emails on the "High Severity" (red) alerts


Joseph Spenner

May 21, 2014, 5:45:18 PM
to Security Onion

Hello, I'm curious if it's possible to configure Snorby such that it only emails on the "High Severity" (red) alerts as displayed in the GUI?
I checked out the /etc/nsm/securityonion/sguild.email file, and saw the option for EMAIL_CLASSES.  I am guessing I could find all of those which are "High Severity".  Is that the only way?
 

Doug Burks

May 26, 2014, 6:01:42 AM
to securit...@googlegroups.com
Hi Joseph,

To clarify, /etc/nsm/securityonion/sguild.email is for Sguil, not
Snorby. However, you can certainly use it to generate emails. Just
remember that any changes to the file require a restart of the Sguil
daemon:

sudo nsm_server_ps-restart



--
Doug Burks

Joseph Spenner

May 26, 2014, 6:26:30 AM
to securit...@googlegroups.com
 

Doug:
  Thanks for the reply!
  How would I modify the config to only email on the High Severity?  Is this possible, without configuring for each possible alert?

Doug Burks

May 27, 2014, 5:48:43 AM
to securit...@googlegroups.com
From sguild.email:

# EMAIL_PRIORITIES: Space delimited list of priorities from the snort classification.conf
# that you want to be emailed (paged) when an event matching that priority is received.
# Use the integers 1-5
# 0=none
#set EMAIL_PRIORITIES 1 2

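The change Doug describes, as an added example that is not part of the thread and not Security Onion's own tooling: a small POSIX sh helper that sets EMAIL_PRIORITIES in sguild.email (replacing the commented example line, or any live one, rather than leaving two settings in the file) and then runs the restart command from his earlier reply. The sguild.email path is the one named in the thread; the function names and the SGUILD_EMAIL variable are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread or from Security Onion): switch Sguil's
# e-mail alerting to a chosen priority list by editing sguild.email, then
# restart sguild as Doug's reply requires.

SGUILD_EMAIL=${SGUILD_EMAIL:-/etc/nsm/securityonion/sguild.email}

# set_email_priorities FILE PRIORITIES
# Turn the first "set EMAIL_PRIORITIES ..." line (commented example or live
# setting) into "set EMAIL_PRIORITIES <PRIORITIES>"; comment out any further
# live copies so only one setting is in force; append one if none exists.
set_email_priorities() {
    file=$1
    prios=$2
    tmp="$file.tmp.$$"
    awk -v new="set EMAIL_PRIORITIES $prios" '
        /^#*[ ]*set EMAIL_PRIORITIES/ {
            if (!done) { print new; done = 1 }          # first match becomes the live setting
            else if ($0 !~ /^[ ]*#/) print "#" $0       # later live copies are disabled
            else print                                  # other commented copies are left alone
            next
        }
        { print }
        END { if (!done) print new }                    # no such line at all: append one
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# email_priorities FILE
# Print the live EMAIL_PRIORITIES value (empty when no live line exists).
email_priorities() {
    sed -n 's/^set EMAIL_PRIORITIES[[:space:]]*//p' "$1" | tail -n 1
}

# restart_sguild
# The restart command from Doug's reply; only attempted where it exists.
restart_sguild() {
    if command -v nsm_server_ps-restart >/dev/null 2>&1; then
        sudo nsm_server_ps-restart
    else
        echo "nsm_server_ps-restart not found: not a Security Onion server?" >&2
        return 1
    fi
}

# Usage on the server (root is needed to write under /etc/nsm):
#   set_email_priorities "$SGUILD_EMAIL" 1 && restart_sguild
```

The awk pass is deliberate: a plain sed substitution on every matching line would turn both the commented "#set EMAIL_PRIORITIES 1 2" example and any existing live line into two live settings, and which one sguild honours would then depend on its parser. Passing "1 2" keeps the file's default; passing "0" (per the comment in the file) disables priority-based mail entirely.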

Joseph Spenner

May 27, 2014, 11:25:11 AM
to securit...@googlegroups.com

> From: Doug Burks <doug....@gmail.com>
>
> From sguild.email:
>
> # EMAIL_PRIORITIES: Space delimited list of priorities from the snort classification.conf
> # that you want to be emailed (paged) when an event matching that priority is received.
> # Use the integers 1-5
> # 0=none
> #set EMAIL_PRIORITIES 1 2

So how do the 3 possible severities in Snorby map to the 5 possible priorities in the config file?



Doug Burks

May 27, 2014, 11:26:44 AM
to securit...@googlegroups.com
If you want High Severity (Priority), I believe you should set
EMAIL_PRIORITIES to 1. Try it and see!
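Before taking Doug's "try it and see" advice it helps to know exactly which alerts "EMAIL_PRIORITIES 1" will match, because sguild.email takes its priorities from Snort's classification file, where each classtype carries a number. The following is an added example, not from the thread and not Security Onion's own code: a POSIX sh helper that reads a classification file and lists the classtypes at a given priority list, plus the EMAIL_CLASSES line Joseph first considered building by hand. The sample classification file is constructed for this example (modelled on the stock Snort one), the function names are this example's own, and the assumption that EMAIL_CLASSES takes a space-delimited list of classtype names is flagged in the code.

```sh
#!/bin/sh
# Added example (not from the thread or from Security Onion): read Snort's
# classification file, which sguild.email's EMAIL_PRIORITIES refers to, and
# list the classtypes a given priority list would e-mail.

# classtypes_for_priority CONF "P [P ...]"
# Print the classtype short names whose priority is in the space-delimited
# list, i.e. what "set EMAIL_PRIORITIES P ..." would match. Lines look like
#   config classification: <name>,<description>,<priority>
# The priority is taken from the last comma field, so descriptions containing
# commas are handled; surrounding blanks (", 2") are ignored.
classtypes_for_priority() {
    awk -v want="$2" '
        BEGIN { nw = split(want, w, " "); for (i = 1; i <= nw; i++) keep[w[i]] = 1 }
        /^[ \t]*config[ \t]+classification[ \t]*:/ {
            sub(/^[ \t]*config[ \t]+classification[ \t]*:[ \t]*/, "")
            n = split($0, f, ",")
            if (n < 3) next
            gsub(/[ \t]/, "", f[n]); gsub(/[ \t]/, "", f[1])
            if (f[n] in keep) print f[1]
        }' "$1"
}

# priority_summary CONF
# Print "<priority> <count>" per priority, ascending, to see the spread.
priority_summary() {
    awk '
        /^[ \t]*config[ \t]+classification[ \t]*:/ {
            n = split($0, f, ",")
            if (n >= 3) { gsub(/[ \t]/, "", f[n]); c[f[n]]++ }
        }
        END { for (p in c) print p, c[p] }' "$1" | sort -n
}

# email_classes_for_priority CONF "P [P ...]"
# The other route Joseph considered: enumerate EMAIL_CLASSES instead.
# ASSUMPTION: the value is a space-delimited list of classtype names; check
# the EMAIL_CLASSES comment block in your own sguild.email before using it.
email_classes_for_priority() {
    printf 'set EMAIL_CLASSES %s\n' \
        "$(classtypes_for_priority "$1" "$2" | tr '\n' ' ' | sed 's/ *$//')"
}

# write_sample_classification CONF
# Constructed sample for this example, modelled on Snort's classification
# file; not the real file from any system.
write_sample_classification() {
    cat > "$1" <<'EOF'
# constructed sample, modelled on Snort's classification.conf
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
config classification: misc-activity,Misc activity,3
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: web-application-attack,Web Application Attack,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: shellcode-detect,Executable code was detected,1
config classification: icmp-event,Generic ICMP event,3
EOF
}

# Demo against the sample (on a sensor, point the functions at your own
# Snort classification file instead):
#   write_sample_classification /tmp/classification.conf
#   priority_summary /tmp/classification.conf
#   classtypes_for_priority /tmp/classification.conf 1
#   email_classes_for_priority /tmp/classification.conf "1 2"
```

Running priority_summary against the real file on a sensor shows why the priority route is the practical one: the priority-1 set is small and stable, whereas an EMAIL_CLASSES list has to be regenerated whenever the classification file changes with a rule update.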