Network Security: Detailed info on Re: [Snort-users] Alerting in near-real-time

Subject:	Re: [Snort-users] Alerting in near-real-time
Date:	Thu, 10 May 2007 21:50:31 +0100

Paul,

Thanks for the reply.  I have looked at sguil (following your post) and I 
think it may cover what I am looking for, but the install documentation 
indicates relations to lots of other packages such as NSM and p0f and 
includes a lot of detail on setting up the snort install, logging to what 
looks like another database (i.e. a sguil database rather than the initial 
snort one which is included in the snort documentation).

I don't mind re-installing snort from scratch if necessary, but I'm trying 
towork forward from an existing snort install and add this alerting 
function.  Do you know of any documentation covering adding sguil to an 
existing install, or whether I just need the exisiting database ?

Thanks,

David
=================================
David Ryan
IT Security Engineer, Global IT Security
Quintiles, Global IT - Infrastructure, QDUB

david.ryan@quintiles.com
v:  +353-1-819-5186, GMT+0
m: +353-87-124-9108
=================================



"Paul Halliday" <paul.halliday@gmail.com> 
10/05/2007 16:48

To
"David.Ryan@quintiles.com" <David.Ryan@quintiles.com>
cc
snort-users@lists.sourceforge.net
Subject
Re: [Snort-users] Alerting in near-real-time






http://sguil.sourceforge.net/

On 5/10/07, David.Ryan@quintiles.com <David.Ryan@quintiles.com> wrote:


Thanks to all on the list for their help to date.

I am still trying to get my head around something which I still can't
understand in the overall snort model and I'm hoping someone can set me
straight on what I'm missing (or what I'm assuming incorrectly).  I may

have

asked this to the list before, but I can't find it.  Apologies if I'm

asking

the same question again.

What I have got so far . . .  snort sniffs packets, matches those

packets

against rules and can log the results via a variety of output plugins to
various repositories.  It can log directly to a variety of databases,

but

from an optimisation point of view it is better to use unified output,

pass

that to something like barnyard and have *it* log to the database.  Net
result is that events are logged in the database.  This appears to be

the

end of snorts involvement in the process from what I can see.

With the data now in the database something else needs to process it

further

if any value is to come out of the data.  There are various apps such as
BASE, snortnotify, snortsnarf, etc .. . . which will either summarise

the

data and mail it out or else present it via a webpage for analysis.  The
problem I'm thinking of is that this is fine for trending or where there

is

someone looking at the data to review recent traffic, but I don't see

how

this can provide any sort of near-real-time alerting.

Say for example I am happy to look through reports every morning at 0900

to

see what happened yesterday, but I *really* *really* want to get an SNMP

or

SMTP alert when rule # 3423 is triggered or the string "bad stuff" is
spotted.  What do people use for this type of scenario ?  I understand

that

it would probably involve running a query against the database every X
minutes and acting on the results of the query, but I can't understand

how

there aren't a set of apps out there (or at least ones I can find) that

do

this type of thing as I would have thought it was a common requirement.

David
=================================
 David Ryan
 IT Security Engineer, Global IT Security
 Quintiles, Global IT - Infrastructure, QDUB

 david.ryan@quintiles.com
 v:  +353-1-819-5186, GMT+0
 m: +353-87-124-9108
 =================================**********************
IMPORTANT--PLEASE READ ************************
This electronic message, including its attachments, is COMPANY

CONFIDENTIAL

and may contain PROPRIETARY or LEGALLY PRIVILEGED information. If you

are

not the intended recipient, you are hereby notified that any use,
disclosure,
copying, or distribution of this message or any of the information

included

in it is unauthorized and strictly prohibited. If you have received this
message in error, please immediately notify the sender by reply e-mail

and

permanently delete this message and its attachments, along with any

copies

thereof. If this electronic message contains a zipped attachment and you

do

not have a decompression tool, you may download unZIP (free of cost)

from:

http://www.mk-net-work.com/us/uz/unzip.htm. Alternatively,
you may request
that the attachment be resent in an uncompressed format. Thank you.
************************************************************************

-------------------------------------------------------------------------

This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



**********************  IMPORTANT--PLEASE READ  ************************
This electronic message, including its attachments, is COMPANY CONFIDENTIAL
and may contain PROPRIETARY or LEGALLY PRIVILEGED information.  If you are 
not the intended recipient, you are hereby notified that any use, disclosure,
copying, or distribution of this message or any of the information included
in it is unauthorized and strictly prohibited.  If you have received this
message in error, please immediately notify the sender by reply e-mail and
permanently delete this message and its attachments, along with any copies
thereof. If this electronic message contains a zipped attachment and you do
not have a decompression tool, you may download unZIP (free of cost) from:
http://www.mk-net-work.com/us/uz/unzip.htm. Alternatively, you may request
that the attachment be resent in an uncompressed format.        Thank you. 
************************************************************************

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-users] Alerting in near-real-time, David . Ryan Re: [Snort-users] Alerting in near-real-time, Paul Halliday Re: [Snort-users] Alerting in near-real-time, David . Ryan <= Re: [Snort-users] Alerting in near-real-time, Bamm Visscher Re: [Snort-users] Alerting in near-real-time, Paul Halliday Re: [Snort-users] Alerting in near-real-time, David . Ryan Re: [Snort-users] Alerting in near-real-time, Bamm Visscher Re: [Snort-users] Alerting in near-real-time, Martin Roesch Re: [Snort-users] Alerting in near-real-time, David . Ryan

Previous by Date:	Re: [Snort-users] Alerting in near-real-time, David . Ryan
Next by Date:	Re: [Snort-users] Alerting in near-real-time, Bamm Visscher
Previous by Thread:	Re: [Snort-users] Alerting in near-real-time, Paul Halliday
Next by Thread:	Re: [Snort-users] Alerting in near-real-time, Bamm Visscher
Indexes:	[Date] [Thread] [Top] [All Lists]