Re: Real Time Alert and Variables

[Martin Holste <mcholste () gmail com>]

I'll speak up regarding ELSA, as the open source project owner.  You can
monitor logs (like Snort alerts) very easily for generic things like
"trojan" or "exploit kit" or more advanced queries which mix proxy logs
with Snort alerts to find correlated alerts like: "user_agent:java
groupby:srcip | subsearch(sig_msg:trojan)" and then send that to a
connector, like email alerts, which is built-in.  You can also easily write
your own plugin in a few lines of Perl (or whatever language you want, then
invoke from Perl) to do more advanced things, like shutdown ports, login to
web apps, etc.  If you want, you can post your specific use case over on
the ELSA mailing list (enterprise-log-search-and-archive.googlegroups.com)
and I'll write the plugin for you.


On Thu, Feb 7, 2013 at 11:11 AM, Nicholas Horton <fivetenets () me com> wrote:

> Thanks Jeremy. Thanks James.
>
> I take a look at them.
>
> Nick
>
> On Feb 7, 2013, at 12:01 PM, "Lay, James" <james.lay () wincofoods com>
> wrote:
>
> > -----Original Message-----
> > From: Jeremy Hoel [mailto:jthoel () gmail com]
> > Sent: Thursday, February 07, 2013 9:50 AM
> > To: Nicholas Horton
> > Cc: Michael Steele; Snort Users
> > Subject: Re: [Snort-users] Real Time Alert and Variables
> >
> > You might want to check out ELSA and greylog.  We use greylog to get
> > emails from logs that go to it.  They are kind of  log viewers that
> > are both getting better.
> >
> >
> >
> >
> > WOTS (perl) and SEC (Simple Event Correlator) come to mind as well.
> >
> > James
> ------------------------------------------------------------------------------
> > Free Next-Gen Firewall Hardware Offer
> > Buy your Sophos next-gen firewall before the end March 2013
> > and get the hardware for free! Learn more.
> > http://p.sf.net/sfu/sophos-d2d-feb
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
> ------------------------------------------------------------------------------
> Free Next-Gen Firewall Hardware Offer
> Buy your Sophos next-gen firewall before the end March 2013
> and get the hardware for free! Learn more.
> http://p.sf.net/sfu/sophos-d2d-feb
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!