Snort Paging.
Thread: Snort Paging.

  1. #1
    DjM (I'd rather be fishing), joined Aug 2001, The Great White North, 1,867 posts

    Question Snort Paging.

    We are currently running Snort & ACID to monitor our DMZ. One thing I would like to do, and my techies here aren't sure how to do it, is send out a page if an attack is detected. Ideally, I would like it configured so if multiple "Unique Alerts" are detected coming from the same IP address in a fixed period of time (say 5 or 10 minutes) then issue a page to one or more pagers.

    Has anyone set up Snort in this way and if so, could you please give me some ideas on how to tackle this.

    Cheers & Thanks
    DjM

  2. #2
    tampabay420 (Senior Member), joined Aug 2002, 953 posts

    I don't know how to set up Snort like that, but what about the paging app...

    BASIC
    Code:
    ' open the serial port the modem sits on and send it Hayes AT commands
    open "COM1" for output as #1
     print #1, "ATDT 555-1234"       ' dial the pager service number
     sleep 20                        ' wait for the pager service to answer
     print #1, "ATDT 31337*911"      ' send the numeric message code
    close #1
    This is obviously crude, but if you do want any help with that part... I'd be willing to spiffy that code up a bit (what platform?). Hope I can help.

    I remember posting a tutorial that I wrote on using Hayes commands, etc...
    The tutorial should be enough to explain...

    I'll look up some stuff on snort.org too...
    Yeah, I'm gonna need that by Friday...

  3. #3
    Member, joined Feb 2003, 79 posts
    If you use that code I believe you will also need the Sleep API which is

    Code:
    Public Declare Sub Sleep Lib "kernel32" Alias "Sleep" (ByVal dwMilliseconds As Long)
    - Runner -

  4. #4
    MrLinus (Just a Virtualized Geek), joined Sep 2001, Redondo Beach, CA, 7,324 posts

    Re: Snort Paging.

    Originally posted here by DjM
    We are currently running Snort & ACID to monitor our DMZ. One thing I would like to do, and my techies here aren't sure how to do it, is send out a page if an attack is detected. Ideally, I would like it configured so if multiple "Unique Alerts" are detected coming from the same IP address in a fixed period of time (say 5 or 10 minutes) then issue a page to one or more pagers.

    Has anyone set up Snort in this way and if so, could you please give me some ideas on how to tackle this.

    Cheers & Thanks
    Umm... What platform are you running Snort on?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    DjM (I'd rather be fishing), joined Aug 2001, The Great White North, 1,867 posts

    Re: Re: Snort Paging.

    Originally posted here by MsMittens
    Umm... What platform are you running Snort on?
    Hi MsMittens, we're running it on Linux (Red Hat), not sure what version, but if you need it I'll check.

    Thanks
    DjM

  6. #6
    MrLinus (Just a Virtualized Geek), joined Sep 2001, Redondo Beach, CA, 7,324 posts

    No... That's ok. I've been searching on and off over the weekend for an answer and no one seems to have anything specific. I've heard Big Brother has a plug-in of some type, but it would be better if there was a simple script. The only thing I could think of was if you created a simple PERL script that dialed a number (have a simple modem that only dials out) and sent a specific code to indicate the type of breach (obviously you don't want to be paged for simple scans or Code Red).

    And no... I don't have the code... =P

  7. #7
    DjM (I'd rather be fishing), joined Aug 2001, The Great White North, 1,867 posts

    Originally posted here by MsMittens
    but it would be better if there was a simple script.
    Thanks, and you're right, a 'simple script' is what I was looking for. I have seen a few ideas using Swatch on the Snort logs, but I haven't really found anything specific.
    Thanks again, if anything pops to mind, let me know.


    Cheers:
    DjM
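A sketch of the "simple script" the thread keeps coming back to, added here as an example and not code from any poster: it reads Snort alert_fast lines, counts distinct signatures per source IP inside a sliding window (DjM's 5-minute "unique alerts" rule), and calls a notify hook where the modem or pager call would go, with a per-IP cooldown so one noisy host cannot page you every second. The year, the thresholds, the sample lines and the `notify` hook are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Snort "alert_fast" layout; the timestamp carries no year, so one is assumed.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->")

def parse_fast_alert(line, year=2003):
    """Return (timestamp, 'gid:sid', src_ip, msg), or None for a non-alert line."""
    m = FAST_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
    return ts, f"{m['gid']}:{m['sid']}", m["src"], m["msg"]

class PagerThreshold:
    """Page when one source IP trips >= `unique` distinct signatures within `window_s` seconds."""
    def __init__(self, unique=3, window_s=300, cooldown_s=600, notify=print):
        self.unique, self.window_s, self.cooldown_s = unique, window_s, cooldown_s
        self.notify = notify             # hook: the modem/pager call goes here (assumed)
        self.seen = defaultdict(deque)   # src -> deque of (ts, sid) inside the window
        self.last_page = {}              # src -> time of the last page sent for it

    def feed(self, line):
        rec = parse_fast_alert(line)     # returns True only when a page is sent
        if rec is None:
            return False
        ts, sid, src, msg = rec
        q = self.seen[src]
        q.append((ts, sid))
        while (ts - q[0][0]).total_seconds() > self.window_s:
            q.popleft()                  # slide the window forward, dropping old events
        sids = {s for _, s in q}
        last = self.last_page.get(src)
        quiet = last is None or (ts - last).total_seconds() >= self.cooldown_s
        if len(sids) >= self.unique and quiet:
            self.last_page[src] = ts
            self.notify(f"PAGE {src}: {len(sids)} unique alerts in {self.window_s}s, latest '{msg}'")
            return True
        return False

# Constructed sample lines (TEST-NET addresses, made-up SIDs), not real captures.
SAMPLE = [
    "03/10-14:00:01.000001  [**] [1:1000001:1] CONSTRUCTED scan A [**] [Priority: 2] {TCP} 192.0.2.7:40001 -> 198.51.100.9:80",
    "03/10-14:01:30.000001  [**] [1:1000002:1] CONSTRUCTED scan B [**] [Priority: 2] {TCP} 192.0.2.7:40002 -> 198.51.100.9:22",
    "03/10-14:02:15.000001  [**] [1:1000002:1] CONSTRUCTED scan B [**] [Priority: 2] {TCP} 192.0.2.7:40003 -> 198.51.100.9:22",
    "03/10-14:03:00.000001  [**] [1:1000003:1] CONSTRUCTED probe C [**] [Priority: 1] {UDP} 192.0.2.7:40004 -> 198.51.100.9:53",
    "03/10-14:20:00.000001  [**] [1:1000004:1] CONSTRUCTED probe D [**] [Priority: 1] {TCP} 192.0.2.7:40005 -> 198.51.100.9:443",
]
```

Fed the sample lines in order, the repeat of signature B does not count twice, the fourth line (third distinct signature inside five minutes) fires the page, and the fifth line falls outside the window and stays quiet; in production you would tail the alert file and point `notify` at your dial-out routine.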
