Re: R: invio di un alert di snort da swatch

Ciao

> Ciao
> Mi rifaccio alla tua mail in quanto anch'io avrei esigenza di ricevere via
> email i log di snort e non so come fare
> se hai idee gentilmente potresti comunicarmele.

Questo e' un esempio che ho trovato in giro nn ho ancora avuto tempo di lavorarci, lo solamente inserito pari pari nel file .swatchrc e provato a lanciarlo e mi andava in errore, appena ci faccio qualcosa di buono lo posto in lista.

#
perlcode my $timestamp_regex="^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{1,2}:\d{1,2}:\d{1,2}\s+";
 
#Notify security when snort sees any evidence of NETBIOS alerts.
#Our network configuration means this can only happen when Nimda and friends
#are loose...
 
watchfor / snort: .*NETBIOS/
        echo
        throttle 00:10:00,use="${timestamp_regex} snort: .*NETBIOS"
        pipe /usr/local/bin/newswatchlogger throttle Pacific/Auckland sec@xxxxxxxxxxxxx IDS Event Potential NetBIOS Trojan activity - investigate
 
 
 
#Notify security when snort sees any alert initiated by an internal address
#Obviously this implies an internal host is doing something naughty - which
#is typically a bad sign...
#Here the internal address space is 172.16.0.0 and 192.168.1.0
 
watchfor / snort: .* (172\.16|192\.168\.1)\.[0-9\.]+:[0-9]+ \-\> /
        echo
        throttle 00:10:00,use="${timestamp_regex} snort: .* (172\.16|192\.168\.1)\.[0-9\.]+:[0-9]+ \-\> "
        pipe /usr/local/bin/newswatchlogger throttle Pacific/Auckland sec@xxxxxxxxxxxxx IDS Event unusual activity from or against Corporate host - investigate



byezz

Matteo

________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List