Snort mailing list archives
RE: E-mail alerting
From: "M Shirk" <shirkdog_linux () hotmail com>
Date: Mon, 13 Sep 2004 13:00:06 -0400
Swatch creates files for the user who is running swatch. So if you start swatch as root, it checks /root/.swatchrc for your configuration and creates the .script files.
Someone else could verify this but I think it compiles the perl script with your configuration options in the .swatchrc file.
The Global symbol error is a perl error, check your .swatchrc file and look for @page55, and check the actual Swatch script for this string. It may be a here document or some formatting that is messed up and being interpreted as code.
Shirkdog http://www.shirkdog.us
From: "Andy" <andy () page55 com>
To: "prabu" <prabu333 () hotpop com>, <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] E-mail alerting
Date: Sun, 12 Sep 2004 19:04:34 -0500

Hi Prabu,

Excellent post, it prompted me to check out swatch. I had to install the CPAN mods and the only thing different was that I had to install Time-HiRes-1.63 instead of Time-HiRes-1.59. They all installed ok.

I'm trying to get swatch to read the config file. I followed the directions, but I'm getting an error:

[root@tunes etc]# swatch --config-file=/etc/swatchrc.txt
Global symbol "@page55" requires explicit package name at /root/.swatch_script.3238 line 125.
Execution of /root/.swatch_script.3238 aborted due to compilation errors.

I put the config file in /etc and copied it exactly from below, except of course I inserted my own email address. Do you know what this error means? What is the meaning of the line:

/root/.swatch_script.3238 line 125.

(specifically the /root/ part.)

Thanks,
Drew

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of prabu
Sent: Saturday, September 04, 2004 12:30 AM
To: snort-users () lists sourceforge net; Carlos M Ospina
Subject: Re: [Snort-users] E-mail alerting

Hello Carlos,

You can use Swatch to get email alerts from Snort. Installing Swatch is child's play, very easy. I have given below the necessary steps to configure Swatch. Hope this will be useful. If you have any queries, you can write to me.

Prabu.S

########################################################################################################################

CONFIGURATION STEPS TO SEND SNORT ALERTS AS E-MAIL:

To receive Snort alerts as E-mail, one can follow these steps. Swatch is the widely used open source tool to enable E-mail alerts in Snort.

Swatch is a utility that monitors system log files, filters out unwanted data and takes specified actions (i.e., sending email, executing a script, etc.) based upon what it finds in the log files. So I have used Swatch to configure snort to send the alerts as E-mail.

NOTE: Here, it is considered that snort has already been installed on the host on which this is to be tested.

[a] Swatch installation:

Download the swatch package from http://sourceforge.net/project/showfiles.php?group_id=68627

To install, simply issue the following commands:

perl Makefile.PL
make
make test
make install
make realclean

Swatch installs just like a CPAN module. If you are not familiar with this process then you may want to read about it by issuing the command:

man ExtUtils::MakeMaker

Use the perldoc command if your man cannot find the document.

If you see messages like these:

Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.

then you need to install the CPAN module(s) that it doesn't find before you can use swatch. You can find these modules at http://search.cpan.org/. One must download the following perl modules from the site search.cpan.org:

1. Bit-Vector-6.3
2. Date-Calc-5.3
3. DateManip-5.42a
4. File-Tail-0.98
5. Time-HiRes-1.59
6. TimeDate-1.16

To install these perl modules, one can follow the same steps as said for Swatch. They are:

perl Makefile.PL
make
make test
make install
make realclean

The Swatch binary will be installed in the /opt/perl/bin/ directory.

Then create the swatch configuration file.

cat /etc/swatchrc.txt
==========================================================
# Swatch configuration file
#
#
# swatch -c /etc/swatchrc -t /var/log/snort/alert
#
### Snort Alerts
## Watch for entries containing the word 'Priority' in the snort alert file.
## Display it in green on the screen
## Mail alert to alerts () yourdomain com with subject of the email
## being "----Snort IDS Alert----"
## Log in file /var/log/IDS-scans
watchfor /Priority/
    echo green_h
    mail addresses=youruseraccount () yourdomain com,subject=--- Snort IDS Alert ---
    exec echo $0 >> /var/log/IDS-scans
============================================================

THE FINAL STEPS:

[a] Start Snort in NIDS mode:
#./snort -c /snort/iexpress/snort/etc/snort.conf -l /var/log/snort

[b] Start swatch:
cd /opt/perl/bin
#./swatch --config-file=/etc/swatchrc.txt

[c] Using Outlook Express: configure the User's POP3 account and you can receive the emails sent by Swatch for each alert, based on the pattern matching the "watchfor" entry.

########################################################################################################################

Cheers,
Prabu.S

----- Original Message -----
From: Carlos M Ospina
To: snort-users () lists sourceforge net
Sent: Friday, September 03, 2004 7:08 PM
Subject: [Snort-users] E-mail alerting

Is there any way to configure, with ACID, automatic alerts by e-mail? Is there any manual about that?

Thanks in advance.
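The compile error Andy quotes is what Perl's strict mode reports when an unescaped @ sits inside a double-quoted, interpolating string: "@page55" is read as an array name, which is why Shirk's advice to grep the swatchrc and the generated script for that token leads straight to the mail address. This added Perl snippet (not from the thread) reproduces the failure with a constructed address and shows the backslash-escaped form that survives interpolation; whether a given swatch release requires the escape inside swatchrc is something to confirm against its own documentation.

```perl
#!/usr/bin/perl
# Added illustration (not from the thread): how an unescaped '@' in a
# value pasted into a double-quoted Perl string produces
# 'Global symbol "@page55" requires explicit package name'.
use strict;
use warnings;

# Constructed sample addresses, standing in for the value given to
# 'mail addresses=...' in /etc/swatchrc.txt.
my %candidates = (
    'unescaped' => 'andy@page55.com',    # '@page55' will be taken as an array
    'escaped'   => 'andy\@page55.com',   # backslash keeps '@' literal
);

# Mimic a generator that writes a config value into a double-quoted string
# of a Perl script and then compiles that script under 'use strict'.
sub compile_with_address {
    my ($addr) = @_;
    my $code   = "use strict; my \$to = \"$addr\"; \$to;";
    my $result = eval $code;             # compile + run the generated line
    return (defined $result) ? ("ok", $result) : ("error", $@);
}

for my $label (sort keys %candidates) {
    my ($status, $detail) = compile_with_address($candidates{$label});
    if ($status eq 'ok') {
        print "$label: compiled, recipient is $detail\n";
    } else {
        print "$label: compile error: $detail";
    }
}
```

The unescaped case fails with the same message Andy saw (reported at an (eval N) location instead of /root/.swatch_script.3238), while the escaped case yields the intended recipient string.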
Current thread:
- RE: E-mail alerting Esler, Joel - Contractor (Sep 03)
- <Possible follow-ups>
- RE: E-mail alerting Harper, Patrick (Sep 03)
- Re: E-mail alerting Lyndon Tiu (Sep 03)
- RE: E-mail alerting M Shirk (Sep 13)
- RE: E-mail alerting Jose Maria Lopez (Sep 14)
- E-mail alerting Andy (Sep 19)