Network Security Snort-Users

Re: [Snort-users] Alerting in near-real-time

Subject: Re: [Snort-users] Alerting in near-real-time
Date: Fri, 11 May 2007 11:55:50 +0100
Paul/Bamm,

Thanks for the details.  I'm working through the documentation and 
*trying* my best to understand the model used.

Right now I am trying to work out what needs to be where in my 
'distributed' model - I have a central mysql server which can receive 
logs/alerts from a small number of snort probes.

I have added the sguil database to the mysql server.

I am shortly going to try getting the probes to log unified output to the 
sguil database.  Does this mean that I no longer need to log to the snort 
database, or is this still required for other things like snortreport and 
base?  Or do I just repoint the base config at the sguil database?

Thanks,

David
=================================
David Ryan
IT Security Engineer, Global IT Security
Quintiles, Global IT - Infrastructure, QDUB

david.ryan@quintiles.com
v:  +353-1-819-5186, GMT+0
m: +353-87-124-9108
=================================

"Paul Halliday" <paul.halliday@gmail.com>
11/05/2007 12:31

To: "David.Ryan@quintiles.com" <David.Ryan@quintiles.com>
cc: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Alerting in near-real-time

David,

You can easily be up and running in under ten minutes. As Bamm said, Sguil 
will do most of the work for you on startup. 

All you need to do is modify the configuration scripts to suit your 
environment. See the install docs. 

As for p0f, that's a quick install.

I wouldn't worry about SANCP for now (you will see reference to it in the 
config files); you can easily add that functionality after you have seen 
what Sguil has to offer. 

If you have any problems you can get free premium support from the author 
himself. Just visit #snort-gui on irc.freenode.net and ask for Bamm

;)

On 5/10/07, David.Ryan@quintiles.com <David.Ryan@quintiles.com> wrote:

Paul, 

Thanks for the reply.  I have looked at sguil (following your post) and I 
think it may cover what I am looking for, but the install documentation 
indicates relations to lots of other packages such as NSM and p0f and 
includes a lot of detail on setting up the snort install, logging to what 
looks like another database (i.e. a sguil database rather than the initial 
snort one which is included in the snort documentation). 

I don't mind re-installing snort from scratch if necessary, but I'm trying 
to work forward from an existing snort install and add this alerting 
function.  Do you know of any documentation covering adding sguil to an 
existing install, or whether I just need the existing database? 

Thanks, 

David 
=================================
David Ryan
IT Security Engineer, Global IT Security
Quintiles, Global IT - Infrastructure, QDUB

david.ryan@quintiles.com
v:  +353-1-819-5186, GMT+0
m: +353-87-124-9108
================================= 


"Paul Halliday" <paul.halliday@gmail.com>
10/05/2007 16:48

To: "David.Ryan@quintiles.com" <David.Ryan@quintiles.com>
cc: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Alerting in near-real-time

http://sguil.sourceforge.net/


On 5/10/07, David.Ryan@quintiles.com <David.Ryan@quintiles.com> wrote:

Thanks to all on the list for their help to date.

I am still trying to get my head around something which I still can't
understand in the overall snort model and I'm hoping someone can set me
straight on what I'm missing (or what I'm assuming incorrectly).  I may have
asked this to the list before, but I can't find it.  Apologies if I'm asking
the same question again.

What I have got so far . . .  snort sniffs packets, matches those packets
against rules and can log the results via a variety of output plugins to
various repositories.  It can log directly to a variety of databases, but
from an optimisation point of view it is better to use unified output, pass
that to something like barnyard and have *it* log to the database.  Net
result is that events are logged in the database.  This appears to be the
end of snort's involvement in the process from what I can see.

With the data now in the database something else needs to process it further
if any value is to come out of the data.  There are various apps such as
BASE, snortnotify, snortsnarf, etc., which will either summarise the
data and mail it out or else present it via a webpage for analysis.  The
problem I'm thinking of is that this is fine for trending or where there is
someone looking at the data to review recent traffic, but I don't see how
this can provide any sort of near-real-time alerting.

Say for example I am happy to look through reports every morning at 0900 to
see what happened yesterday, but I *really* *really* want to get an SNMP or
SMTP alert when rule # 3423 is triggered or the string "bad stuff" is
spotted.  What do people use for this type of scenario?  I understand that
it would probably involve running a query against the database every X
minutes and acting on the results of the query, but I can't understand how
there aren't a set of apps out there (or at least ones I can find) that do
this type of thing as I would have thought it was a common requirement.

David
=================================
David Ryan
IT Security Engineer, Global IT Security
Quintiles, Global IT - Infrastructure, QDUB

david.ryan@quintiles.com
v:  +353-1-819-5186, GMT+0
m: +353-87-124-9108
=================================

**********************  IMPORTANT--PLEASE READ  ************************
This electronic message, including its attachments, is COMPANY CONFIDENTIAL
and may contain PROPRIETARY or LEGALLY PRIVILEGED information. If you are
not the intended recipient, you are hereby notified that any use, disclosure,
copying, or distribution of this message or any of the information included
in it is unauthorized and strictly prohibited. If you have received this
message in error, please immediately notify the sender by reply e-mail and
permanently delete this message and its attachments, along with any copies
thereof. If this electronic message contains a zipped attachment and you do
not have a decompression tool, you may download unZIP (free of cost) from:
http://www.mk-net-work.com/us/uz/unzip.htm. Alternatively, you may request
that the attachment be resent in an uncompressed format. Thank you.
************************************************************************




-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users






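Added example, not code from the thread or from the Snort/Sguil projects: the "query the database every X minutes and act on the results" approach David describes in his first message, written as a small Python poller over Snort's classic `event`/`signature` tables that fires an SMTP alert for rule 3423 or any signature whose name contains "bad stuff". It assumes that schema (sqlite3 stands in for the MySQL server so it runs offline; with a MySQL driver only the `?` placeholder style changes), a local MTA, and placeholder mail addresses; the `AlertWatcher` name and the sample rows are constructed.

```python
import sqlite3
import smtplib
# Subset of the classic Snort alert schema (`event` + `signature`) written by the database
# output plugin or barnyard; sqlite3 stands in for the MySQL server so this runs offline.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_sid INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT, PRIMARY KEY (sid, cid));
"""
# Constructed sample rows, not real sensor data; sig_sid 3423 is the rule number from the thread.
SAMPLE = """
INSERT INTO signature VALUES (1,'WEB-MISC watched rule',3423),(2,'POLICY bad stuff seen',9001),(3,'ICMP PING',384);
INSERT INTO event VALUES (1,1,1,'2007-05-10 08:00:00'),(1,2,3,'2007-05-10 08:01:00'),
                         (1,3,2,'2007-05-10 08:02:00'),(2,1,3,'2007-05-10 08:03:00');
"""

class AlertWatcher:
    """Polls the alert tables; `notify` fires once per new event matching a watched SID or name."""
    def __init__(self, conn, watch_sids, name_substring, notify):
        self.conn, self.watch_sids, self.notify = conn, tuple(watch_sids), notify
        self.name_pattern = f"%{name_substring}%"
        self.watermark = {}  # sensor sid -> highest cid already reported (cid counts per sensor)
    def seed(self):
        """Skip the existing backlog so a freshly started watcher does not mail every old event."""
        for sid, top in self.conn.execute("SELECT sid, MAX(cid) FROM event GROUP BY sid"):
            self.watermark[sid] = top
    def poll(self):
        """One polling cycle (schedule it every X minutes); returns the new matching rows."""
        marks = ",".join("?" * len(self.watch_sids))
        sql = ("SELECT e.sid, e.cid, s.sig_sid, s.sig_name, e.timestamp "
               "FROM event e JOIN signature s ON s.sig_id = e.signature "
               f"WHERE (s.sig_sid IN ({marks}) OR s.sig_name LIKE ?) ORDER BY e.sid, e.cid")
        new = []
        for sid, cid, rule, name, ts in self.conn.execute(sql, (*self.watch_sids, self.name_pattern)):
            if cid <= self.watermark.get(sid, 0):
                continue  # already reported by an earlier poll
            self.watermark[sid] = cid
            self.notify(f"sensor {sid} event {cid}: SID {rule} '{name}' at {ts}")
            new.append((sid, cid, rule, name, ts))
        return new

def smtp_notify(text, host="localhost", to="soc@example.com"):
    """Deliver one alert through a local MTA (host and addresses are placeholders)."""
    with smtplib.SMTP(host) as smtp:
        smtp.sendmail("snort@example.com", [to], f"Subject: Snort alert\r\n\r\n{text}")

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn
```

Run `AlertWatcher(conn, [3423], "bad stuff", smtp_notify).poll()` from cron or a sleep loop; call `seed()` once at startup if the existing backlog should not be mailed out.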