This is a discussion on [Snort-users] Alerting in near-real-time within the Snort forums, part of the System Security and Security Related category.
Thanks to all on the list for their help to date.

I am still trying to get my head around something which I still can't understand in the overall snort model and I'm hoping someone can set me straight on what I'm missing (or what I'm assuming incorrectly). I may have asked this to the list before, but I can't find it. Apologies if I'm asking the same question again.

What I have got so far . . . snort sniffs packets, matches those packets against rules and can log the results via a variety of output plugins to various repositories. It can log directly to a variety of databases, but from an optimisation point of view it is better to use unified output, pass that to something like barnyard and have *it* log to the database. Net result is that events are logged in the database. This appears to be the end of snort's involvement in the process from what I can see.

With the data now in the database something else needs to process it further if any value is to come out of the data. There are various apps such as BASE, snortnotify, snortsnarf, etc. which will either summarise the data and mail it out or else present it via a webpage for analysis. The problem I'm thinking of is that this is fine for trending or where there is someone looking at the data to review recent traffic, but I don't see how this can provide any sort of near-real-time alerting.

Say for example I am happy to look through reports every morning at 0900 to see what happened yesterday, but I *really* *really* want to get an SNMP or SMTP alert when rule # 3423 is triggered or the string "bad stuff" is spotted. What do people use for this type of scenario?

I understand that it would probably involve running a query against the database every X minutes and acting on the results of the query, but I can't understand how there aren't a set of apps out there (or at least ones I can find) that do this type of thing, as I would have thought it was a common requirement.

David
=================================
David Ryan
IT Security Engineer, Global IT Security
Quintiles, Global IT - Infrastructure, QDUB

david.ryan@quintiles.com
v: +353-1-819-5186, GMT+0
m: +353-87-124-9108
=================================

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
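An added example, not part of David's message and not Snort's or Barnyard's own tooling: instead of polling the database every X minutes, one cheap way to get near-real-time notification is to follow the file Snort writes when configured with `output alert_fast: /var/log/snort/alert.fast` (that path, the SIDs, the SMTP host and the addresses are all assumptions here) and mail out when a watched SID fires or a watched string appears in the rule message. The sample alert lines are constructed. The string match is against the rule's message text, because the alert_fast format carries no packet payload; matching on payload would need the unified/log output instead. The per-SID cooldown is deliberate: a noisy rule that pages every few seconds is worse than no paging at all.

```python
"""Watch Snort's alert_fast output and e-mail on selected SIDs or strings.

Added example (not from the original post or the Snort project).
Assumed Snort config:   output alert_fast: /var/log/snort/alert.fast
"""
import os
import re
import smtplib
import time
from email.message import EmailMessage

# Shape of one alert_fast line (constructed sample, not a real capture):
# 04/12-09:15:32.123456  [**] [1:3423:5] MSG [**] [Classification: c] [Priority: 1] {TCP} 10.0.0.5:51234 -> 10.0.0.9:80
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample lines used by the self-test; the last one is a real-world
# failure mode (a half-written or foreign line) that the parser must skip.
SAMPLE_LINES = [
    "04/12-09:15:32.123456  [**] [1:3423:5] EXPLOIT something nasty [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 10.0.0.5:51234 -> 10.0.0.9:80",
    "04/12-09:15:33.000001  [**] [1:2000002:3] WEB-MISC bad stuff in URI [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.5:51235 -> 10.0.0.9:80",
    "04/12-09:15:34.000002  [**] [1:1000001:1] LOCAL ping seen [**] {ICMP} 10.0.0.5 -> 10.0.0.9",
    "04/12-09:15:35.000003  [**] [1:3423:5] EXPLOIT something nasty [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 10.0.0.6:4000 -> 10.0.0.9:80",
    "--- not an alert line at all",
]


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for k in ("gid", "sid", "rev"):
        ev[k] = int(ev[k])
    ev["prio"] = int(ev["prio"]) if ev["prio"] is not None else None
    return ev


def matches(ev, watch_sids, watch_strings):
    """True if the event's SID is watched or its message contains a watched string."""
    if ev["sid"] in watch_sids:
        return True
    msg = ev["msg"].lower()
    return any(s.lower() in msg for s in watch_strings)


class Throttle:
    """Suppress repeats of the same SID within `cooldown` seconds (anti-flood)."""

    def __init__(self, cooldown=300.0):
        self.cooldown = cooldown
        self._last = {}

    def allow(self, sid, now):
        last = self._last.get(sid)
        if last is not None and now - last < self.cooldown:
            return False
        self._last[sid] = now
        return True


def build_notification(ev):
    """Subject and body for the SMTP alert."""
    subject = f"[snort] {ev['gid']}:{ev['sid']} {ev['msg']}"
    body = (f"time: {ev['ts']}\nrule: {ev['gid']}:{ev['sid']}:{ev['rev']} {ev['msg']}\n"
            f"classification: {ev['cls'] or '-'}\npriority: {ev['prio']}\n"
            f"{ev['proto']} {ev['src']} -> {ev['dst']}\n")
    return subject, body


def send_mail(ev, smtp_host="localhost", sender="snort@example.org", recipient="soc@example.org"):
    """Deliver one alert over SMTP (host and addresses are placeholders)."""
    subject, body = build_notification(ev)
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, recipient
    msg.set_content(body)
    with smtplib.SMTP(smtp_host) as s:
        s.send_message(msg)


def scan(lines, watch_sids, watch_strings, notify, throttle=None, clock=time.time):
    """Run lines through parser, matcher and throttle; call notify(ev) on hits.
    Returns the list of events that were notified."""
    sent = []
    for line in lines:
        ev = parse_alert(line)
        if ev is None:                       # partial line or noise: skip, never crash
            continue
        if not matches(ev, watch_sids, watch_strings):
            continue
        if throttle is not None and not throttle.allow(ev["sid"], clock()):
            continue
        notify(ev)
        sent.append(ev)
    return sent


def follow(path, poll_seconds=1.0):
    """Yield complete lines appended to `path`, like `tail -F`.
    Handles in-place truncation; rotation by rename would need a reopen by inode."""
    buf = b""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)               # only new alerts, not the backlog
        while True:
            chunk = f.read()
            if chunk:
                buf += chunk
                while b"\n" in buf:          # emit only whole lines
                    line, buf = buf.split(b"\n", 1)
                    yield line.decode("utf-8", "replace")
                continue
            if os.path.getsize(path) < f.tell():   # file was truncated
                f.seek(0)
                buf = b""
            time.sleep(poll_seconds)


if __name__ == "__main__":
    # Runs until killed; e.g. watch rule 3423 and any message mentioning "bad stuff".
    scan(follow("/var/log/snort/alert.fast"), {3423}, {"bad stuff"}, send_mail, Throttle(300))
```

Run it under a supervisor (or as a cron-started daemon) on the sensor, and point `send_mail` at a relay the sensor is allowed to reach; swapping `send_mail` for an SNMP trap sender is a one-function change since `scan` only needs a callable that accepts the event dict.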