Re: alert messages
From: SecurIT Informatique Inc. (securit_at_iquebec.com)
Date: 03/04/04
- Previous message: Steve Paine: "RE: blocking p2p traffic"
- In reply to: Rodrigo B. Ramos: "alert messages"
- Next in thread: Phil Hollows: "RE: alert messages"
- Reply: Phil Hollows: "RE: alert messages"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 04 Mar 2004 15:31:46 -0500
To: "Rodrigo B. Ramos" <rodrigo.ramos@triforsec.com.br>
Hello.
I don't think there's any simple "math" to adequately answer your request,
especially with so few specifics about the kind of alerts your
sensor deals with. Anyway, that's not the point.
I have made a tool called LogAgent Pro 5.2 that was created partly in order
to help solve this kind of problem. LogAgent is a log file monitoring and
analysis program, which will monitor in real time any ASCII log file and
the Event Viewer and apply rules you have defined relating to the
appropriate fields for each log. Data can be gathered together in simple
reports, which you can send when a certain number of alerts is reached
and/or when a specified amount of time has elapsed. So, if you're receiving
65000 alerts from a noisy port scan, you can easily gather them into
reports of 1000 events each, which would generate only 65 messages, while
still catching less noisy scans by sending a report when a time limit
is reached without waiting to have collected 1000 events. You can also use
this to get notified on Priority 1 alerts only, etc.
One of the rules you can use with LogAgent allows you to call external
programs (like an SMS messaging program or a pager system), and pass log
data as parameters so you can customize your alert messages beyond just
"You have received 1000 alerts."
It's true that you could achieve mostly the same results with some
scripting, but if you're looking for an already built solution, here it is.
You can get an eval copy of the software at http://securit.iquebec.com/.
Hope this helps.
Adam Richard
SécurIT Informatique Inc.
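The two mechanisms the reply describes, batching alerts into a report when either an event count or a time limit is reached (whichever comes first), filtering on priority, and building a message text that can be handed to an external SMS or pager program, can be sketched in a few dozen lines. The following is an added example, not LogAgent Pro code or anything from the original thread. It assumes Snort's single-line "fast" alert format, and the alert lines it processes are constructed for the example.

```python
"""Added example (not LogAgent code): batch IDS alerts into reports emitted
when either N events have been collected or a time window has elapsed,
whichever comes first, with an optional priority filter. Input is assumed
to be Snort's single-line "fast" alert format; sample lines are constructed."""
import re
from collections import Counter
from dataclasses import dataclass

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_alert(line):
    """Return a dict of alert fields, or None for lines that do not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields


@dataclass
class Report:
    count: int        # alerts summarised in this report
    first: float      # time of the first alert in the batch
    last: float       # time of the last alert in the batch
    reason: str       # "count", "time" or "final"
    top_msgs: list    # most common signature messages
    top_srcs: list    # most common source hosts


class AlertBatcher:
    def __init__(self, max_events=1000, max_seconds=600, max_priority=None):
        self.max_events = max_events      # flush once this many are collected
        self.max_seconds = max_seconds    # ...or once the batch is this old
        self.max_priority = max_priority  # keep only alerts with prio <= this
        self.reports, self.dropped = [], 0
        self._batch, self._first, self._last = [], None, None

    def _flush(self, reason):
        msgs = Counter(a["msg"] for a in self._batch)
        srcs = Counter(a["src"].rsplit(":", 1)[0] for a in self._batch)
        report = Report(len(self._batch), self._first, self._last, reason,
                        msgs.most_common(3), srcs.most_common(3))
        self.reports.append(report)
        self._batch, self._first, self._last = [], None, None
        return report

    def tick(self, now):
        """Call from a timer: flush a partial batch once the window expires,
        so a quiet, slow scan still produces a report."""
        if self._batch and now - self._first >= self.max_seconds:
            return self._flush("time")
        return None

    def feed(self, line, now):
        """Process one log line observed at time `now`; return reports emitted."""
        emitted = [r for r in [self.tick(now)] if r]
        alert = parse_alert(line)
        if alert is None:
            return emitted
        if self.max_priority is not None and alert["prio"] > self.max_priority:
            self.dropped += 1             # filtered out, never reported
            return emitted
        if not self._batch:
            self._first = now
        self._last = now
        self._batch.append(alert)
        if len(self._batch) >= self.max_events:
            emitted.append(self._flush("count"))
        return emitted

    def close(self):
        """Flush whatever is left, e.g. at shutdown."""
        return self._flush("final") if self._batch else None


def format_report(r):
    """Message text to pass as a parameter to an SMS/pager program."""
    sigs = ", ".join(f"{m} x{n}" for m, n in r.top_msgs)
    hosts = ", ".join(f"{h} x{n}" for h, n in r.top_srcs)
    return f"{r.count} alerts ({r.reason}) from {hosts}; signatures: {sigs}"


def scan_line(i, prio=3):
    """Constructed alert line imitating one probe of a port scan."""
    return (f"03/04-15:31:{i % 60:02d}.000000 [**] [1:1000001:1] "
            f"CONSTRUCTED SCAN probe [**] [Priority: {prio}] {{TCP}} "
            f"10.0.0.5:4242 -> 192.168.1.10:{1000 + i}")


def demo():
    """Constructed scenario: 2300 scan alerts in ~23 s, silence, then one
    priority-1 alert at t=700 s. Returns the reports produced."""
    b = AlertBatcher(max_events=1000, max_seconds=600)
    for i in range(2300):
        b.feed(scan_line(i), now=i * 0.01)
    b.feed(scan_line(9999, prio=1).replace("SCAN probe", "EXPLOIT attempt"), now=700.0)
    b.close()
    return b.reports


if __name__ == "__main__":
    for rep in demo():
        print(format_report(rep))
```

In the constructed scenario the 2300-alert scan collapses into two full count-based reports and one time-based remainder, and the lone priority-1 alert still gets its own message: four notifications instead of 2301. In a real deployment `tick()` would be driven by a timer rather than only by the next incoming line, so that a batch is not held open indefinitely when the log goes quiet.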
At 01:52 PM 03/03/2004, Rodrigo B. Ramos wrote:
>Hi!
>
>Can anyone help me in the following job?
>
>The X Company has more than 1000 machines (desktop and servers) on their
>WAN. They installed snort as an IDS, they are logging remotely and
>sending alerts by email and by sms to mobiles.
>
>What are the best steps to customize the alerts? The phone company
>thought that the servers were doing some spam jobs. They send many, many
>alerts and probably almost flood the phone company network.
>
>What is the best way to tell the system to send alerts? Which math
>should I use?
>
>I know I have to disable some types of rules that just can't
>affect the environment, I know I can count packets by priorities, by type of
>alerts, by packets, ... But what math can I use to send the alerts
>without flooding mail boxes and mobiles?
>
>
>Best Regards,
>--
>Rodrigo Buarque Ramos
>GPG KEY ID: 0x71CFE098 --> http://pgp.mit.edu
>Key fingerprint = F381 366D D233 22B4 7E72 A21D DE9B 2FF3 71CF E098
>55 81 88513524
>55 81 3463.1593
>http://www.triforsec.com.br
>http://www.defenselayer.com
>
>
>---------------------------------------------------------------------------
>Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
>wireless security
>
>Protect your network against hackers, viruses, spam and other risks with
>Astaro
>Security Linux, the comprehensive security solution that combines six
>applications in one software solution for ease of use and lower total cost of
>ownership.
>
>Download your free trial at
>http://www.securityfocus.com/sponsor/Astaro_focus-ids_040301
>---------------------------------------------------------------------------
>