Snort alert script


johnsmi...@gmail.com

Aug 5, 2016, 10:23:29 AM
to security-onion
Hi,

I have a Snort instance generating alerts. I can see these alerts in SGUIL, squert, and ELSA, as expected.

I want to create a script such that when I see a high priority alert (like a 1), the script will make a certain API/POST request to a server.

The script would mainly need to know the priority (or classtype if priority isn't available) and source IP for the alert. This is not an email alert.

How can I accomplish this? Are the alerts with such information logged somewhere? Do I need to make a configuration change? Are they easy to parse/what would be the best way to parse them?

I see some logs in /var/log/security-onion-eth1/ but I'm not sure if that's the only location or the best way to go about finding the alerts. The script ideally should be running in real time, meaning as soon as an alert is detected, a request is sent out.

Any help will be appreciated. Thank you.

Kevin Branch

Aug 5, 2016, 11:13:53 AM
to securit...@googlegroups.com
Well, you could have your script tail /var/log/nsm/securityonion/sguild.log for lines containing "Alert Received:". Those lines include the basic metadata associated with Snort events as they occur. You could even configure OSSEC to monitor /var/log/nsm/securityonion/sguild.log for specific Snort alerts and to call a custom active response script to take action about them. Or you could interact with the securityonion_db mysql database. Start with the event table.

Perceiving which Snort events are truly of a high priority is not a simple task though. I have never found the Snort rule class types and associated priority numbers to be of much help when trying to automate the generation of administrative alerts about "important" Snort events. There are many factors to consider in auto-classification of events, some of which can be very site specific. I ended up building a rule set that a script uses to evaluate Snort events to determine what, if any, administrative action should be taken (like cell phone page, admin email, or auto-quarantine of the local host). It's another layer of rules, but it has enabled me to stay aware of high value Snort events in near real time.

Regards,
Kevin


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.
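As an added illustration of the tail-the-log approach above (this is example code written for this page, not Kevin's script or anything shipped with Security Onion), the watcher below follows sguild.log, picks out "Alert Received:" lines, runs each one through a small second layer of rules of the kind Kevin describes, and POSTs a JSON payload for the ones that qualify. The field layout of the "Alert Received:" line is an assumption constructed for the example (status, priority, classtype, sensor, {event time}, sensor id, cid, {message}, source IP, destination IP, ...); check it against a few real lines in your own sguild.log and adjust the regex before relying on it. The sample lines, the endpoint URL and the rule thresholds are likewise constructed placeholders.

```python
"""Follow sguild.log, parse "Alert Received:" lines, apply a rule layer, POST the hits.

Example code for this thread, not Security Onion's own. The line layout the
regex expects is an ASSUMPTION constructed for the example; verify it against
your own /var/log/nsm/securityonion/sguild.log before use.
"""
import json
import re
import sys
import time
import urllib.request
from typing import Callable, Iterator, List, Optional, Tuple

# Constructed sample lines in the ASSUMED layout (not captured from a real sensor).
SAMPLE_LOG = """\
2016-08-05 10:23:29 pid(1234)  Alert Received: 0 3 misc-activity so-eth1-1 {2016-08-05 10:23:28} 3 4001 {ET POLICY Example} 10.0.0.5 198.51.100.7 6 49152 80
2016-08-05 10:23:31 pid(1234)  Alert Received: 0 1 trojan-activity so-eth1-1 {2016-08-05 10:23:30} 3 4002 {ET TROJAN Example Beacon} 10.0.0.9 203.0.113.4 6 50001 443
2016-08-05 10:23:33 pid(1234)  Some other sguild message that is not an alert
2016-08-05 10:23:35 pid(1234)  Alert Received: 0 2 policy-violation so-eth1-1 {2016-08-05 10:23:34} 3 4003 {ET POLICY Example Two} 10.0.0.12 192.0.2.8 17 53001 53
"""

# ASSUMED field order; the braces delimit the event time and the rule message.
ALERT_RE = re.compile(
    r"Alert Received: (?P<status>\d+) (?P<priority>\d+) (?P<classtype>\S+) (?P<sensor>\S+) "
    r"\{(?P<event_time>[^}]*)\} (?P<sensor_id>\d+) (?P<cid>\d+) \{(?P<msg>[^}]*)\} "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_alert(line: str) -> Optional[dict]:
    """Return the alert fields as a dict, or None for lines that are not alerts."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    alert = m.groupdict()
    alert["priority"] = int(alert["priority"])
    return alert

# The "second layer" of rules Kevin describes: evaluated top to bottom, first match
# decides the administrative action. Thresholds here are placeholders to tune per site.
RULES: List[Tuple[str, Callable[[dict], bool]]] = [
    ("page", lambda a: a["priority"] == 1 and a["classtype"] in {"trojan-activity", "successful-admin"}),
    ("email", lambda a: a["priority"] <= 2),
]

def evaluate(alert: dict) -> Optional[str]:
    """Return the action name for the first matching rule, or None if nothing applies."""
    for action, predicate in RULES:
        if predicate(alert):
            return action
    return None

def build_payload(alert: dict, action: str) -> dict:
    """Shape the fields the original poster asked for (priority, classtype, source IP) into JSON."""
    keys = ("priority", "classtype", "src_ip", "dst_ip", "msg", "event_time", "sensor")
    payload = {k: alert[k] for k in keys}
    payload["action"] = action
    return payload

def post_alert(url: str, payload: dict, timeout: float = 5.0) -> int:
    """POST the payload as JSON to the (placeholder) endpoint; returns the HTTP status."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status

def handle_line(line: str, dispatch: Callable[[str, dict], None]) -> Optional[Tuple[str, str]]:
    """Parse -> rule layer -> dispatch. Returns (action, src_ip) if an action fired."""
    alert = parse_alert(line)
    if alert is None:
        return None
    action = evaluate(alert)
    if action is None:
        return None
    dispatch(action, build_payload(alert, action))
    return action, alert["src_ip"]

def process_stream(lines, dispatch: Callable[[str, dict], None]) -> List[Tuple[str, str]]:
    """Run a finite batch of lines (e.g. a replayed log) and list the actions taken."""
    return [r for r in (handle_line(ln, dispatch) for ln in lines) if r is not None]

def follow(path: str, poll: float = 0.5) -> Iterator[str]:
    """Yield lines appended to path from now on, like `tail -f` (no rotation handling)."""
    with open(path, "r", errors="replace") as fh:
        fh.seek(0, 2)  # start at end: only new alerts count as "real time"
        while True:
            line = fh.readline()
            if not line:
                time.sleep(poll)
                continue
            yield line.rstrip("\n")

if __name__ == "__main__":
    log_path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/nsm/securityonion/sguild.log"
    endpoint = sys.argv[2] if len(sys.argv) > 2 else "http://127.0.0.1:8080/alerts"  # placeholder URL
    for raw in follow(log_path):
        handle_line(raw, lambda action, payload: post_alert(endpoint, payload))
```

Run it as `python3 watch_sguild.py /var/log/nsm/securityonion/sguild.log https://your-server/endpoint` under a service manager so it restarts, and replay a slice of the log through `process_stream` first to see which rules fire. Keeping the rule predicates in one list is what makes the "another layer of rules" idea manageable: site-specific exceptions go there rather than into the parser.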

Scorellis

Aug 5, 2016, 3:35:21 PM
to security-onion

I think you might want Source and Destination... every time an alert gets created it inserts a new row into the securityOnion_db. You could easily get the information you are looking for from there (event table).