-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
--On August 29, 2007 14:54:38 -0700 Eric Cables <[EMAIL PROTECTED]> wrote:
| Other than writing a separate script that runs nfdump & pipes the output
| into an e-mail, is it possible to provide details on who, or what, triggered
| an alert?
|
| For example, if an alert matches based on a certain port number, why not
| send the pertinent information in the alert e-mail sent by NfSen?
|
| Here's what I get when an alert that matches tcp/6660-6667 is hit:
|
| "Alert 'IRC' triggered at timeslot 200708291445"
|
| It would be useful to show the flow that triggered that alert in the e-mail.
This is not always possible, and depends on the condition you have set. In your
example this would be easy, but there are possible conditions where it's not:
assume a condition which triggers when the number of flows is 10% more than the
hourly average. There are no specific flows causing the alert.
Anyway, I put it on the todo list to see what's further possible.
- Peter
|
| --
| Eric Cables
--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
iQCVAwUBRveb7/5AbZRALNr/AQLLBAP+NpkIy4d8PFJlthOI0K/jScZL4nnj0rIT
ei5kLyIc48q5OTdKkFtB8VHxtHSX8w7yYi5azpomsPmzxW1zuHLQtjPrOR6qR7tN
+3hUnrJu+VhMCUfgDmPsHxpf+DO6OBaoKvc8cwyRnXVPqlL7gVyHzrgOIrgnG6wn
BlSRppsMatc=
=aze0
-----END PGP SIGNATURE-----
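The distinction Peter draws above, worked through as an added example (this is illustrative code, not NfSen's own alerting or plugin code). It models two kinds of alert conditions over a constructed set of flow records for one timeslot: a per-flow filter such as the tcp/6660-6667 match, where every matching flow can be listed in the mail, and an aggregate condition such as "flow count 10% above the hourly average", where no individual flow is the cause and only the statistic can be reported. The `Flow` type, the sample records, the `hourly_avg_count` parameter and the mail format are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record as an alerting plugin might see it (assumed shape)."""
    ts: str       # timeslot the record belongs to, e.g. "200708291445"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    bytes: int


# Constructed sample flows for a single 5-minute timeslot (not real traffic).
SAMPLE_FLOWS = [
    Flow("200708291445", "tcp", "192.0.2.10", 51234, "198.51.100.5", 6667, 1500),
    Flow("200708291445", "tcp", "192.0.2.11", 40000, "198.51.100.7", 80, 8000),
    Flow("200708291445", "udp", "192.0.2.12", 53000, "198.51.100.9", 53, 120),
    Flow("200708291445", "tcp", "192.0.2.13", 45000, "198.51.100.5", 6660, 900),
]

IRC_PORTS = range(6660, 6668)  # tcp/6660-6667 as in the original alert


def irc_filter(flow: Flow) -> bool:
    """Per-flow predicate: the condition can be evaluated on each record alone."""
    return flow.proto == "tcp" and (flow.sport in IRC_PORTS or flow.dport in IRC_PORTS)


def per_flow_alert(name, flows, predicate):
    """Filter-type condition.

    Each matching flow is direct evidence, so the alert can carry the exact
    records that triggered it. Returns None when nothing matched.
    """
    hits = [f for f in flows if predicate(f)]
    if not hits:
        return None
    return {"alert": name, "timeslot": hits[0].ts, "flows": hits}


def volume_alert(name, flows, hourly_avg_count, threshold=0.10):
    """Aggregate condition: fires when the timeslot's flow count exceeds the
    hourly average by more than `threshold` (10% by default).

    No single record is responsible, so the most the mail can report is the
    statistic that crossed the line, not a list of flows.
    """
    count = len(flows)
    if count <= hourly_avg_count * (1 + threshold):
        return None
    return {
        "alert": name,
        "timeslot": flows[0].ts,
        "count": count,
        "hourly_avg": hourly_avg_count,
    }


def format_mail(alert) -> str:
    """Build the mail body; the first line matches the format NfSen sends today."""
    lines = [f"Alert '{alert['alert']}' triggered at timeslot {alert['timeslot']}"]
    if "flows" in alert:
        for f in alert["flows"]:
            lines.append(f"  {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport} {f.bytes} bytes")
    else:
        lines.append(
            f"  flows in timeslot: {alert['count']} "
            f"(hourly average {alert['hourly_avg']}, threshold +10%)"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_mail(per_flow_alert("IRC", SAMPLE_FLOWS, irc_filter)))
    print(format_mail(volume_alert("Volume", SAMPLE_FLOWS, hourly_avg_count=3)))
```

Running the block prints the IRC alert with its two matching flows listed under the familiar "Alert 'IRC' triggered at timeslot ..." line, while the volume alert can only state the count and the average it was compared against. The split is the decision point for the feature Eric asks about: filter-type conditions can be enriched by re-running the filter over the timeslot's data, aggregate conditions cannot.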
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss