Snort mailing list archives

Re: automatically generate and email a daily report?


From: Martin Holste <mcholste () gmail com>
Date: Tue, 13 Dec 2011 11:09:58 -0600

If you're only processing the alerts, then Splunk personal edition
will almost certainly remain under 500 MB per day, which is the limit
of the free version.  If you really only want a printout, then do
something like what James is doing with a shell script as you're not
going to beat that for simplicity.  However, if you use Splunk, then
doing the drill-down becomes much easier.

Since you're not up for even Snorby, it's probably not for you, but my
ELSA log project is for industrial-strength searching/reporting which
would do what you want, albeit with a bit more setup.  I will lastly
point you to Security Onion, which is an ISO that will have you up and
running with Snort and Sguil (a solid interface for viewing Snort
alert data as well as session and other data) in minutes with minimal
configuration.

On Mon, Dec 12, 2011 at 3:23 PM, Lay, James <james.lay () wincofoods com> wrote:
-----Original Message-----
From: MLP SCADA [mailto:MLPSCADA () ci anchorage ak us]
Sent: Monday, December 12, 2011 1:38 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] automatically generate and email a daily
report?


Hey folks.

I've got snort/barnyard2 populating a mysql database.  I've got base
running as a front end.

What I'd like to do is automatically email a once-a-day summary of
the last 24 hours' unique alerts to the on-calls, similar to the unique
daily summary that base provides.

<snip>
What other options do folks use for a daily summary email to the
relevant folks?

Thanks!

I use the fast file as the method of finding alert types... then send
that yesterdaysalerts.txt to yourself and away you go.  I have this run
in a cron job at 11:59 and am greeted with a slick email at 8 am
every day with all the types of crud that happened the day before.
Season to taste for file locals... hope that helps.

James

#!/bin/bash
# Today's fast-log alerts: drop the timestamp and "[**]" fields, skip SHELLCODE
# noise, cut from "Priority" onward plus the dangling "[", keep unique lines.
sudo grep "$(date +%m/%d)" /var/log/all.fast \
  | awk '{ for (i = 3; i <= NF; i++) printf("%s ", $i); printf("\n") }' \
  | grep -v SHELLCODE | sed 's/Priority.*$//' | sed 's/\[$//' \
  | sort -u > yesterdaysalerts.txt



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

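An added example, not James's script and not code from the ELSA or Security Onion projects: a Python version of the same daily summary that parses Snort fast-format lines, keeps only the requested day (so an alert from 23:59 the day before is not double-counted), and reports each alert type with how often it fired and from how many distinct sources, rather than only listing it once. The log lines, SIDs and addresses below are constructed.

```python
import re

# Constructed sample of Snort "fast" alert output (not from the list post).
SAMPLE_FAST_LOG = """\
12/12-09:14:02.114013  [**] [1:1000001:2] LOCAL WEB id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.7:49152
12/12-09:20:45.002211  [**] [1:1000001:2] LOCAL WEB id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.9:50233
12/12-11:02:07.558102  [**] [1:1000002:1] LOCAL ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.22 -> 192.0.2.5
12/11-23:59:59.999999  [**] [1:1000002:1] LOCAL ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.23 -> 192.0.2.5
12/12-13:45:10.000001  [**] [1:1000003:1] LOCAL mDNS no classtype [**] [Priority: 0] {UDP} 192.0.2.44:5353 -> 224.0.0.251:5353
this line is not a fast-format alert and is skipped
"""

# One fast-format line: mm/dd-time, [**] [gid:sid:rev] msg [**], optional
# classification and priority, {proto} src -> dst (no ports for ICMP).
FAST_RE = re.compile(
    r"^(?P<mmdd>\d{2}/\d{2})-(?P<time>[\d:.]+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<pri>\d+)\]\s*)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def summarize(log_text, mmdd):
    """Aggregate one day's alerts by (gid, sid, rev, msg): count and distinct source hosts."""
    summary = {}
    for line in log_text.splitlines():
        m = FAST_RE.match(line)
        if not m or m["mmdd"] != mmdd:      # skip non-alert lines and other days
            continue
        key = (m["gid"], m["sid"], m["rev"], m["msg"])
        entry = summary.setdefault(key, {"count": 0, "sources": set(),
                                         "priority": m["pri"], "class": m["cls"]})
        entry["count"] += 1
        # TCP/UDP sources carry a port; ICMP sources do not.
        src = m["src"] if m["proto"] == "ICMP" else m["src"].rsplit(":", 1)[0]
        entry["sources"].add(src)
    return summary

def format_report(summary):
    """Render the summary as an e-mail body, most severe (lowest priority number) first."""
    def severity(item):
        pri = item[1]["priority"]
        return (int(pri) if pri and pri != "0" else 99, -item[1]["count"])  # 0 = unclassified
    lines = ["%-6s %-12s %-4s %s" % ("count", "gid:sid:rev", "pri", "signature (distinct sources)")]
    for (gid, sid, rev, msg), e in sorted(summary.items(), key=severity):
        lines.append("%-6d %-12s %-4s %s (%d src)" % (
            e["count"], "%s:%s:%s" % (gid, sid, rev), e["priority"] or "-", msg, len(e["sources"])))
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_FAST_LOG, "12/12")))
```

Feeding it the real file and yesterday's date from cron, and piping the output to mail, drops into the same 11:59 job James describes.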