-
Snort Paging.
We are currently running Snort & ACID to monitor our DMZ. One thing I would like to do, and my techies here aren't sure how to do it, is send out a page if an attack is detected. Ideally, I would like it configured so if multiple "Unique Alerts" are detected coming from the same IP address in a fixed period of time (say 5 or 10 minutes) then issue a page to one or more pagers.
Has anyone set-up snort in this way and if so, could you please give me some ideas on how to tackle this.
Cheers & Thanks
-
i don't know how to set-up snort like that, but what about the paging app...
BASIC
Code:
OPEN "COM1:" FOR OUTPUT AS #1        ' open the serial port the modem is on
PRINT #1, "ATDT 555-1234"            ' Hayes dial command: call the paging service
SLEEP 20                             ' wait for the call to connect
PRINT #1, "ATDT 31337*911"           ' send the pager code as touch-tones
CLOSE #1                             ' hang up / release the port
this is obviously crude, but if you do want any help with that part... i'd be willing to spiffy that code up a bit (what platform?) hope i can help :D
i remember posting a tutorial that i wrote on using Hayes Commands, etc...
the tutorial should be enough to explain...
i'll look up some stuff on snort.org too...
-
If you use that code I believe you will also need the Sleep API which is
Code:
Public Declare Sub Sleep Lib "kernel32" Alias "Sleep" (ByVal dwMilliseconds As Long)
-
Re: Snort Paging.
Quote:
Originally posted here by DjM
We are currently running Snort & ACID to monitor our DMZ. One thing I would like to do, and my techies here aren't sure how to do it, is send out a page if an attack is detected. Ideally, I would like it configured so if multiple "Unique Alerts" are detected coming from the same IP address in a fixed period of time (say 5 or 10 minutes) then issue a page to one or more pagers.
Has anyone set-up snort in this way and if so, could you please give me some ideas on how to tackle this.
Cheers & Thanks
Umm.. What platform are you running snort on?
-
Re: Re: Snort Paging.
Quote:
Originally posted here by MsMittens
Umm.. What platform are you running snort on?
Hi MsMittens, we're running it on Linux (Red Hat), not sure what version, but if you need it I'll check.
Thanks
-
No.. That's ok. I've been searching on and off over the weekend for an answer and no one seems to have anything specific. I've heard Big Brother has a plug-in of some type but it would be better if there was a simple script. The only thing I could think of was if you created a simple PERL script that dialed a number (have a simple modem that only dials out) and sent a specific code to indicate the type of breach (Obviously you don't want to be paged for simple scans or code red).
And no.. I don't have the code.. =P
-
Quote:
Originally posted here by MsMittens
but it would be better if there was a simple script.
Thanks, and you're right, a 'simple script' is what I was looking for. I have seen a few ideas using Swatch on the snort logs, but I haven't really found anything specific.
Thanks again, if anything pops to mind, let me know.
Cheers:
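One way to do the correlation DjM asked for in the first post (several distinct alerts from one source IP inside a 5-minute window, then page), with the "don't page me for scans or Code Red" filter MsMittens mentioned. This is an added example, not code from anyone in this thread; it assumes Snort's "fast" alert line layout and the sample alert lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches one line of Snort's "fast" alert output (assumed format, as written by snort -A fast):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->"
)

class AlertCorrelator:
    def __init__(self, window=timedelta(minutes=5), threshold=3, ignore_sids=(), year=2003):
        self.window, self.threshold, self.year = window, threshold, year
        self.ignore_sids = set(ignore_sids)        # noisy signatures (scans, Code Red) never counted
        self.recent = defaultdict(deque)           # src ip -> deque of (time, sid) inside the window
        self.pages = []                            # (src, time, sorted unique sids) for each page sent

    def feed(self, line):
        """Feed one alert line; returns a page message when the threshold is crossed, else None."""
        m = ALERT_RE.match(line)
        if not m or m["sid"] in self.ignore_sids:
            return None
        ts = datetime.strptime(f"{self.year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")  # fast format has no year
        q = self.recent[m["src"]]
        q.append((ts, m["sid"]))
        while q and ts - q[0][0] > self.window:    # drop this source's alerts older than the window
            q.popleft()
        unique = sorted({sid for _, sid in q})     # "unique alerts" = distinct signature ids
        if len(unique) < self.threshold:
            return None
        q.clear()                                  # one burst -> one page, not one per extra alert
        self.pages.append((m["src"], ts, unique))
        return f"PAGE {ts:%H:%M} {m['src']} {len(unique)} unique alerts: {' '.join(unique)}"

def correlate(lines, **kw):
    # Run every line through one correlator; the pages it returns are what you would hand to the modem script
    c = AlertCorrelator(**kw)
    return [p for p in (c.feed(l) for l in lines) if p]

# Constructed sample alerts (not real traffic); addresses are RFC 1918 placeholders.
SAMPLE = """\
08/10-14:00:00.000123  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.10:1034 -> 10.0.0.5:80
08/10-14:00:10.000456  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 172.16.5.5 -> 10.0.0.5
08/10-14:01:30.000789  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.10:1035 -> 10.0.0.5:80
08/10-14:02:00.000012  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.10:1036 -> 10.0.0.5:80
08/10-14:03:45.000345  [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.10:1037 -> 10.0.0.5:80
08/10-14:09:00.000678  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 172.16.5.5:2001 -> 10.0.0.5:80
08/10-14:20:00.000901  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 172.16.5.5:2002 -> 10.0.0.5:80
""".splitlines()
```

Running `correlate(SAMPLE)` pages once for 192.168.1.10 (three distinct signatures within four minutes) and never for 172.16.5.5, whose alerts are spread more than five minutes apart; pass `ignore_sids=["1:1256:7"]` to keep Code Red out of the count entirely.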