[Oisf-users] alerting on alerts

erik clark philosnef at gmail.com
Wed Mar 28 11:52:43 UTC 2018

Jeff, we have about 5Mb/s burst (yes, our sustained is far lower than
5Mb/s). We have a really narrow target list in the network, since it sits
behind an openvpn tunnel, so the alerts we would see would not be very
many, and we would want to send an email for them so someone knows to go
look at Kibana I suppose. I found elastalert (
https://github.com/Yelp/elastalert) which seems like it might do?

On Tue, Mar 27, 2018 at 5:12 PM, Jeff Dyke <jeff.dyke at gmail.com> wrote:

> What does your stack look like? If Amazon, I have alerts coming out of
> CloudWatch based on metric filters.  Given my blocking rules, these don't
> trigger often except to tell me a block has occurred, but if you're using
> AWS, CloudWatch is better than setting up an ELK stack, which you can also
> do in AWS.  What Travis pasted is basically my rules for CloudWatch.
> On Tue, Mar 27, 2018 at 2:04 PM, Travis Green <travis at travisgreen.net>
> wrote:
>> Erik, have you considered something like an hourly cron job to diff
>> fast.log since last run, then email any new lines? Might not be the most
>> robust solution but will probably get you by while you figure something
>> better out.
>> Here's an example: https://pastebin.com/YaQv0mzJ
>> Hope that helps,
>> -Travis
>> On Tue, Mar 27, 2018 at 6:53 AM, erik clark <philosnef at gmail.com> wrote:
>>> I am trying to find an effective way to alert on critical signatures
>>> when they find it, preferably by email. What tools can be used to do this?
>>> We don't have a security team for this, so it has to be pretty straight
>>> forward. If needed, I can set up an ELK stack to handle this, assuming
>>> emails can be sent like Splunk. The easiest way to do and manage this, the
>>> better. :) Thank you for your input!
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Conference: https://suricon.net
>>> Trainings: https://suricata-ids.org/training/
>> --
>> PGP: ABE625E6
>> keybase.io/travisbgreen
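Travis's hourly cron-and-diff approach, written out as an added example. This is not the pastebin script linked in the thread and not Suricata project code; the log and state paths, the recipient address, delivery through a sendmail(8)-compatible binary, and the sample alert lines are assumptions for illustration (the sample lines are constructed, with sids from the local-rules range, not real traffic). It tracks a byte offset rather than diffing the whole file each run, restarts from the beginning when fast.log has been rotated, and keeps only [Priority: 1] and [Priority: 2] lines so low-priority decoder events do not page anyone.

```shell
#!/bin/sh
# Added example, not the thread's pastebin script: run hourly from cron and
# mail the fast.log lines appended since the previous run.
# Assumed paths and recipient (override through the environment).
FAST_LOG="${FAST_LOG:-/var/log/suricata/fast.log}"
STATE_DIR="${STATE_DIR:-/var/lib/suricata-alertmail}"
MAIL_TO="${MAIL_TO:-secops@example.com}"
MAX_PRIORITY="${MAX_PRIORITY:-2}"   # mail [Priority: 1] and [Priority: 2] only

# Constructed fast.log lines (not real traffic; sids 9000001/9000002 are in the
# local-rules range) for exercising the functions below.
SAMPLE_LINES='03/27/2018-10:15:02.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.8.0.5:80 -> 10.8.0.22:51234
03/27/2018-10:16:10.000001  [**] [1:9000001:1] LOCAL example informational event [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.8.0.9:443 -> 10.8.0.22:51240
03/27/2018-10:17:45.654321  [**] [1:9000002:1] LOCAL example admin shell on vpn host [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.8.0.5:4444 -> 10.8.0.22:51300'
EXTRA_LINE='03/27/2018-11:02:00.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.8.0.5:80 -> 10.8.0.31:40022'

# new_alert_lines LOG STATEFILE
# Print the bytes appended to LOG since the offset recorded in STATEFILE, then
# record the current size. A byte offset beats diffing the whole file every
# hour; if LOG is now smaller than the offset it was rotated, so restart at 0.
new_alert_lines() {
    log=$1; state=$2
    size=$(wc -c < "$log" | tr -d ' ')
    last=0
    if [ -r "$state" ]; then
        last=$(cat "$state")
    fi
    case $last in ''|*[!0-9]*) last=0 ;; esac   # corrupt state file: resend all
    if [ "$last" -gt "$size" ]; then
        last=0
    fi
    if [ "$last" -lt "$size" ]; then
        tail -c +"$((last + 1))" "$log" | head -c "$((size - last))"
    fi
    printf '%s\n' "$size" > "$state"
}

# interesting_alerts MAX_PRIORITY
# Filter stdin to fast.log lines whose [Priority: N] satisfies N <= MAX_PRIORITY
# (1 is the most severe). Lines without a priority field are dropped.
interesting_alerts() {
    awk -v max="$1" 'match($0, /\[Priority: [0-9]+\]/) {
        if (substr($0, RSTART + 11, RLENGTH - 12) + 0 <= max) print
    }'
}

# send_report RECIPIENT SUBJECT < body
# Hand the message to the local MTA; assumes a sendmail(8)-compatible binary.
send_report() {
    {
        printf 'To: %s\nSubject: %s\n\n' "$1" "$2"
        cat
    } | sendmail -t
}

main() {
    mkdir -p "$STATE_DIR"
    body=$(new_alert_lines "$FAST_LOG" "$STATE_DIR/fast.log.offset" \
           | interesting_alerts "$MAX_PRIORITY")
    [ -n "$body" ] || return 0
    count=$(printf '%s\n' "$body" | wc -l | tr -d ' ')
    printf '%s\n' "$body" \
        | send_report "$MAIL_TO" "[suricata] $count new alert(s) on $(hostname)"
}

# Only act when invoked with "run", so the file can also be sourced for testing:
#   0 * * * *  /usr/local/bin/suricata-alertmail.sh run
if [ "${1-}" = "run" ]; then
    main
fi
```

Install the script, make the state directory writable by the cron user, and add the crontab line from the last comment. Two caveats: there is no locking, so keep the interval well above the time a run takes, and if Suricata happens to be mid-write when the size is sampled the last line can arrive split across two mails. For anything beyond "get by for now", the same offset logic applied to eve.json gives structured fields (severity, signature_id, flow tuple) to filter on instead of a regex over fast.log.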
