Snort mailing list archives
FW: sending alerts by email
From: "Mark Scott" <mscott () mtgroup com>
Date: Wed, 29 Jan 2003 21:36:37 -0600
Hi everyone,

We have been working on an app called PD Monitor Client that monitors the Windows Event Log in real time for Snort alerts. Each alert is displayed in the Client window so that it can be viewed live on your desktop. The Client also can be toggled 'On' or 'Off' to allow it to automatically forward all Snort Alerts to an email address. We have been testing it for the last 3 weeks or so and it appears to be stable in the W2K environment, still testing it on XP. If you would like a copy to try, go to http://perimeterdefenses.net. The PD Monitor Client is being released as freeware.

This monitor works in conjunction with Snort 1.8 or above; right now, however, it is running on Windows 2000 only. It assumes you will be running snort in a configuration that logs to the Windows Event Log. There are at least two ways to configure snort to log alerts to the event log:

1) Use the -E option at the command line when launching snort. Example:

   c:\snort\snort.exe -c c:\snort\snort.conf -E

2) Un-comment the line in your snort.conf file that says

   # output alert_syslog: LOG_AUTH LOG_ALERT

   Doing so will cause Snort to log to the Event Log.

Once again, when the client is installed, you can visually monitor your snort alerts using the console. Simply click "Start Monitoring". If you want to send alerts to an email address, go to the "Tools/Options" menu and fill in the information required. Then, again, click the "Start Monitoring" button.

ISSUES
------

1. XP - PD Client will run on XP, but it currently will only let you view the alerts via the console until the bugs are worked out of the email client.

2. Performance - generally the client runs in real time. However, during periods of EXTREMELY high activity, such as in a ping flood or other DOS attacks when Snort is logging tons of alerts, the console may seem unresponsive, since it's sending so much mail. During regular activity, however, the client responds well. Just keep that in mind when your alerts are spinning down the console screen.

Some people may be selective about what they get in the way of alerts (alerts based on priority, classification, sid, etc.). If you find yourself wishing you could have a way to filter the alerts you receive, please let us know so we can begin adding stuff into our next release. And of course, any bugs you find would be nice to know, too. Send any bug report to support () mtgroup com.

Thanks,
Mark
Mark.Scott () mtgroup com

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Romulo M. Cholewa
Sent: Monday, January 27, 2003 10:05 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] sending alerts by email / active response Win2K system [RMC-J7FLJI4]

Hi All,

Sorry about this bunch of newbie questions. I'm in the path of evaluating snort, and it's being used on Windows 2000 Server. Everything is running really smooth. I had a BSOD, but I think it's related to the packet capture driver version.

I would like to ask experienced snort users if there are any ways of emailing some alerts (maybe a perl script of some sort that would parse the alert.ids file and send emails if it finds a specific alert). Also, if there are any ways of automating the process of filtering out dynamically some kinds of attacks. I already know that it will not be easy with Windows 2000, but maybe snort can be used together with some firewall / filtering product available. Currently using Zone Alarm Pro.

If these things are possible, I would like to thank in advance if someone could point me in the right direction.

Thanks again,
Romulo M. Cholewa
Home : http://www.rmc.eti.br
Forum: http://zeus.rmc.eti.br/forum
PGP Keys Available @ website.
"Those who make peaceful revolution impossible will make violent revolution inevitable." -- JFK.
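Romulo asks for a script that parses alert.ids and mails only specific alerts, and Mark notes that people want filtering by priority, classification or sid. The following is an added example, not code from either poster or from PD Monitor Client: it assumes alert.ids is in Snort's multi-line "full" alert format, parses constructed sample records, keeps only alerts that pass a priority/sid filter, and batches the matches into one message so a flood of alerts does not become a flood of mail.

```python
import re
from email.message import EmailMessage

# Constructed sample records in Snort's "full" alert format; the rule
# ids and addresses are made up for this example.
SAMPLE_ALERTS = """\
[**] [1:1411:3] SNMP public access udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/27-22:05:17.123456 192.168.1.50:1031 -> 192.168.1.1:161
UDP TTL:128 TOS:0x0 ID:1234 IpLen:20 DgmLen:70

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/27-22:05:18.000001 10.0.0.7 -> 192.168.1.1
ICMP TTL:40 TOS:0x0 ID:5 IpLen:20 DgmLen:28

[**] [1:366:4] ICMP PING *NIX [**]
[Classification: Misc activity] [Priority: 3]
01/27-22:05:19.000001 10.0.0.9 -> 192.168.1.1
ICMP TTL:64 TOS:0x0 ID:6 IpLen:20 DgmLen:84
"""

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
CLASS = re.compile(r"\[Classification: (.*?)\] \[Priority: (\d+)\]")

def parse_alerts(text):
    """Split the file into blank-line-separated records; pull gid, sid, msg, priority."""
    alerts = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.splitlines()
        head = HEADER.match(lines[0])
        cls = CLASS.match(lines[1]) if len(lines) > 1 else None
        if not head:
            continue  # not an alert header (e.g. a stray line); skip it
        alerts.append({
            "gid": int(head.group(1)), "sid": int(head.group(2)),
            "msg": head.group(4),
            "classification": cls.group(1) if cls else "",
            "priority": int(cls.group(2)) if cls else 99,  # unknown = lowest
            "raw": record,
        })
    return alerts

def select_alerts(alerts, max_priority=2, sids=None):
    """Keep alerts at priority <= max_priority (1 is most severe) or with a listed sid."""
    return [a for a in alerts
            if a["priority"] <= max_priority or (sids and a["sid"] in sids)]

def build_digest(alerts, sender, recipient):
    """One digest message for all matches instead of one mail per alert."""
    msg = EmailMessage()
    msg["Subject"] = f"Snort: {len(alerts)} alert(s) matched filter"
    msg["From"], msg["To"] = sender, recipient
    msg.set_content("\n\n".join(a["raw"] for a in alerts))
    return msg
```

Handing the returned message to `smtplib.SMTP(host).send_message(msg)` would deliver it; delivery is left out so the block runs offline.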