[Emerging-Sigs] OT - reporting

Martin Holste mcholste at gmail.com
Wed Oct 13 23:18:40 EDT 2010


Some of my standard queries:

Today's unique alerts matching sig_name for Trojan and current_events
EXE/JAR downloads by country
Alerts for newly added rules
Alerts for previously infected hosts (both infector and infectee)
Alerts for any IPs on the Zeus lists (though now we usually just go
straight to the URL logs for this)

But the big one is the auto incident creation we have for certain sigs
which will automatically pull pcap for the relevant hosts and attach
it to the ticket along with the original alert.

Anything that can arrange your data so that you can make sense of it
faster or see patterns you wouldn't have before is a good thing.

On Wed, Oct 13, 2010 at 7:15 PM, waldo kitty <wkitty42 at windstream.net> wrote:
> On 10/13/2010 16:21, Weir, Jason wrote:
>> Sorry for going off topic but here I go anyway
>>
>> What are you guys running for reporting & alerting on your Snort boxes?
>
> nothing... should i be? :P
>
> but seriously... i look over the logs of snort (parsed alert file) and the
> active response tool i maintain (list of all actions taken)... other than that,
> the table of blocked systems and/or the tracker that keeps up with the
> automatically blocked systems' generated alerts...
>
>> I'm running barnyard, mysql and BASE but it leaves a little bit to be
>> desired and looking for something better..
>
> what do they offer that i should be interested in ??
>
> offlist responses are welcome ;)
>
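The report queries and the auto-incident step Martin describes, as an added example that is not part of the original post and not code from any ET or Snort tool. It runs the "unique alerts by sig class", "alerts for previously infected hosts (infector and infectee)" and "auto-create an incident with a pcap pull for certain sigs" queries over a handful of constructed Snort fast-format alert lines instead of a barnyard/MySQL store. The alert lines, hostnames, SIDs (local 9000000-range numbers, not ET rule IDs) and the auto-incident signature list are all assumptions for illustration; the "pcap pull" is represented by the BPF filter and time window a capture tool would be handed, since there is no packet store to query here.

```python
"""
Added example, not code from the list post or from any ET/Snort tool:
the daily report queries Martin lists, plus automatic incident creation
with the filter for a pcap pull, over a few constructed Snort
"fast"-format alert lines instead of a barnyard/MySQL store.
"""
import re
from collections import OrderedDict

# Constructed sample alerts in Snort fast-alert format (not real traffic;
# SIDs in the 9000000 range are local/test numbers, not ET rule IDs).
SAMPLE_ALERTS = """\
10/13-08:01:12.000001  [**] [1:9000001:2] ET TROJAN Example Win32 Binary Download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.3:49152 -> 198.51.100.7:80
10/13-08:05:40.000002  [**] [1:9000002:1] ET CURRENT_EVENTS Example Malicious JAR Download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.3:49201 -> 203.0.113.9:80
10/13-09:12:03.000003  [**] [1:9000001:2] ET TROJAN Example Win32 Binary Download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.3:49300 -> 198.51.100.7:80
10/13-09:30:00.000004  [**] [1:9000003:1] ET POLICY Example PE EXE Download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.1.2.9:51100 -> 203.0.113.9:80
10/13-10:02:17.000005  [**] [1:9000004:1] ET SCAN Example Nmap OS Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.44:6000 -> 10.1.2.9:22
"""

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Parse fast-format lines into dicts; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            a = m.groupdict()
            a["sid"] = int(a["sid"])
            alerts.append(a)
    return alerts


def unique_sigs(alerts, patterns=("TROJAN", "CURRENT_EVENTS")):
    """'Today's unique alerts matching sig_name': sig name -> hit count
    for alerts whose message carries one of the class keywords."""
    counts = OrderedDict()
    for a in alerts:
        if any(p in a["msg"] for p in patterns):
            counts[a["msg"]] = counts.get(a["msg"], 0) + 1
    return counts


def infected_hosts(alerts, infection_patterns=("TROJAN",)):
    """Both endpoints of every infection-class alert: the infectee (the
    client) and the infector (the host that served the payload)."""
    hosts = set()
    for a in alerts:
        if any(p in a["msg"] for p in infection_patterns):
            hosts.update((a["src"], a["dst"]))
    return hosts


def alerts_for_hosts(alerts, hosts):
    """'Alerts for previously infected hosts': every alert, of any class,
    that touches a known-bad host on either side."""
    return [a for a in alerts if a["src"] in hosts or a["dst"] in hosts]


def auto_incidents(alerts, auto_sids):
    """Open one incident per (sid, src, dst) for the configured signatures,
    attach every matching alert, and record the BPF filter plus time window
    a pcap pull for that conversation would use.  Keying on the host pair
    keeps a re-firing rule from opening a fresh ticket for every hit."""
    incidents = OrderedDict()
    for a in alerts:
        if a["sid"] not in auto_sids:
            continue
        key = (a["sid"], a["src"], a["dst"])
        inc = incidents.setdefault(key, {
            "title": a["msg"],
            "alerts": [],
            "bpf": "host %s and host %s" % (a["src"], a["dst"]),
            "first_seen": a["ts"],
            "last_seen": a["ts"],
        })
        inc["alerts"].append(a)
        inc["last_seen"] = a["ts"]
    return list(incidents.values())


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for sig, n in unique_sigs(alerts).items():
        print("%3d  %s" % (n, sig))
    bad = infected_hosts(alerts)
    print("alerts touching infected hosts:", len(alerts_for_hosts(alerts, bad)))
    for inc in auto_incidents(alerts, {9000001}):  # assumed auto-incident SID
        print("INCIDENT %s  pcap filter: %r  %s..%s  (%d alerts)" % (
            inc["title"], inc["bpf"], inc["first_seen"], inc["last_seen"],
            len(inc["alerts"])))
```

Against a real deployment the `SAMPLE_ALERTS` string would be replaced by the day's barnyard output or a query against the event table, and the `bpf` and first/last timestamps would be handed to whatever full-packet-capture store is in use; the dedupe key is the part worth keeping, because a rule that fires on every retry of the same download otherwise opens a ticket per packet.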

