Snort mailing list archives

Re: Can someone help me with a script to send my snort alerts to my email


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 13 Feb 2003 15:15:55 -0500

I use this kind of kludgy script (some paths changed for security reasons) as part of my daily cron to rotate my snort logs and email me the alerts as an email message.

Note: to be less race-condition prone, it would be better if the mail command was postponed until after snort is restarted and emailed me alert.1 instead. As it stands now, any alerts that occur after the email is sent, but before snort is killed/restarted will not appear in the emails (they will be in the files).

There's also a race-condition window between tarring the tcpdump files and rm'ing them. I suspect I can tell tar to unlink the files as it tars them, which would be much better as well.

It does depend on having /etc/start_snort.sh, which is just a shell script that invokes snort as a daemon with all the parameters I want. Since I chroot and setuid my snort, I have to kill it to restart it to avoid the infinitely-deep-chroot issue. You might not have to go to such extremes.



################################
#!/bin/sh
SNORTLOGS=/var/log/snort

mail -s"Snort: Alerts" snortreport () evi-inc com < ${SNORTLOGS}/alert
#rotate alerts
mv ${SNORTLOGS}/alert.3.gz ${SNORTLOGS}/alert.4.gz
mv ${SNORTLOGS}/alert.2.gz ${SNORTLOGS}/alert.3.gz
mv ${SNORTLOGS}/alert.1 ${SNORTLOGS}/alert.2
mv ${SNORTLOGS}/alert ${SNORTLOGS}/alert.1

#rotate tarballs of tcpdump captures
mv ${SNORTLOGS}/pkts.3.tar.gz ${SNORTLOGS}/pkts.4.tar.gz
mv ${SNORTLOGS}/pkts.2.tar.gz ${SNORTLOGS}/pkts.3.tar.gz
mv ${SNORTLOGS}/pkts.1.tar.gz ${SNORTLOGS}/pkts.2.tar.gz
mv ${SNORTLOGS}/pkts.tar.gz ${SNORTLOGS}/pkts.1.tar.gz

cd ${SNORTLOGS}

#make a new packets tarball
tar -cf pkts.tar tcpdump.log.*

#clear out the packets directories
rm -rf tcpdump.log.*



#first send existing snort a SIGUSR1 signal to make it dump stats.
#then kill existing snort (if any)
PIDFILE=/var/run/snort_eth0.pid

if [ -f $PIDFILE ]; then
  PID_SNORT=`head -1 $PIDFILE`
  kill -USR1 $PID_SNORT
  kill $PID_SNORT
fi

#start a new snort
sh /etc/start_snort.sh

#compress the rotated logs (saved till end because this is processing intensive)
gzip -9 alert.2
gzip -9 portscan.log.2
gzip -9 log.2
gzip pkts.tar

At 11:12 AM 2/13/2003 -0800, Aaron Babalola wrote:

I'm using snort IDS for my thesis and I need a script to send my alerts to my email; it will help in so many ways.

Thanks
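The reordered rotation Matt describes in his note (rotate, restart snort, then mail alert.1, and let tar unlink the captures as it archives them), written out as an added example rather than his posted script. It assumes the same /var/log/snort layout and /var/run/snort_eth0.pid, the same hypothetical /etc/start_snort.sh start script, a placeholder mail address, and GNU tar for --remove-files (with a fallback to the tar-then-rm form on other tars).

```shell
#!/bin/sh
# Added example, not Matt's script: the same daily rotation with the two
# windows he mentions closed. Order is rotate -> restart snort -> mail alert.1,
# so anything logged up to the kill is in the file that gets mailed, and the
# captures are removed by tar as it stores them instead of by a later rm.
# Paths, the start script and the address are assumptions/placeholders.

SNORTLOGS=${SNORTLOGS:-/var/log/snort}
PIDFILE=${PIDFILE:-/var/run/snort_eth0.pid}
START_SNORT=${START_SNORT:-"sh /etc/start_snort.sh"}   # hypothetical, as in the post
MAILTO=${MAILTO:-"snortreport@example.invalid"}         # placeholder address

# rotate_snort_logs LOGDIR PIDFILE START_CMD MAIL_CMD
#   START_CMD and MAIL_CMD are shell snippets run with eval; MAIL_CMD reads
#   the alert text on stdin. The body is a subshell so the cd does not leak.
rotate_snort_logs() (
  logdir=$1; pidfile=$2; start_cmd=$3; mail_cmd=$4
  cd "$logdir" || exit 1

  # 1. Shift the alert series, oldest first so nothing is overwritten.
  #    alert.1 stays uncompressed: it is the file mailed after the restart.
  [ -e alert.3.gz ] && mv alert.3.gz alert.4.gz
  [ -e alert.2.gz ] && mv alert.2.gz alert.3.gz
  [ -e alert.1 ]    && mv alert.1    alert.2
  [ -e alert ]      && mv alert      alert.1

  # 2. Shift the packet tarball series the same way.
  [ -e pkts.3.tar.gz ] && mv pkts.3.tar.gz pkts.4.tar.gz
  [ -e pkts.2.tar.gz ] && mv pkts.2.tar.gz pkts.3.tar.gz
  [ -e pkts.1.tar.gz ] && mv pkts.1.tar.gz pkts.2.tar.gz
  [ -e pkts.tar.gz ]   && mv pkts.tar.gz   pkts.1.tar.gz

  # 3. Archive the captures. GNU tar's --remove-files unlinks each file as
  #    soon as it is stored, so there is no tar-then-rm gap; fall back to
  #    the old two-step form on a tar that lacks the option.
  set -- tcpdump.log.*
  if [ -e "$1" ]; then
    tar --remove-files -cf pkts.tar "$@" 2>/dev/null \
      || { tar -cf pkts.tar "$@" && rm -f "$@"; }
  fi

  # 4. Ask the running snort for its stats (SIGUSR1), then stop it.
  if [ -f "$pidfile" ]; then
    pid=$(head -1 "$pidfile")
    kill -USR1 "$pid" 2>/dev/null
    kill "$pid" 2>/dev/null
  fi

  # 5. Start the new snort; it opens a fresh 'alert'.
  eval "$start_cmd"

  # 6. Only now mail: alert.1 holds every alert written before the kill.
  [ -e alert.1 ] && eval "$mail_cmd" < alert.1

  # 7. Compress last (CPU-heavy); alert.1 is left plain for the next run.
  for f in alert.2 pkts.tar; do
    [ -e "$f" ] && gzip -9 "$f"
  done
  exit 0
)

# Run for real only when asked, e.g. from cron: sh rotate_snort.sh --run
if [ "${1:-}" = "--run" ]; then
  rotate_snort_logs "$SNORTLOGS" "$PIDFILE" "$START_SNORT" \
    "mail -s 'Snort: Alerts' $MAILTO"
fi
```

Because snort keeps writing to the renamed inode until it is killed, alert.1 ends up with everything logged before the restart, and the mail goes out only once the new process has opened a fresh alert file; the existence checks make the first run (with no older generations present) succeed instead of erroring on each missing file.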


