Re: snort and auto-alert?
Patrick Hsieh, 2002-Jul-14 10:03 +0800:
> Hello list,
> I've installed snort on woody and it runs normally.
> Is there any way to make snort work with some alert system so that
> when a portscan or other attack behavior occurs, it calls the alert
> system to page the system admin or send email to the system admin?
> I need real time alert. It seems there's only cron analysis solution?
I run logcheck to monitor all my log files, including snort's. It
sends me emails with reports on "suspect" activity. I use the default
config which runs every hour, but I'm sure you can set up logcheck in
more of a realtime mode, I just haven't tried yet.
> Another question. Can snort define a certain abnormal http access
> behavior pattern, say, one single IP access on single URL multiple times
> in EVERY second? If not, is there any opensource software can achieve
I don't know about this one. Sounds interesting though.
Jeff Coppock Systems Engineer
Diggin' Debian Admin and User
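
The access pattern asked about in the second question (one IP requesting one URL several times in every second) can be checked for in a web server access log. The following is an added example, not part of the original messages and not a snort or logcheck feature; it assumes Common Log Format input, and the function names, thresholds and sample lines are hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: host ident user [time] "METHOD url PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:\S+) (\S+)[^"]*" \d{3} \S+')

def parse(line):
    """Return (ip, url, epoch_second), or None for lines that are not valid CLF."""
    m = CLF.match(line)
    if not m:
        return None
    ip, ts, url = m.groups()
    try:
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return ip, url, int(when.timestamp())

def sustained_hits(lines, min_hits=3, min_seconds=3):
    """Map (ip, url) -> longest run of consecutive seconds with >= min_hits requests each,
    keeping only pairs whose run lasts at least min_seconds (thresholds are assumptions)."""
    per_second = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec:
            per_second[rec[:2]][rec[2]] += 1
    alerts = {}
    for key, counts in per_second.items():
        busy = sorted(s for s, n in counts.items() if n >= min_hits)
        best, run, prev = 0, 0, None
        for s in busy:
            run = run + 1 if prev is not None and s == prev + 1 else 1
            best = max(best, run)
            prev = s
        if best >= min_seconds:
            alerts[key] = best
    return alerts

def sample_log():
    """Constructed sample input (documentation addresses, not real traffic)."""
    fmt = '{} - - [14/Jul/2002:10:03:{:02d} +0800] "GET {} HTTP/1.0" 200 512'
    lines = [fmt.format("192.0.2.10", s, "/login.php") for s in (1, 2, 3) for _ in range(4)]
    lines += [fmt.format("198.51.100.7", 5, "/index.html")] * 5  # one-second burst only
    lines.append("garbage line that is not CLF")  # must be skipped, not crash the scan
    return lines

if __name__ == "__main__":
    for (ip, url), secs in sustained_hits(sample_log()).items():
        print(f"ALERT {ip} {url}: sustained for {secs} consecutive seconds")
```

Requiring several consecutive busy seconds, rather than a single busy second, keeps a one-off burst such as a page reload from raising an alert.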