An alchemists view from the bar

Network Security Alchemy

TweetYard – Sourcefire and Snort alerts to Twitter


Update: You can download tweetyard here.

There has been some discussion of late on the snort-* lists regarding Unified alerting vs direct DB access.

I stopped storing events in a DB years back when I stopped using ACID (and yes, that was back in the day before BASE came into being). My personal Snort requirements are pretty simple, and fast output has always worked well for me linked with a load of swatch-foo and custom perl scripts. After hanging my head in shame for not converting to unified yet (the cobbler's children clearly have no shoes over here) I thought it would be wise to put some effort in.

I used to receive all of my Snort IDS events via email, but email is *so* web 1.0. So I thought I would hook into Twitter for real-time alerting 🙂

So far, so good, and it only took about an hour to build. Kudos to Jason Brvenik for his snort-unified.pm and sample barnyard replacement; it was a good base for what I wanted to hack together. Because I put this together for fun more than anything else, feel free to follow a censored Twitter feed of my IPS events (if you didn't have enough to deal with already). I have blanked the IPs of my protected systems in an attempt to raise the smarts-to-abuse bar 0.2 inches above short-skiddie tall.
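As an added example (not the TweetYard code, which the post describes as Perl built on snort-unified.pm), here is a Python sketch of the censoring step: parse a Snort fast-format alert line, replace any address that falls inside a protected range with a placeholder, and trim the result to tweet length. The sample alert lines and the 192.168.1.0/24 protected range are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample Snort "fast" output lines (not real events).
SAMPLE_ALERTS = [
    "04/27-18:35:12.123456  [**] [1:2000001:3] EXAMPLE web scanner seen [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "203.0.113.7:51234 -> 192.168.1.10:80",
    "04/27-18:36:01.000001  [**] [1:2000002:1] EXAMPLE outbound beacon [**] "
    "[Priority: 3] {UDP} 192.168.1.22:53211 -> 198.51.100.9:53",
]

# Hypothetical protected (HOME_NET) ranges; an operator would use their own.
PROTECTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Snort fast format: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# (optional) [Priority: n] {proto} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[0-9a-fA-F.:]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[0-9a-fA-F.:]+):(?P<dport>\d+)$"
)


def parse_fast_alert(line):
    """Return the alert fields as a dict, or None if the line is not fast format."""
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None


def redact_ip(ip_text):
    """Blank an address if it belongs to a protected network, else pass it through."""
    ip = ipaddress.ip_address(ip_text)
    return "x.x.x.x" if any(ip in net for net in PROTECTED_NETS) else ip_text


def alert_to_tweet(line, limit=140):
    """Build a public-safe, length-limited summary of one alert line."""
    a = parse_fast_alert(line)
    if a is None:
        return None
    text = "[{}:{}] {} {} {}:{} -> {}:{} P{}".format(
        a["gid"], a["sid"], a["msg"], a["proto"],
        redact_ip(a["src"]), a["sport"], redact_ip(a["dst"]), a["dport"], a["pri"])
    return text if len(text) <= limit else text[:limit - 1] + "…"
```

Lines that do not parse are dropped rather than posted, so a malformed or unexpected record never leaks raw content to the public feed.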

I will upload the code when I get a spare couple of minutes, but as I will be attached to the Sourcefire booth @ Infosecurity London for the next three days it may take a while. Hooking it into Sourcefire’s Estreamer is also on the cards the next time I get some down-time.

If anyone is at the show, feel free to drop by the Sourcefire booth and say hi (and to bring me a Coffee at the same time).

-Leon


Written by leonward

April 27, 2009 at 6:35 pm

Posted in Security, snort, Sourcefire, Uncategorized


4 Responses


  1. Get your own coffee, biatch!

    Meatpieandtatters

    April 27, 2009 at 10:58 pm

    • And nobody did come by with coffee for me.

      leonward

      May 5, 2009 at 9:01 am

  2. […] This post was Twitted by JoelEsler […]

    Twitted by JoelEsler

    April 28, 2009 at 3:20 pm

  3. […] TweetYard – Sourcefire and Snort alerts to Twitter « An alchemists view from the bar Probably about as useful as tweeting your OSSEC alerts…but still kind of cool. (tags: security snort alerts twitter) […]
