An alchemists view from the bar

Network Security Alchemy

Posts Tagged ‘alerts’

TweetYard – Sourcefire and Snort alerts to Twitter


Update: You can download TweetYard here.

There has been some discussion of late on the snort-* lists regarding unified alerting vs. direct DB access.

I stopped storing events in a DB years back, when I stopped using ACID (and yes, that was back in the day before BASE came into being). My personal Snort requirements are pretty simple, and fast output has always worked well for me, linked with a load of swatch-foo and custom Perl scripts. After hanging my head in shame for not converting to unified yet (the cobbler's children clearly have no shoes over here) I thought it would be wise to put some effort in.

I used to receive all of my Snort IDS events via email, but email is *so* web 1.0. So I thought I would hook into Twitter for real-time alerting 🙂

So far, so good, and it only took about an hour to build. Kudos to Jason Brvenik for his snort-unified.pm and sample barnyard replacement; it was a good base for what I wanted to hack together. Because I put this together for fun more than anything else, feel free to follow a censored Twitter feed of my IPS events (if you didn't have enough to deal with already). I have blanked the IPs of my protected systems in an attempt to raise the smarts-to-abuse bar 0.2 inches above short-skiddie tall.

I will upload the code when I get a spare couple of minutes, but as I will be attached to the Sourcefire booth @ Infosecurity London for the next three days it may take a while. Hooking it into Sourcefire’s Estreamer is also on the cards the next time I get some down-time.

If anyone is at the show, feel free to drop by the Sourcefire booth and say hi (and to bring me a Coffee at the same time).

-Leon

Written by leonward

April 27, 2009 at 6:35 pm

Posted in Security, snort, Sourcefire, Uncategorized


Formatted Snort alerts in your e-mail


… As if you don’t have enough email to read as it is.

People commonly expect Snort to provide many systems that are well out of scope of its design, including:

  • Event analysis UI’s
  • Real-time e-mail alerts
  • Graphical configuration tools
  • The kitchen sink
  • Reporting functions

The list goes on …

There are many external tools that provide all of these functions. Please remember that Snort is a high-performance network intrusion detection/prevention engine and not a complete IPS solution on its own. Many commercial offerings use Snort as the detection engine but bundle their own management and reporting framework around it, including <blatant plug> Sourcefire </blatant plug>.

Swatch is the most commonly used lightweight method of performing an active response when Snort raises an event, and this includes sending email. When I teach Snort classes I find that students quickly get to grips with how to use swatch, but still need a hand getting a formatted email out of the system.

To make this a simpler task, I threw together this simple script to provide nice email alerts with impact and advice on how to react to the event.
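As an added illustration (not the script from this post, and not TweetYard's code), here is a Python formatter for the kind of Snort fast-format alert line that swatch tails: it parses the line, builds an e-mail with an impact rating and advice, and blanks addresses on the protected network the way the censored TweetYard feed above does. The 192.0.2.0/24 HOME_NET, the mail addresses, the priority-to-advice wording and the sample alert line are all constructed assumptions.

```python
import re
from email.message import EmailMessage
from ipaddress import ip_address, ip_network

# One Snort "fast" alert line, as found in the file swatch tails. Constructed sample, not real traffic.
SAMPLE = ("04/27-18:35:12.123456  [**] [1:1000001:3] LOCAL Suspicious inbound probe [**] "
          "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40123 -> 192.0.2.20:1434")

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")

# Priority -> (impact, advice). Hypothetical wording; the original script's text is not on the page.
IMPACT = {1: ("HIGH", "Investigate now; isolate the target host if compromise is confirmed."),
          2: ("MEDIUM", "Review the packet capture and the rule before acting."),
          3: ("LOW", "Informational; watch for repeats from this source.")}
PROTECTED = ip_network("192.0.2.0/24")  # assumption: our HOME_NET, blanked in the mail body

def parse_fast_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fast-format alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a.update((k, int(a[k])) for k in ("gid", "sid", "rev", "prio"))
    return a

def redact(ip):
    """Blank addresses on the protected network, as the censored TweetYard feed does."""
    return "x.x.x.x" if ip_address(ip) in PROTECTED else ip

def format_alert_email(line, mail_from="snort@example.invalid", mail_to="soc@example.invalid"):
    """Build the e-mail for one alert line; sending it (e.g. via smtplib) is left to the caller."""
    a = parse_fast_alert(line)
    if a is None:
        return None
    impact, advice = IMPACT.get(a["prio"], ("UNKNOWN", "No guidance defined for this priority."))
    msg = EmailMessage()
    msg["From"], msg["To"] = mail_from, mail_to
    msg["Subject"] = f"[Snort {impact}] {a['msg']} ({a['gid']}:{a['sid']}:{a['rev']})"
    msg.set_content(
        f"Time:           {a['ts']}\n"
        f"Signature:      {a['msg']}\n"
        f"Classification: {a['cls'] or 'n/a'} (priority {a['prio']})\n"
        f"Flow:           {a['proto']} {redact(a['src'])}:{a['sport'] or '-'} -> {redact(a['dst'])}:{a['dport'] or '-'}\n"
        f"Impact:         {impact}\nAdvice:         {advice}\n")
    return msg
```

A swatch rule that matches `[**]` in the alert file and pipes the line into this script is all that is needed to wire it up; lines that do not parse (a rule without a classtype still parses, since the classification field is optional) come back as None rather than a malformed mail.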

Let me know if you find it useful.

Written by leonward

May 24, 2008 at 6:02 pm

Posted in Security
