Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-users] Extracting reports per IP address

from [Landon Stewart | Superb Internet Corp.] Network Security [Permanent Link]
Subject: [Snort-users] Extracting reports per IP address
Date: Tue, 14 Nov 2006 14:31:15 -0800 
We provide shared hosting, colocation services and server rental.  We need
to enforce our AUP more proactively and detect malicious outgoing traffic
before we get complaints about it.

We are mirroring outgoing traffic for 3 quite large VLANS to a machine with
a GigE interface.  The machine is running snort.  I have not even come close
to figuring out which rules we want to load yet.

What I want to do to be able to generate a report on a regular basis looking
for all of our IP addresses that were the source of a triggered event and
report those events to the customer responsible for that server.

While BASE provides a good way of viewing whats in the snort database it
does not do what I need.  I'm having a lot of trouble finding information on
reporting because the snort database, while optimized for speed, appears to
be quite complex.

On regular intervals I want to:
- Get all the source IP addresses and discard those that do not belong to us
since the last run
- For each IP address that has one or more event I want to list all the
events for that IP address
- I will then open a ticket on the responsible customer's account with this
information alerting them to the possibility of a policy violation or
security issue with their server.

Seems pretty straightforward but how can I get this information in a
readable report something like what is produced with the "Email Alert(s)
(full)" output included in BASE?

--
Landon Stewart
Superb Internet Corporation
Toll Free: 888-354-6128 x 4199 (US/Canada)
International: 604-638-2525 x 4199
CELEBRATING 10 YEARS OF HOSTING EXCELLENCE!  1996 - 2006
Web hosting and more "Ahead of the Rest": http://www.superb.net

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] Is there any documentation showing how to write a snort plugin?, Martin Roesch
Next by Date:  Re: [Snort-users] Extracting reports per IP address, Dev Anand
Previous by Thread:  [Snort-users] Seattle Snort User Group meets Tuesday, Nov 14 7:00 PM @ SSCC room RAH304 topic Sguil, James Affeld
Next by Thread:  Re: [Snort-users] Extracting reports per IP address, Dev Anand
Indexes:  [Date] [Thread] [Top] [All Lists]