Generating Real-Time Alerts

Problem

You want to get real-time Snort alerts.

Solution

Use Pig Sentry to monitor Snort output and generate alerts:

[root@localhost root]# tail -f /var/log/snort/alert | perl pigsentry-1.2
[Sun Nov 7 14:40:38 2004] alert: New event: ICMP PING NMAP

Discussion

Pig Sentry is a lightweight Perl script that runs against the Snort alert log. It was written to handle a large volume of alert data in real time. Pig Sentry maintains a state table of recent alerts so that it can alert on new events, or on changes in trends or patterns of events, rather than echoing every line.

Download the latest version of Pig Sentry from http://web.solv.com/tools/pigsentry/ or http://www.snort.org/dl/contrib/data_analysis/pigsentry/. The following example shows how to run Pig Sentry, assuming you're already running Snort in NIDS mode and logging alerts to /var/log/snort:

[root@localhost root]# tail -f /var/log/snort/alert | perl pigsentry-1.2
[Sun Nov 7 14:40:38 2004] alert: New event: ICMP PING NMAP

Performing an Nmap scan generated the alert shown in this example.
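The state-table idea behind Pig Sentry, as an added Python example that is not Pig Sentry's own code: it parses the "[**] [gid:sid:rev] message [**]" header line that Snort writes in both its full and fast alert formats, reports a signature the first time it is seen, and reports it again only when it bursts within a time window. The window, threshold, and the sample log lines are constructed for the example.

```python
import re
from collections import deque

# Header line of a Snort alert (fast and full formats): "[**] [gid:sid:rev] message [**]"
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")


class AlertState:
    """State table of recent alerts: report a signature the first time it is
    seen, and again only when it bursts, instead of echoing every line."""

    def __init__(self, window=60.0, burst_threshold=5):
        self.window = window            # seconds of history kept per signature
        self.burst_threshold = burst_threshold
        self.seen = {}                  # (gid, sid) -> message text
        self.recent = {}                # (gid, sid) -> deque of arrival times

    def process(self, line, now):
        """Feed one log line with its arrival time (epoch seconds); return an
        alert string, or None when the line changes nothing worth reporting."""
        m = HEADER_RE.search(line)
        if m is None:
            return None                 # body line of a full-format alert
        key, msg = (int(m.group(1)), int(m.group(2))), m.group(4)
        times = self.recent.setdefault(key, deque())
        times.append(now)
        while now - times[0] > self.window:
            times.popleft()             # age out hits older than the window
        if key not in self.seen:
            self.seen[key] = msg
            return "New event: %s" % msg
        if len(times) == self.burst_threshold:
            return "Burst: %s seen %d times in %gs" % (msg, len(times), self.window)
        return None


def run(lines, **kwargs):
    """Replay (timestamp, line) pairs through the state table; collect alerts."""
    state = AlertState(**kwargs)
    return [a for ts, line in lines if (a := state.process(line, ts))]


# Constructed sample log: a first Nmap ping probe, a body line, a burst of the
# same probe, an unrelated signature, and a lone repeat after the window.
NMAP = "[**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2]"
SAMPLE = [(0, NMAP), (1, "11/07-14:40:38.000000 10.0.0.5 -> 10.0.0.1")]
SAMPLE += [(t, NMAP) for t in (2, 3, 4, 5)]
SAMPLE += [(6, "[**] [1:1417:9] SNMP request udp [**] [Priority: 2]"), (100, NMAP)]
```

Feeding `tail -f` output to `process()` with the current time in place of the replayed timestamps gives the same "New event" behaviour as the Pig Sentry run shown above, plus a burst alert when one signature repeats five times within a minute.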

See Also

http://web.solv.com/tools/pigsentry/

Recipe 1.18

Snort Cookbook
ISBN: 0596007914
Year: 2006
Pages: 167