Snort mailing list archives
Re: Can someone help me with a script to send my snort alerts to my email
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 13 Feb 2003 15:15:55 -0500
I use this kind of kludgy script (some paths changed for security reasons) as part of my daily cron to rotate my snort logs and email me the alerts as an email message.
Note: to be less race-condition prone, it would be better if the mail command was postponed until after snort is restarted and emailed me alert.1 instead. As it stands now, any alerts that occur after the email is sent, but before snort is killed/restarted will not appear in the emails (they will be in the files).
There's also a race-condition window between tarring the tcpdump files and rm'ing them. I suspect I can tell tar to unlink the files as it tars them, which would be much better as well.
It does depend on having /etc/start_snort.sh which is just a shell-script that invokes snort as a daemon with all the parameters I want. Since I chroot and setuid my snort, I have to kill it to restart it to avoid the infinitely-deep-chroot issue. You might not have to go to such extremes.
```sh
#!/bin/sh
SNORTLOGS=/var/log/snort

#mail the current alert file
mail -s "Snort: Alerts" snortreport@evi-inc.com < ${SNORTLOGS}/alert

#rotate alerts (oldest first so nothing is overwritten)
mv ${SNORTLOGS}/alert.3.gz ${SNORTLOGS}/alert.4.gz
mv ${SNORTLOGS}/alert.2.gz ${SNORTLOGS}/alert.3.gz
mv ${SNORTLOGS}/alert.1 ${SNORTLOGS}/alert.2
mv ${SNORTLOGS}/alert ${SNORTLOGS}/alert.1

#rotate tarballs of tcpdump captures
mv ${SNORTLOGS}/pkts.3.tar.gz ${SNORTLOGS}/pkts.4.tar.gz
mv ${SNORTLOGS}/pkts.2.tar.gz ${SNORTLOGS}/pkts.3.tar.gz
mv ${SNORTLOGS}/pkts.1.tar.gz ${SNORTLOGS}/pkts.2.tar.gz
mv ${SNORTLOGS}/pkts.tar.gz ${SNORTLOGS}/pkts.1.tar.gz

cd ${SNORTLOGS}

#make a new packets tarball
tar -cf pkts.tar tcpdump.log.*

#clear out the packets directories
rm -rf tcpdump.log.*

#first send existing snort SIGUSR1 signal to make it dump stats.
#then kill existing snort (if any)
PIDFILE=/var/run/snort_eth0.pid
if [ -f $PIDFILE ]; then
    PID_SNORT=`head -1 $PIDFILE`
    kill -USR1 $PID_SNORT
    kill $PID_SNORT
fi

#start a new snort
sh /etc/start_snort.sh

#compress the rotated logs (saved till end because this is processing intensive)
gzip -9 alert.2
gzip -9 portscan.log.2
gzip -9 log.2
gzip pkts.tar
```

At 11:12 AM 2/13/2003 -0800, Aaron Babalola wrote:
I'm using snort IDS for my thesis and I need a script to send my alerts to my email, it will help in so many ways. Thanks
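The reordering the reply suggests (rotate, restart snort, then mail alert.1) together with a rename-based replacement for the tar-then-rm window, written as an added example that is not the poster's script. It assumes POSIX sh, a tar that accepts -C, gzip, and that the caller supplies the snort restart command and the mail command so the rotation can be exercised without a running sensor.

```sh
#!/bin/sh
# Added example (not the original poster's script): the same rotation, but
# the mail goes out after snort has been restarted and reads alert.1, and
# captures are staged by rename instead of tar-then-rm. Assumes POSIX sh,
# tar -C and gzip.
#   $1 log directory   $2 command that restarts snort
#   $3 command that reads the alert text on stdin (e.g. mail -s ... addr)
rotate_snort_logs() (
    logs=$1; restart_cmd=$2; mail_cmd=$3
    cd "$logs" || exit 1          # body runs in a subshell, so cd is local

    # 1. Rotate alert files. rename(2) is atomic and snort keeps writing to
    #    the renamed inode until it is restarted, so no alert is lost here.
    for n in 3 2; do
        [ -f "alert.$n.gz" ] && mv "alert.$n.gz" "alert.$((n + 1)).gz"
    done
    [ -f alert.1 ] && mv alert.1 alert.2
    [ -f alert ] && mv alert alert.1

    # 2. Stage captures by rename instead of tar-then-rm: a capture written
    #    from now on keeps its own name and is never removed unarchived.
    rm -rf pkts.staging && mkdir pkts.staging
    for f in tcpdump.log.*; do
        [ -e "$f" ] && mv "$f" pkts.staging/
    done

    # 3. Restart snort so it opens a fresh alert file and capture file.
    eval "$restart_cmd" || exit 1

    # 4. Mail alert.1 only now: it holds everything logged up to the restart,
    #    including alerts that arrived while this script was running.
    if [ -s alert.1 ]; then
        eval "$mail_cmd" < alert.1 || exit 1
    fi

    # 5. Archive the staged captures; nothing writes to them any more.
    for n in 3 2 1; do
        [ -f "pkts.$n.tar.gz" ] && mv "pkts.$n.tar.gz" "pkts.$((n + 1)).tar.gz"
    done
    [ -f pkts.tar.gz ] && mv pkts.tar.gz pkts.1.tar.gz
    tar -cf pkts.tar -C pkts.staging . && rm -rf pkts.staging
    gzip -f pkts.tar

    # 6. Compress the rotated alert log last (CPU heavy, as in the original).
    if [ -f alert.2 ]; then gzip -9f alert.2; fi
    exit 0
)
```

Called from cron as `rotate_snort_logs /var/log/snort "sh /etc/start_snort.sh" "mail -s 'Snort: Alerts' you@example.com"`, it mails the rotated file that the restarted sensor no longer writes to.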