RE: alert messages

From: Phil Hollows (
Date: 03/09/04

  • Next message: "Re: Entercept HIDS Question"
    To: <>
    Date: Tue, 9 Mar 2004 11:07:06 -0500

    [Disclosure: I work for a security management / log analysis vendor]

    Security event management and correlation products, such as Open's Security
    Threat Manager (see, also do what you are looking for.
    They monitor firewall, IDS, anti-virus and other sentry systems in
    real-time, and alert you based on parameters that you set. You should look
    for the ability to correlate across different vendors (e.g. Cisco PIX and
    Checkpoint FW-NG), device classes and vendors (e.g. relate IDS events from
    ISS with anti-virus data from Symantec). The most powerful systems will
    also correlate an IDS alert with whether or not the target system appears to
    be vulnerable to the attack, and relate all these events to the asset's
    value or importance to your organizations. My company's product also takes
    into account where the attack was launched from (e.g. inside the
    organization or outside).

    The benefit is that the number of alerts you see is significantly reduced,
    as the products take care of consolidating and aggregating alarms into the
    few that you require. What you get is real-time analysis and triage on
    inbound attacks which you can then action, in effect pulling the signal from
    the noise.

    Thank you,


    Phil Hollows
    VP Marketing
    OpenService, Inc.
    110 Turnpike Road, Suite 308
    Westborough, MA 01581

    -----Original Message-----
    From: SecurIT Informatique Inc. []
    Sent: Thursday, March 04, 2004 3:32 PM
    To: Rodrigo B. Ramos
    Subject: Re: alert messages


    I don't think there's any simple "math" to adequately answer your request,
    especially with so little specifics info about the kind of alerts your
    sensor deals with. Anyway, that's not the point.

    I have made a tool called LogAgent Pro 5.2 that was created partly in order
    to help solve this kind of problem. LogAgent is a log file monitoring and
    analyzing program, which will monitor in real-time any ASCII log file and
    the Event Viewer and apply rules you have defined related to the
    appropriate fields for each log. Data can be gathered together in simple
    reports, which you can send when a certain number of alerts is reached
    and/or when a specified amount of time is elapsed. So, if you're receiving
    65000 alerts from a noisy port scan, you can easily gather them into
    reports of 1000 events each, which would generate only 65 messages, while
    still catching less noisy scans by still sending a report when a time-limit
    is reached without waiting to have collected 1000 events. You can also use
    this to get notified on Priorities 1 alerts only, etc...

    One of the rules you can use with LogAgent allows you to call external
    programs (like a SMS messaging program or a pager system), and pass log
    data as parameters so you can customize your alert messages more than just
    "You have received 1000 alerts."

    It's true that you could achieve mostly the same results with some
    scripting, but if you're looking for an already built solution, here it is.

    You can get an eval copy of the software at

    Hope this helps.

    Adam Richard
    SécurIT Informatique Inc.

    At 01:52 PM 03/03/2004, Rodrigo B. Ramos wrote:

    >Can anyone help me in the following job?
    >The X Company has more than 1000 machines (desktop and servers) on their
    >WAN. They installed snort as an IDS, they are logging remotely and
    >sending alerts by email and by sms to mobiles.
    >What are the best steps to customize the alerts? The phone company
    >thought that the servers were doing some spam jobs. They send many, many
    >alerts and probably almost flood the phone phone company network.
    >What is the best way to tell the system to send alerts? Which math
    >should I use?
    >I know I can know have to disable some types of rules that just can't
    >affect the ambient, I know I can count packets by priorities, by type of
    >alerts, by packets, ... But what math can I use to send the alerts
    >without flooding mail boxes and mobiles?
    >Best Regards,
    >Rodrigo Buarque Ramos
    >GPG KEY ID: 0x71CFE098 -->
    >Key fingerprint = F381 366D D233 22B4 7E72 A21D DE9B 2FF3 71CF E098
    >55 81 88513524
    >55 81 3463.1593
    >Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
    >wireless security
    >Protect your network against hackers, viruses, spam and other risks with
    >Security Linux, the comprehensive security solution that combines six
    >applications in one software solution for ease of use and lower total cost
    >Download your free trial at
    >Un mot doux à envoyer? Une sortie ciné à organiser? Faites le en temps
    >réel avec MSN Messenger! C'est gratuit!

    Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
    wireless security

    Protect your network against hackers, viruses, spam and other risks with Astaro
    Security Linux, the comprehensive security solution that combines six
    applications in one software solution for ease of use and lower total cost of

    Download your free trial at

  • Next message: "Re: Entercept HIDS Question"