Posts Tagged ‘alerts’
Update: You can download tweetyard here.
There has been some discussion of late on the snort-* lists regarding unified alerting vs. direct DB access.
I stopped storing events in a DB years back when I stopped using ACID (and yes, that was back-in-the-day before BASE came into being). My personal Snort requirements are pretty simple, and fast output has always worked well for me linked with a load of swatch-foo and custom perl scripts. After hanging my head in shame for not converting to unified yet (the cobbler's children clearly have no shoes over here) I thought it would be wise to put some effort in.
I used to receive all of my Snort IDS events via email, but email is *so* web 1.0. So I thought I would hook into Twitter for real-time alerting 🙂
So far, so good, and it only took about an hour to build. Kudos to Jason Brvenik for his snort-unified.pm and sample barnyard replacement; it was a good base for what I wanted to hack together. Because I put this together for fun more than anything else, feel free to follow a censored Twitter feed of my IPS events (if you didn’t have enough to deal with already). I have blanked the IPs of my protected systems in an attempt to raise the smarts-to-abuse bar 0.2 inches above short-skiddie tall.
I will upload the code when I get a spare couple of minutes, but as I will be attached to the Sourcefire booth @ Infosecurity London for the next three days it may take a while. Hooking it into Sourcefire’s Estreamer is also on the cards the next time I get some down-time.
If anyone is at the show, feel free to drop by the Sourcefire booth and say hi (and to bring me a Coffee at the same time).
… As if you don’t have enough email to read as it is.
People commonly expect Snort to provide many systems that are well out of scope of its design, including:
- Event analysis UI’s
- Real-time e-mail alerts
- Graphical configuration tools
- The kitchen sink
- Reporting functions
The list goes on …
There are many external tools that provide all of these functions; please remember that Snort is a high-performance network intrusion detection/prevention engine and not a complete IPS solution on its own. Many commercial offerings use Snort as the detection engine but bundle their own management and reporting framework around it, including <blatant plug> Sourcefire </blatant plug>.
Swatch is the most commonly used light-weight method of performing an active response when Snort raises an event, and this includes sending email. When I teach Snort classes I find that students quickly get to grips with how to use swatch, but still need a hand getting a formatted email out of the system.
To make this a simpler task, I threw together this simple script to provide nice email alerts with impact and advice on how to react to the event.
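As an added illustration of the two pieces this page talks about (turning a Snort fast-format event into a formatted email with impact and advice, and blanking the addresses of protected hosts before an alert goes anywhere public, as the tweetyard feed does), here is a small Python example. It is not the author's script, not tweetyard, and not part of swatch; the author's own tooling is swatch plus perl. The sample log lines, the SIDs in the local 1000000+ range, the 192.168.1.0/24 "protected" network, the example.invalid addresses and the advice text are all constructed for this example. The priority numbers 1 to 4 follow the scale in Snort's default classification.config.

```python
import re
from email.message import EmailMessage
from ipaddress import ip_address, ip_network

# Snort "-A fast" line layout. The optional "<iface>" field appears when Snort
# is started with an interface name; ports are absent for ICMP.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+(?:<(?P<iface>[^>]+)>\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)

# Priority 1 (high) .. 4 (very low) as in Snort's default classification.config.
# The impact label and advice text are constructed for this example.
IMPACT = {
    1: ("HIGH", "Treat as an active compromise attempt: isolate the target host and pull its logs now."),
    2: ("MEDIUM", "Check whether the target service is exposed and patched; review other events from this source."),
    3: ("LOW", "Likely reconnaissance or policy noise; note the source and watch for escalation."),
    4: ("INFO", "Informational; no action unless it correlates with higher-priority events."),
}

# Constructed example of the "protected" address space to blank in public output.
PROTECTED_NETS = [ip_network("192.168.1.0/24")]

# Constructed sample alert_fast output (local-rule SIDs, RFC 1918 addresses).
SAMPLE_LOG = """\
05/20-14:32:11.123456  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 10.0.0.5:54321 -> 192.168.1.10:22
05/20-14:32:12.000001  [**] [1:1000002:1] LOCAL ICMP echo reply from server [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 10.0.0.5
this line is not an alert and is skipped
"""


def parse_fast_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        ev[key] = int(ev[key])
    ev["sport"] = int(ev["sport"]) if ev["sport"] else None
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev


def redact_ip(addr):
    """Blank an address that falls inside a protected network; pass others through."""
    ip = ip_address(addr)
    return "[protected]" if any(ip in net for net in PROTECTED_NETS) else addr


def fmt_endpoint(ip, port, public):
    """Render ip[:port], blanking protected hosts when the output is public."""
    shown = redact_ip(ip) if public else ip
    return f"{shown}:{port}" if port is not None else shown


def build_alert_email(ev, sender, recipient, public=False):
    """Build an EmailMessage carrying the event, its impact level and what to do about it."""
    level, advice = IMPACT.get(
        ev["prio"], ("UNKNOWN", "Priority not in classification.config; review manually."))
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"[Snort {level}] {ev['msg']} ({ev['gid']}:{ev['sid']}:{ev['rev']})"
    conn = (f"{ev['proto']} {fmt_endpoint(ev['src'], ev['sport'], public)} -> "
            f"{fmt_endpoint(ev['dst'], ev['dport'], public)}")
    msg.set_content("\n".join([
        f"Time:           {ev['ts']}",
        f"Signature:      {ev['msg']}",
        f"Classification: {ev['cls'] or 'n/a'}",
        f"Priority:       {ev['prio']} ({level})",
        f"Connection:     {conn}",
        "",
        f"Advice: {advice}",
    ]))
    return msg


def process_log(text, sender="snort@example.invalid", recipient="soc@example.invalid", public=False):
    """Parse every line of alert_fast output and return one message per alert."""
    messages = []
    for line in text.splitlines():
        ev = parse_fast_alert(line)
        if ev:
            messages.append(build_alert_email(ev, sender, recipient, public))
    return messages


if __name__ == "__main__":
    # Hand each message to smtplib (or a swatch "exec" hook) in real use; here we just print.
    for m in process_log(SAMPLE_LOG, public=True):
        print(m.as_string())
        print("-" * 60)
```

In a swatch setup the `process_log` call would be driven per line by a `watchfor` rule's `exec` action reading the fast alert file; the `public` flag is what decides whether protected hosts are blanked, so the same formatter serves both the internal mailbox and a censored public feed.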
Let me know if you find it useful.