From: Wirth, Jeff (WirthJeDNB.com)
Date: Fri May 03 2002 - 11:25:36 CDT


    From: Alwin Raymundo [mailto:alrayworldyahoo.com]
    > Hi Jeff,

    Hello Alwin...

    >
    > I'm reading your response regarding the "Alerting
    > snort using swatch". I'm very interested regarding
    > sending an email or page to my RIM.
    >
    > I look at the snort FAQ but I can't find detailed
    > information regarding ATTACK RESPONSE I know this
    > alert will not create a false positive alert.
                 ^^^
    Well, I wouldn't go that far...I've had a *few* (luckily not at 2:00 am, yet
    ;-), but I am willing to live with this..

    >
    > Can you give me some direction or some sort of how to.

    If you are thinking about swatch as a solution and it's not the only one,
    check out...

    http://www.oit.ucsb.edu/~eta/swatch/

    http://rr.sans.org/sysadmin/swatch.php

    http://www.enteract.com/~lspitz/swatch.html

    http://www.cert.org/security-improvement/implementations/i042.01.html

    > Do I need to add some parameters to
    > attack-response.rules?

    Nope. Swatch will monitor your syslog entries looking for entries that you
    define. If it makes a match it will react as you instruct it to, i.e.
    e-mail your pager. Which means you need to be logging Snort to syslog..
    http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.1 , also check
    your local man page for syslog and syslogd for additional information (you
    are running *nix I hope).

    Side Note:.....I've seen too many people using commercial NIDS getting
    paged/e-mail on all sorts of attack stimulus (I think this is why e-mail
    filters were created). And why, does attack stimulus == compromise? Not
    quite. Well then, does response == compromise? Maybe. In short, response
    to stimulus is either black or white, it is either what you expected or it
    isn't. And it's the unexpected we need to be concerned with...

    Well, have to go...My pager just went off ;-)

    Hope this helps,

    - Jeff
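The swatch-plus-syslog approach described in the reply above, as an added Python sketch that is not from the post or from the swatch project: it parses Snort syslog alert lines, pages only on the message patterns you define (here the ATTACK-RESPONSES category) and throttles repeats so one chatty host does not page you every few seconds. The syslog layout assumed by the regex, and all hostnames, addresses and rule numbers, are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Assumed Snort syslog layout (not copied from the Snort docs):
#   <ts> <host> snort[<pid>]: [gid:sid:rev] <msg> [Classification: ...] [Priority: N]: {PROTO} SRC:PORT -> DST:PORT
SNORT_LINE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_snort_syslog(line: str) -> Optional[dict]:
    """Return the alert fields of a Snort syslog line, or None for any other syslog entry."""
    m = SNORT_LINE.search(line)
    return m.groupdict() if m else None

class SyslogWatcher:
    """swatch-style watcher: one regex per 'watchfor', a per-(sid,src,dst) throttle, and a notify action."""
    def __init__(self, watch_patterns: List[str], throttle_seconds: float, notify):
        self.patterns = [re.compile(p) for p in watch_patterns]
        self.throttle = throttle_seconds
        self.notify = notify                      # e.g. the function that e-mails your pager
        self.last_sent: Dict[tuple, float] = {}   # when each (sid, src, dst) last paged

    def feed(self, line: str, now: float) -> bool:
        """Process one log line at time `now` (seconds); return True if a page was sent."""
        alert = parse_snort_syslog(line)
        if alert is None or not any(p.search(alert["msg"]) for p in self.patterns):
            return False                          # not Snort, or not a rule we page on
        key = (alert["sid"], alert["src"], alert["dst"])
        last = self.last_sent.get(key)
        if last is not None and now - last < self.throttle:
            return False                          # same alert, same hosts, too soon: stay quiet
        self.last_sent[key] = now
        self.notify(f"Snort sid {alert['sid']}: {alert['msg']} {alert['src']} -> {alert['dst']}")
        return True

# Constructed sample log: (seconds since start, syslog line). Hosts, IPs and sids are made up.
SAMPLE_LOG = [
    (0.0, "May  3 11:20:01 ids1 snort[2101]: [1:9001:1] ATTACK-RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.1.1.10:80 -> 10.1.1.50:3345"),
    (5.0, "May  3 11:20:06 ids1 snort[2101]: [1:9001:1] ATTACK-RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.1.1.10:80 -> 10.1.1.50:3346"),
    (7.0, "May  3 11:20:08 ids1 snort[2101]: [1:9002:1] WEB-MISC cmd.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.1.1.99:4412 -> 10.1.1.10:80"),
    (9.0, "May  3 11:20:10 ids1 sshd[515]: Accepted publickey for ops from 10.1.1.7 port 50022"),
    (700.0, "May  3 11:31:41 ids1 snort[2101]: [1:9001:1] ATTACK-RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.1.1.10:80 -> 10.1.1.50:3390"),
]

def run_watcher(entries=SAMPLE_LOG, throttle_seconds: float = 600) -> List[str]:
    """Feed the sample log through a watcher that pages only on ATTACK-RESPONSES; return the pages sent."""
    pages: List[str] = []
    watcher = SyslogWatcher([r"^ATTACK-RESPONSES"], throttle_seconds, pages.append)
    for ts, line in entries:
        watcher.feed(line, ts)
    return pages

if __name__ == "__main__":
    for page in run_watcher():
        print("PAGE:", page)
```

The stimulus-only WEB-MISC line and the unrelated sshd line never page; the second ATTACK-RESPONSES hit is suppressed by the 600 s throttle and the third, eleven minutes later, pages again.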
