Snort mailing list archives

swatch/snort config


From: "Edwin Pua" <edwin1118 () hotmail com>
Date: Wed, 23 Jan 2002 10:44:30 +0000

Hi Sandro,

I have installed the swatch rpm package and other perl dependent packages with no error. I've made some changes in /etc/swatch/swatch.conf based on your guideline.

 But I got an error message when I tried to run /usr/bin/swatch:

      swatch: cannot read /root/.swatchrc
      swatch: using default configuration of:
                 watchfor = /.*/
                 echo = random

btw, what is the purpose of swatch_old2newrc? Is this the program that runs the swatch.conf? Sorry for this because I am puzzled with the error message I got.

  Thanks for your help.

rgds,
Edwin


From: <sandro.poppi () wacker com>
To: <edwin1118 () hotmail com>
CC: <snort-users () lists sourceforge net>
Subject: AW: AW: (Snort-users) AW: (Snort-users) Newbie Question..
Date: Tue, 22 Jan 2002 12:15:00 +0100

Edwin,

as you can see in the original snort-check script it's intended to be run from within swatch. To send the actual /var/log/alert you'll have to use cat/tail or such (you surely don't want to send the whole file each time) instead of echo "$*" | mail ...

For exactly that reason I use swatch to send me alerts nearly in realtime (every minute). snort-check won't send any alerts without being triggered anyhow, that's where swatch comes into sight (see Configuring swatch in my HOWTO).

If you do see alerts but get no email (and you are using swatch or something else to trigger snort-check) take a look at your maillog or try root@localhost as a recipient.

HTH,
Sandro

>
> Hi Sandro,
>
>    So far there's no error in the program after changing it to #!/bin/bash and upon compiling it.
>
>    But it doesn't send the actual alert file. I mean, I did a simulation test using nmap to alert my snort box. But the snort-check program didn't send any email, though I've seen in the snort box using "tail -f /var/log/snort/alert" that there's some port scanning going on.
>
>    What will I edit or add in the snort-check program to email the actual alert files of snort in real time once attacks have been detected by the snort?
>
>    Thanks for your help.
>
> regards,
> Edwin
>
> >From: <sandro.poppi () wacker com>
> >To: <edwin1118 () hotmail com>
> >CC: <snort-users () lists sourceforge net>
> >Subject: AW: (Snort-users) AW: (Snort-users) Newbie Question..
> >Date: Mon, 21 Jan 2002 07:20:00 +0100
> >
> >I checked the modified program on RH 7.0 and 7.2 and it worked without error. The only thing I did was adding a # before the line "if a recipient file exists".
> >
> >Could you please be more specific if the error still exists? Please include the error message and line number. You may take a look on /bin/sh: if it does not point to /bin/bash then this may be the error. Replace #!/bin/sh with #!/bin/bash. I will fix this in the next version to be more specific.
> >
> >Ciao,
> >Sandro
> >
>

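The setup Sandro describes above (swatch matches a line in the alert file and triggers a script, which mails a tail of the file rather than only the matched line, to root@localhost first when debugging), as an added example that is not Sandro's snort-check script or any code from the original thread. The script name snort-mail, the log path, the 20-line context size and the function names are assumptions; the swatch rule in the comments uses swatch's `watchfor`/`exec`/`throttle` actions, where `$*` is the matched line.

```shell
#!/bin/sh
# Hypothetical swatch-driven alert mailer (assumed name: snort-mail).
# The matching rule lives in swatch's config; "$*" there is the matched line:
#   watchfor /\[\*\*\]/
#       exec "/usr/local/bin/snort-mail $*"
#       throttle 00:01:00
ALERT_LOG="${ALERT_LOG:-/var/log/snort/alert}"   # assumed path
RECIPIENT="${RECIPIENT:-root@localhost}"         # local recipient, easiest to debug
CONTEXT_LINES="${CONTEXT_LINES:-20}"             # tail size; never the whole file
MAILER="${MAILER:-mail}"                         # mail(1); overridable for testing

# Subject from the rule message between the "[**]" markers, e.g.
# "[**] [1:469:1] ICMP PING NMAP [**]" -> "snort alert: [1:469:1] ICMP PING NMAP"
alert_subject() {
    msg=$(printf '%s\n' "$1" | sed -n 's/.*\[\*\*\] *\(.*[^ ]\) *\[\*\*\].*/\1/p')
    printf 'snort alert: %s\n' "${msg:-unparsed alert}"
}

# Body: the triggering line, then the tail of the alert file for context.
alert_body() {
    printf 'Matched line: %s\n\n--- last %s lines of %s ---\n' \
        "$1" "$CONTEXT_LINES" "$ALERT_LOG"
    tail -n "$CONTEXT_LINES" "$ALERT_LOG"
}

# Pipe the body into the mailer; swatch's throttle keeps this to about one mail
# per minute per matched line, so a port scan does not become a mail flood.
send_alert() {
    alert_body "$*" | $MAILER -s "$(alert_subject "$*")" "$RECIPIENT"
}

# Only act when swatch passes a matched line; sourcing the file runs nothing.
if [ $# -gt 0 ]; then
    send_alert "$@"
fi
```

If no mail arrives, check the mail log on the box as Sandro suggests; the script itself only reports the mailer's exit status back to swatch.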
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net