<html><body><div id="zimbraEditorContainer" style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000" class="3"><div>This _might_ help. Sagan, which is a log analysis engine, has the option to "email" based on logs triggered. If you already know how to configure Suricata, then Sagan isn't likely to scare you. :)</div><div><br></div><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><b>From: </b>"Jeff Dyke" <jeff.dyke@gmail.com><br><b>To: </b>"erik clark" <philosnef@gmail.com><br><b>Cc: </b>"oisf-users" <oisf-users@lists.openinfosecfoundation.org><br><b>Sent: </b>Wednesday, March 28, 2018 8:30:28 AM<br><b>Subject: </b>Re: [Oisf-users] alerting on alerts<br></div><br><div data-marker="__QUOTED_TEXT__"><div dir="ltr">Again, not applicable if you're not using AWS, but we have a Lambda that runs based on a CW alert, which grabs the last N log lines and sends them in an email to our team, in pretty-printed JSON format, so it's pretty much instant. That project does look helpful; kind of wish it supported CW.</div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 28, 2018 at 7:52 AM, erik clark <span dir="ltr"><<a href="mailto:philosnef@gmail.com" target="_blank">philosnef@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Jeff, we have about 5Mb/s burst (yes, our sustained is far lower than 5Mb/s). We have a really narrow target list in the network, since it sits behind an OpenVPN tunnel, so the alerts we would see would not be very many, and we would want to send an email for them so someone knows to go look at Kibana, I suppose.
I found elastalert (<a href="https://github.com/Yelp/elastalert" target="_blank">https://github.com/Yelp/elastalert</a>), which seems like it might do?<br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 27, 2018 at 5:12 PM, Jeff Dyke <span dir="ltr"><<a href="mailto:jeff.dyke@gmail.com" target="_blank">jeff.dyke@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">What does your stack look like? If Amazon, I have alerts coming out of CloudWatch based on metric filters. Given my blocking rules, these don't trigger often except to tell me a block has occurred, but if you're using AWS, CloudWatch is better than setting up an ELK stack, which you can also do in AWS. What Travis pasted is basically my rules for CloudWatch.</div><div class="m_-2590857547160456432HOEnZb"><div class="m_-2590857547160456432h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 27, 2018 at 2:04 PM, Travis Green <span dir="ltr"><<a href="mailto:travis@travisgreen.net" target="_blank">travis@travisgreen.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Erik, have you considered something like an hourly cron job to diff fast.log since the last run, then email any new lines? Might not be the most robust solution, but it will probably get you by while you figure something better out.
<br><div>Here's an example: <a href="https://pastebin.com/YaQv0mzJ" target="_blank">https://pastebin.com/YaQv0mzJ</a></div><br><div>Hope that helps,</div><div><div>-Travis</div></div></div><div class="gmail_extra"><br><div class="gmail_quote"><span>On Tue, Mar 27, 2018 at 6:53 AM, erik clark <span dir="ltr"><<a href="mailto:philosnef@gmail.com" target="_blank">philosnef@gmail.com</a>></span> wrote:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span><div dir="ltr">I am trying to find an effective way to alert on critical signatures when they find it, preferably by email. What tools can be used to do this? We don't have a security team for this, so it has to be pretty straightforward. If needed, I can set up an ELK stack to handle this, assuming emails can be sent like Splunk. The easier this is to do and manage, the better. :) Thank you for your input!</div>
<br></span>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a><span class="m_-2590857547160456432m_-3165231672198286677HOEnZb"><span color="#888888" data-mce-style="color: #888888;" style="color: #888888;"><br></span></span></blockquote></div><span class="m_-2590857547160456432m_-3165231672198286677HOEnZb"><span color="#888888" data-mce-style="color: #888888;" style="color: #888888;"><br><br clear="all"><br>-- <br><div class="m_-2590857547160456432m_-3165231672198286677m_-7834124730212774349gmail_signature">PGP: ABE625E6<br><a href="http://keybase.io/travisbgreen" target="_blank">keybase.io/travisbgreen</a></div>
</span></span></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></body></html>