Snort mailing list archives

Re: Alerting in near-real-time


From: David.Ryan () Quintiles com
Date: Thu, 10 May 2007 21:21:58 +0100

Martin,

Thanks for the reply.  It does look like I overlooked the distinction 
between logging and alerting in the product.  Is there a good guide 
somewhere that can outline the distinction between the two?  I went on 
the Sourcefire 'Building & Operating' course recently but honestly didn't 
pick up the distinction in the course material.

I understood that snort matched packets against rules and if it was 
interesting (i.e. a match) caused the detail to be logged and if it wasn't 
interesting just did nothing.  I didn't pick up that it could log *or* 
alert, presumably depending on the rule definition.  This may well be 
covered in some of the rule documentation, but I'm still trying to get 
snort to generate SNMP or SMTP alerts before moving on to understanding 
the way the rules work.  Maybe I need to read the rules stuff first.

I had a look at swatch and installed it, but it looks like it comes 
config-free.  I don't mind spending time trying to work out what the 
config should be, but are there any snort-specific config files around?

Thanks,

David
=================================
David Ryan
IT Security Engineer, Global IT Security
Quintiles, Global IT - Infrastructure, QDUB

david.ryan () quintiles com
v:  +353-1-819-5186, GMT+0
m: +353-87-124-9108
=================================



Martin Roesch <roesch () sourcefire com>
10/05/2007 16:31

To: David.Ryan () Quintiles com
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Alerting in near-real-time


Snort has two output facilities, alerting and logging.  It sounds 
like you've got the logging facility pretty much figured out but you 
haven't quite gotten the alerting part yet.

When you start up a Snort instance, you can set up both the logging 
output option (like unified) as well as the alerting output option. 
Generally if you want real-time alerts you can either set up unified 
alerting to go with unified logging and have a second instance of 
Barnyard running to process the alert data and inform you via your 
selected method, or you can go direct to one of the other alerting 
output facilities.

The easy answer is to send alerts someplace like syslog and use a 
syslog monitor like swatch to inform you via email when an event that 
you're interested in has happened.  That way you can be pretty specific 
about what kinds of alerts you get informed about immediately and 
which ones are lower priority (i.e. in the database).

Another option is to use a monitor like sguil that'll give you a 
real-time view into the database, but that's a little more complicated to 
get set up while at the same time being a lot more useful than syslog...

                 -Marty

On May 10, 2007, at 10:24 AM, David.Ryan () Quintiles com wrote:


Thanks to all on the list for their help to date.

I am still trying to get my head around something which I still 
can't understand in the overall snort model and I'm hoping someone 
can set me straight on what I'm missing (or what I'm assuming 
incorrectly).  I may have asked this to the list before, but I 
can't find it.  Apologies if I'm asking the same question again.

What I have got so far . . .  snort sniffs packets, matches those 
packets against rules and can log the results via a variety of 
output plugins to various repositories.  It can log directly to a 
variety of databases, but from an optimisation point of view it is 
better to use unified output, pass that to something like barnyard 
and have *it* log to the database.  Net result is that events are 
logged in the database.  This appears to be the end of snort's 
involvement in the process from what I can see.

With the data now in the database something else needs to process 
it further if any value is to come out of the data.  There are 
various apps such as BASE, snortnotify, snortsnarf, etc. 
which will either summarise the data and mail it out or else 
present it via a webpage for analysis.  The problem I'm thinking of 
is that this is fine for trending or where there is someone looking 
at the data to review recent traffic, but I don't see how this can 
provide any sort of near-real-time alerting.

Say for example I am happy to look through reports every morning at 
0900 to see what happened yesterday, but I *really* *really* want 
to get an SNMP or SMTP alert when rule # 3423 is triggered or the 
string "bad stuff" is spotted.  What do people use for this type of 
scenario?  I understand that it would probably involve running a 
query against the database every X minutes and acting on the 
results of the query, but I can't understand how there aren't a set 
of apps out there (or at least ones I can find) that do this type 
of thing as I would have thought it was a common requirement.

David
=================================
David Ryan
IT Security Engineer, Global IT Security
Quintiles, Global IT - Infrastructure, QDUB

david.ryan () quintiles com
v:  +353-1-819-5186, GMT+0
m: +353-87-124-9108
=================================
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org




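As an added illustration of the syslog-monitor approach Marty describes (this is not code from the thread, from swatch, or from Snort), the block below does in Python what a swatch rule set would do: it parses the lines Snort's alert_syslog output writes to syslog, and picks out only the alerts that should page someone immediately, here rule 3423 and the string "bad stuff" from David's question, leaving everything else to the database and the morning report. The syslog lines, sensor name, PIDs and rule messages are constructed for the example and do not refer to real rules.

```python
import re

# Constructed sample syslog, in the shape alert_syslog writes:
# [gid:sid:rev] msg [Classification: ...] [Priority: n]: {proto} src -> dst
# The rule messages and SIDs are made up for this example.
SAMPLE_SYSLOG = """\
May 10 16:31:02 sensor1 snort[2314]: [1:3423:4] EXAMPLE watched rule [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 10.0.0.5:41234 -> 192.168.1.10:80
May 10 16:31:05 sensor1 snort[2314]: [1:1000001:1] LOCAL bad stuff in payload [Priority: 3]: {UDP} 10.0.0.7:5353 -> 224.0.0.251:5353
May 10 16:31:09 sensor1 snort[2314]: [1:1000002:2] EXAMPLE low priority noise [Classification: Misc activity] [Priority: 3]: {ICMP} 10.0.0.9 -> 192.168.1.20
May 10 16:31:10 sensor1 sshd[511]: Accepted publickey for ops from 10.0.0.2 port 50000 ssh2
"""

# Classification is optional (rules without a classtype omit it); the colon
# after [Priority: n] is tolerated either way.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\]:? "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)"
)


def parse_alert(line):
    """Return a dict of alert fields for a Snort syslog line, or None otherwise."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        alert[key] = int(alert[key])
    return alert


def urgent_alerts(syslog_text, watched_sids=(3423,), watched_strings=("bad stuff",)):
    """Select alerts whose SID is watched or whose rule message contains a
    watched string; everything else is left for the database and daily report."""
    hits = []
    for line in syslog_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        if alert["sid"] in watched_sids or any(s in alert["msg"] for s in watched_strings):
            hits.append(alert)
    return hits


def notification_line(alert):
    """One-line summary to hand to a mailer or an SNMP trap sender."""
    return "snort sid %d prio %d: %s (%s %s -> %s)" % (
        alert["sid"], alert["prio"], alert["msg"], alert["proto"], alert["src"], alert["dst"])


if __name__ == "__main__":
    for hit in urgent_alerts(SAMPLE_SYSLOG):
        print(notification_line(hit))
```

Feeding the live syslog file to urgent_alerts() from a tail loop, and handing each notification_line() to a mail or trap command, gives the near-real-time path without querying the database every X minutes.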
