Snort mailing list archives

RE: Best real-time alerting tool


From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Thu, 6 Jun 2002 09:58:32 -0400

As is often the case, it depends upon how much budget you have to spend on
the solution. There are very good commercial solutions (NetCool is one I've
seen in action; expensive, but very comprehensive and would do everything
you're asking for).

On the assumption that you're using Snort because it's both an excellent
tool and inexpensive to deploy, I'll recommend ACID as an analysis and
real-time display tool. But I prefer exception reporting, so I've configured
Snort to log to a database, and have developed some scripts and triggers to
watch events as they occur and page/email me if I've flagged them in an
additional database table. Nothing terribly sophisticated. Paging is handled
using Hylafax. I've also written some simple perl scripts to incorporate
SNMP events from a commercial IDS we're using, and a syslog handler to
process W2K and NT events forwarded through a syslog service. These
non-Snort events all get munged and inserted into the database to be
analyzed by ACID.

If Snort is configured to log to a database, it will support multiple
sensors, and ACID can be used to do some correlation. If, by correlation, you
mean more sophisticated functions to do event reduction, suppression, etc.,
then there's not much non-commercial software available. SEC (Simple Event
Correlation) can do some of this, but it's not well integrated into other
tools. I'm currently playing with some statistical analysis (control chart
theory) to watch for changes in behaviour, and have good results sifting
through the thousands of events I see each day to pick out the handful of
significant things.

Hope this helps.


I'm starting research for the best real time alerting tool for Snort and
want to get feedback from everyone. I'm looking for the following features,
can anyone recommend a product or products? I need these features:

*     Real time window where I can watch alerts as they occur
*     Real time alerting option via email and/or pager for alerts I choose
*     Best tool for correlation and historical analysis of data across
multiple Snort sensors

Thanks!

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com

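The flag-table-and-trigger scheme Hugh describes above, as an added example that is not code from the thread: Snort logs events to a database, a trigger checks each new event against a table of flagged signatures, and a separate pager/mail script drains a queue. The `event`/`signature` tables are a simplified stand-in for what Snort's database output plugin writes; the `watch` and `alert_queue` tables, the trigger, and the sample signature names are assumptions, and SQLite is used so it runs offline (Snort itself would log to MySQL or PostgreSQL).

```python
import sqlite3

# Constructed schema: event/signature are simplified after Snort's database
# output plugin; watch, alert_queue and the trigger are the added layer.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                        sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
-- signatures the analyst has flagged, with the channel to notify on
CREATE TABLE watch (sig_id INTEGER PRIMARY KEY, notify TEXT);
-- drained by the pager/mail script; no network calls in the database
CREATE TABLE alert_queue (id INTEGER PRIMARY KEY AUTOINCREMENT,
                          sid INTEGER, cid INTEGER, sig_name TEXT,
                          notify TEXT, timestamp TEXT);
-- fires only for flagged signatures, so unflagged noise never hits the queue
CREATE TRIGGER flag_event AFTER INSERT ON event
  WHEN NEW.signature IN (SELECT sig_id FROM watch)
BEGIN
  INSERT INTO alert_queue (sid, cid, sig_name, notify, timestamp)
  SELECT NEW.sid, NEW.cid, s.sig_name, w.notify, NEW.timestamp
    FROM signature s JOIN watch w ON w.sig_id = s.sig_id
   WHERE s.sig_id = NEW.signature;
END;
"""

def open_db():
    """Create the in-memory database with constructed sample signatures."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO signature VALUES (?,?,?)", [
        (1, "ICMP PING NMAP", 2),
        (2, "WEB-IIS cmd.exe access", 1),
        (3, "SNMP public access udp", 2),
    ])
    db.execute("INSERT INTO watch VALUES (?,?)", (2, "pager"))  # flag sig 2
    return db

def insert_events(db, events):
    """Simulate Snort sensors (sid) logging events (cid) to the database."""
    db.executemany("INSERT INTO event VALUES (?,?,?,?)", events)
    db.commit()

def drain_queue(db):
    """What the pager/mail script would read on each poll; empties the queue."""
    rows = db.execute("SELECT sid, cid, sig_name, notify, timestamp "
                      "FROM alert_queue ORDER BY id").fetchall()
    db.execute("DELETE FROM alert_queue")
    db.commit()
    return rows
```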



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

