From: Wirth, Jeff (WirthJeDNB.com)
Date: Thu May 02 2002 - 13:12:47 CDT

    From: Tom Sevy [mailto:tsevyepx.com]

    > I am not asking how to alert from snort.
    >
    > But rather, if anyone has set up alerting (pager, for example)
    > from snort,
    > how did you go about determining what you wanted to be alerted on?
    >

    With the help of "swatch" I get paged on a few alerts, including...

     - ATTACK RESPONSES http dir listing
     - ATTACK RESPONSES command completed
     - ATTACK RESPONSES command error
     - ATTACK RESPONSES directory listing
     - ATTACK RESPONSES file copied ok
     - and a few custom ones...like HTTP_SERVER any -> any tftp..

    All the alerts that generate pages are based on "response" rather than
    "stimulus"...

    I can't tell you this method is 100% foolproof (i.e. false positives, etc),
    but it's close. ;-)
     
    > My management has asked a couple of times, and I have (somewhat
    > insubordinately) said absolutely not due to the sheer number
    > of alerts that
    > are logged by snort.

    Hold your ground! Here's an idea... set something up to page you every time
    you see an alert for cmd.exe or root.exe (any worm-related IIS attack will
    do). Then give your pager to your boss for about an hour or so....;-)

    >
    > If there is anyone that has done this, I would be very
    > interested in hearing
    > from you.
    >

    Hope this helps,

    - Jeff
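The "page on responses, not stimuli" filtering Jeff describes, written out as an added Python example (this is not his swatch configuration or anything from the Snort project). It assumes Snort's alert_fast line format; the sample alert lines, sids and addresses are constructed for the example, and the pager itself is replaced by returning the selected alerts.

```python
import re
from collections import defaultdict

# Constructed sample lines in Snort's "alert_fast" style (not from the original
# post; sids, addresses and timestamps are made up for this example).
SAMPLE_ALERTS = """\
05/02-13:01:10.000001  [**] [1:9001:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.9:4412 -> 192.0.2.10:80
05/02-13:01:10.000412  [**] [1:9002:1] ATTACK RESPONSES http dir listing [**] [Priority: 2] {TCP} 192.0.2.10:80 -> 203.0.113.9:4412
05/02-13:01:11.100000  [**] [1:9001:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.44:5120 -> 192.0.2.10:80
05/02-13:01:12.200000  [**] [1:9003:1] ATTACK RESPONSES command completed [**] [Priority: 2] {TCP} 192.0.2.10:80 -> 203.0.113.9:4412
05/02-13:01:13.300000  [**] [1:9002:1] ATTACK RESPONSES http dir listing [**] [Priority: 2] {TCP} 192.0.2.10:80 -> 203.0.113.9:4412
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Page only on "response" signatures: the server answered in a way that shows
# the stimulus actually worked, which is the post's selection criterion.
PAGE_PATTERNS = [re.compile(p) for p in (
    r"^ATTACK RESPONSES ",
    r"^HTTP_SERVER .* tftp",   # stand-in for the custom rule mentioned in the post
)]

def parse_alert(line):
    """Parse one alert_fast line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def should_page(alert):
    return any(p.search(alert["msg"]) for p in PAGE_PATTERNS)

def select_pages(lines):
    """Return the alerts worth a page, collapsing repeats of the same
    (sid, src, dst) so one noisy host does not fire the pager over and over."""
    seen = defaultdict(int)
    pages = []
    for line in lines:
        a = parse_alert(line)
        if not a or not should_page(a):
            continue
        key = (a["sid"], a["src"], a["dst"])
        seen[key] += 1
        if seen[key] == 1:
            pages.append(a)
    return pages
```

On the sample input the two cmd.exe stimulus alerts are ignored and the repeated directory-listing response is paged once, so only two alerts would reach the pager.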
