVER any -> any tftp.. All the alerts that generate pages are based on "response" rather then "stimulus"... I can't tell you this method is 100% fool proof (i.e. false positives, etc), but it's close. ;-)
My management has asked a couple of times, and I have (somewhat insubordinately) said absolutely not due to the sheer number of alerts that are logged by snort.
Hold your ground! Here's an idea... set something up to page you every time you see an alert for cmd.exe or root.exe (any worm related IIS attack will do). Then give your pager to your boss for about a hour or so....;-)
If there is anyone that has done this, I would be very interested in hearing from you.
Hope this helps, - Jeff _______________________________________________________________ Have big pipes? SourceForge.net is looking for download mirrors. We supply the hardware. You get the recognition. Email Us: bandwidth () sourceforge net _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Alerting from Snort -- NOT HOW-TO, but what.... Tom Sevy (May 02)
- <Possible follow-ups>
- RE: Alerting from Snort -- NOT HOW-TO, but what.... Wirth, Jeff (May 02)