Snort mailing list archives
RE: How can I setup Snort to e-mail alerts?
From: "Mark W. Davis" <mwd () netvisage net>
Date: Fri, 22 Jun 2001 12:13:35 -0700
I use logcheck to parse syslog files and e-mail the results. I also hacked up a Perl script that appends to the logcheck output the IP address, port, protocol, and number of attempts per IP address per port. Here is the relevant section of logcheck and the Perl hack:

-------------------------------------------------------------------
...
# run parser on the report
if [ -f "$TMPDIR/checkreport.$$" ]; then
    # scratch file lives in logcheck's own TMPDIR rather than under a
    # predictable name in world-writable /tmp
    /usr/local/hacks/myparse "$TMPDIR/checkreport.$$" > "$TMPDIR/myparse.$$"
    if [ -s "$TMPDIR/myparse.$$" ]; then
        cat "$TMPDIR/myparse.$$" >> "$TMPDIR/checkreport.$$"
    fi
    rm -f "$TMPDIR/myparse.$$"
fi
# If there are results, mail them to sysadmin
...
-------------------------------------------------------------------
#!/usr/bin/perl
# myparse - append to logcheck output the name lookup, tries, and protocols
# of firewall violators.
#
# logcheck output has been modified to NOT LOG firewall DENYs in its
# Security Violations section. The DENYs are still logged in the
# Unusual Events section. This script parses the Unusual Events section
# of logcheck's output (see the UNK hack).
#
# mwd - mwd () speakeasy org
#
use strict;
use warnings;
use Socket;

my %seen      = ();   # "proto|src:port|dst:port" => number of log lines (tries)
my %services  = ();   # port number => service name, from /etc/services
my %hostnames = ();   # address => reverse-lookup name (successful lookups only)
my %protocols = (
    0  => "IP",
    1  => "ICMP",
    2  => "IGMP",
    3  => "GGP",
    6  => "TCP",
    12 => "PUP",
    17 => "UDP",
);

# Filled in per row for the STDOUT format at the bottom of the file.
our ($shostname, $saddr, $sportname, $dhostname, $dportname, $value, $tol);

print "\n\n";

# added mysql check to restart snort if it cannot log
# to the database. I think that the problem is wait_timeouts from the
# db server.
my $mydead = 0;

# Hack to just parse the Unusual events section
my $UNK = 0;

while (<>) {
    # search for string 'MySQL server has gone away'
    $mydead = 1 if $mydead == 0 && /server has gone away/;

    # need to add other UNKS for web log, etc...
    $UNK = 1 if /Unusual/;
    next unless $UNK;

    # might want to add REJECT also
    next unless /DENY/ || /ACCEPT/;

    # ipchains packet log line: "... PROTO=6 1.2.3.4:1234 5.6.7.8:80 ..."
    if (/PROTO=(\d+).*?(\d+\.\d+\.\d+\.\d+:\d{1,5})\s+(\d+\.\d+\.\d+\.\d+:\d{1,5})/) {
        $seen{"$1|$2|$3"}++;
    }
}

# Restart snort daemon if database times out
if ($mydead) {
    system("/etc/rc.d/init.d/snortd restart >/dev/null");
}

if (keys %seen) {
    # open services file and snarf items
    open(my $svc, "<", "/etc/services")
        or die "Can't open /etc/services for reading: $!\n";
    while (<$svc>) {
        next if /^#|^\s/;                   # comments and blank lines
        my ($servname, $tmp_port) = split;
        next unless defined $tmp_port;
        my ($port, $protname) = split /\//, $tmp_port;
        $services{$port} = $servname;       # tcp/udp entries share the name
    }
    close $svc;

    foreach my $key (keys %seen) {
        $value = $seen{$key};
        my ($prt, $src, $dest) = split /\|/, $key;
        my ($sport, $daddr, $dport);
        ($saddr, $sport) = split /:/, $src;
        ($daddr, $dport) = split /:/, $dest;
        $shostname = gethname($saddr);
        $dhostname = gethname($daddr);
        $sportname = getpname($sport);
        $dportname = getpname($dport);
        $tol = $protocols{$prt} || $prt;    # bare number if not in the table
        write;
    }

    print "\n\n\nAddress to Host Translations\n----------------------------\n\n";
    foreach my $key (keys %hostnames) {
        print "$key\t\t$hostnames{$key}\n";
    }
}
exit;

# Reverse lookup of an address, cached; falls back to the address itself.
# Note that this queries the reverse DNS for every remote address in the
# report, so it can be slow and is observable by the remote side.
sub gethname {
    my $host = $_[0];
    return $hostnames{$host} if exists $hostnames{$host};
    my $name = gethostbyaddr(inet_aton($host), AF_INET);
    if (defined $name) {
        $hostnames{$host} = $name;
        return $name;
    }
    return $host;
}

# Port number to service name; "UNPRIV" when /etc/services has no entry.
sub getpname {
    my $pnum = $_[0];
    return exists $services{$pnum} ? $services{$pnum} : "UNPRIV";
}

format STDOUT_TOP =
Translation             Source address   Port        Destination address  Port        Tries Protocol
-----------------------------------------------------------------------------------------------------
.

format STDOUT =
@<<<<<<<<<<<<<<<<<<<<<< @<<<<<<<<<<<<<<< @<<<<<<<<<< @<<<<<<<<<<<<<<<<<<< @<<<<<<<<<< @|||| @||||
$shostname,             $saddr,          $sportname, $dhostname,          $dportname, $value, $tol
.
-------------------------------------------------------------------
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Yom, Francis
Sent: Thursday, June 21, 2001 7:22 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] How can I setup Snort to e-mail alerts?

Greetings,

I would like to know how, if it is possible, to set up snort to e-mail alerts to an administrator.

Thanks in advance,

Francis

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
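Added example, not code from the post above and not part of logcheck or Snort: the same aggregation the Perl hack performs (gate on the "Unusual" section, pull PROTO/src:port/dst:port out of ipchains DENY lines, count tries per tuple, label ports and protocols, flag the MySQL "server has gone away" message) written in Python so it can be run offline against a constructed report. SAMPLE_REPORT, parse_report, summarize, render, the log lines and the 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 addresses are all made up for this illustration. The services table is passed in instead of being read from /etc/services, no reverse DNS is done unless a resolver is supplied, and the snortd restart is reported to the caller rather than executed.

```python
import re
import socket
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# Constructed logcheck report (not real traffic).  The "Packet log" lines are
# ipchains syslog entries of the shape the Perl hack matches; the last line is
# Snort's MySQL output plugin losing its connection.  The DENY under
# "Security Violations" is there to show the section gate: it must NOT count.
SAMPLE_REPORT = """\
Security Violations
=-=-=-=-=-=-=-=-=-=
Jun 22 11:01:00 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:55555 192.0.2.10:23 L=60 S=0x00 I=7 F=0x4000 T=48 SYN (#11)
Jun 22 11:02:01 fw sshd[1234]: Failed password for root from 203.0.113.9

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jun 22 11:03:10 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.23:4242 192.0.2.10:22 L=60 S=0x00 I=1 F=0x4000 T=48 SYN (#11)
Jun 22 11:03:11 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.23:4242 192.0.2.10:22 L=60 S=0x00 I=2 F=0x4000 T=48 SYN (#11)
Jun 22 11:03:15 fw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.23:1026 192.0.2.10:137 L=78 S=0x00 I=3 F=0x0000 T=48 (#12)
Jun 22 11:04:00 fw kernel: Packet log: input DENY eth0 PROTO=1 203.0.113.77:8 192.0.2.10:0 L=84 S=0x00 I=4 F=0x0000 T=240 (#9)
Jun 22 11:05:30 fw snort[2211]: database: mysql_error: MySQL server has gone away
"""

# Same protocol-number table the Perl script carries.
PROTOCOLS = {0: "IP", 1: "ICMP", 2: "IGMP", 3: "GGP", 6: "TCP", 12: "PUP", 17: "UDP"}

# ipchains packet log: "... PROTO=<n> <src>:<sport> <dst>:<dport> ..."
PACKET_RE = re.compile(
    r"PROTO=(?P<proto>\d+)\s+"
    r"(?P<saddr>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d{1,5})\s+"
    r"(?P<daddr>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d{1,5})"
)

Key = Tuple[str, str, int, str, int]  # (proto, saddr, sport, daddr, dport)


def parse_report(text: str) -> Tuple[Counter, bool]:
    """Count DENY/ACCEPT packet-log lines found below the 'Unusual' heading.

    Returns (tries per proto/src/sport/dst/dport tuple, db_dead).  db_dead is
    True when Snort's 'server has gone away' message is present; the Perl hack
    restarts snortd on that, this version leaves the decision to the caller.
    """
    counts: Counter = Counter()
    in_unusual = False
    db_dead = False
    for line in text.splitlines():
        if "server has gone away" in line:
            db_dead = True
        if "Unusual" in line:            # the $UNK gate from the Perl script
            in_unusual = True
        if not in_unusual or not ("DENY" in line or "ACCEPT" in line):
            continue
        m = PACKET_RE.search(line)
        if m is None:
            continue
        proto_num = int(m.group("proto"))
        key: Key = (PROTOCOLS.get(proto_num, str(proto_num)),
                    m.group("saddr"), int(m.group("sport")),
                    m.group("daddr"), int(m.group("dport")))
        counts[key] += 1
    return counts, db_dead


def service_name(port: int, proto: str,
                 services: Optional[Dict[int, str]] = None) -> str:
    """Port -> service name, 'UNPRIV' when unknown (the Perl script's label).

    With services=None the lookup uses socket.getservbyport, i.e. the host's
    /etc/services; pass a dict to keep the run deterministic and offline.
    """
    if services is not None:
        return services.get(port, "UNPRIV")
    try:
        return socket.getservbyport(port, proto.lower())
    except (OSError, OverflowError):     # no entry, ICMP type/code, port 0
        return "UNPRIV"


def summarize(counts: Counter, services: Optional[Dict[int, str]] = None,
              resolver: Callable[[str], str] = lambda ip: ip) -> List[dict]:
    """One row per tuple, busiest first.  resolver maps address -> name.

    The default resolver is the identity, so nothing touches the network.
    The Perl hack's gethostbyaddr does a reverse lookup of every address in
    the report, which is slow on a big report and visible to whoever serves
    the remote side's reverse DNS.
    """
    rows = []
    for (proto, saddr, sport, daddr, dport), tries in counts.most_common():
        rows.append({
            "src": resolver(saddr), "saddr": saddr,
            "sport": service_name(sport, proto, services),
            "dst": resolver(daddr), "daddr": daddr,
            "dport": service_name(dport, proto, services),
            "tries": tries, "proto": proto,
        })
    return rows


def render(rows: List[dict]) -> str:
    """Fixed-width table in the spirit of the Perl format block."""
    fmt = "{:<18}{:<16}{:<12}{:<18}{:<16}{:<12}{:>5}  {:<5}"
    lines = [fmt.format("Source", "Src address", "Port", "Destination",
                        "Dst address", "Port", "Tries", "Proto")]
    lines.append("-" * len(lines[0]))
    for r in rows:
        lines.append(fmt.format(r["src"][:17], r["saddr"], r["sport"],
                                r["dst"][:17], r["daddr"], r["dport"],
                                str(r["tries"]), r["proto"]))
    return "\n".join(lines)


if __name__ == "__main__":
    found, dead = parse_report(SAMPLE_REPORT)
    print(render(summarize(found, services={22: "ssh", 137: "netbios-ns"})))
    if dead:
        print("\nSnort lost its MySQL connection; restart snortd")
```

To get the Perl hack's reverse names, pass `resolver=lambda ip: socket.gethostbyaddr(ip)[0]` (wrapped in a try/except for addresses without PTR records) and `services=None` to read the host's /etc/services; the defaults are chosen so the report can be generated from a box with no DNS at all, which is also the safer thing to do with addresses taken from firewall DENY lines.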
Current thread:
- How can I setup Snort to e-mail alerts? Yom, Francis (Jun 21)
- Re: How can I setup Snort to e-mail alerts? Ralf Hildebrandt (Jun 22)
- RE: How can I setup Snort to e-mail alerts? Mark W. Davis (Jun 22)
- <Possible follow-ups>
- Fwd: Re: How can I setup Snort to e-mail alerts? Tremaine Lea (Jun 22)
- RE: How can I setup Snort to e-mail alerts? Sheahan, Paul (PCLN-NW) (Jun 22)