Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort and real-time alerting

From: "Jeronimo L. Cabral" <jelocabral () gmail com>
Date: Mon, 28 May 2012 13:14:34 -0300
Coming back to real-time monitoring of Snort, my Snort generates a lot
of snort log files under /var/log/snort, they have different names.

What can I do to monitor Snort if the file name changes ???

Thanks

On Thu, May 24, 2012 at 4:40 PM, JJC <cummingsj () gmail com> wrote:

I understand what you are saying, and in theory it can certainly
provide some insight into attacks against what it is that "you" are
"trying" to "protect".. that said.. why are you even allowing mysql
from the outside in your example, seems like a bad practice in the
first place, this is the kind of thing that generic firewalls and
logging thereof are for, no?  That type of thing notwithstanding, if
you can turn on more rules and look at traffic that may be "real"
attack traffic against things that "you" "don't" have, and still be
able to manage your alert volume, then more power to ya, I say if it
works for you then stick with it.. certainly not my methodology though
and I don't see how it's scalable in an environment with significant
traffic volume and a potentially large attack surface.

JJC

On Thu, May 24, 2012 at 10:09 AM, waldo kitty <wkitty42 () windstream net> wrote:

On 5/23/2012 15:45, JJC wrote:

Tune that system..


agreed...


I can fairly safely assume that if you have 20,000
rules enabled, you are looking for attacks against stuff that you
don't have.


that's a bad thing? if "you" attempt to see if "i" have mysql accessible from
the outside by trying to throw an attack at it, "i" want you blocked...
period... even if "i" never use mysql ever... the same statement applies if
"you" throw wordpress hacks at my network and "i'm" not running any dynamic
pages at all... or VOIP SIP scans... or SOLARIS telnet buffer overruns... etc...

"you" tried something dirty... that's all the proof needed in my book...
watching only for traffic that might affect the stuff you do run is allowing a
whole mash of other unnecessary traffic into your network that is attempting to
attack stuff you don't run... why allow any bad traffic at all? would you like
someone to test your house/apartment front door all the time every day to see if
it is unlocked or would you do something about it? ;)



JJC

On Wed, May 23, 2012 at 8:51 AM, Jeronimo L. Cabral
<jelocabral () gmail com>  wrote:

Something else: suppose I use logsurfer/swatch/logwatch to alert in
real time the Snorts events. Actually I have near 5 events per minute.

What is the criteria to take just a few number of critical events of
Snort ??? Because I have 20.000 signatures...

On Wed, May 23, 2012 at 11:40 AM, Jeronimo L. Cabral
<jelocabral () gmail com>  wrote:

What about Swatch ??? Is it more appropriate ???

On Wed, May 23, 2012 at 11:13 AM, Lay, James<james.lay () wincofoods com>  wrote:

-----Original Message-----
From: Jeronimo L. Cabral [mailto:jelocabral () gmail com]
Sent: Wednesday, May 23, 2012 8:10 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort and real-time alerting

Dear, I have a Snort 2.9 with Base running OK, but I need a real time
alerting mechanism via email if possible.

How can I do that ??? Any extra module to use in that way ???

Special thanks

JeLo


Log to fast alert then use wots/logsurfer/logwatch to tail/watch the
file and email out.  Assuming linux/BSD/OSX.

James



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: