IDS mailing list archives

Re: Snort & email


From: Bartosz Krajnik <bartek () bmk bz>
Date: Wed, 11 May 2005 09:24:19 +0200

On 04-05-2005 at 10:16:37AM -0500, Dan S Baxter wrote:

I'm setting up a Snort sensor in our environment and I am unable to
determine how I might get emailed on alerts.  I understand some are using
Swatch, but we are not logging to syslogs but rather to a mysql db.  What
are others doing in this case?

If I can't get it to alert me, it doesn't do me as much good, as I do not
have the time to watch it 24/7.


It's very easy to implement.
Log scans (portscan.log) to a FIFO file (man mkfifo).
Create a process to listen on this FIFO and to send you an e-mail notification
after an incident (I use a FIFO in the authfail daemon: www.bmk.bz/authfail).

So you get e-mail notifications in real time.

Best regards,
        Bartek.
--
If you want to verify the authenticity of my e-mail, visit www.keyserver.net
   to get my public key from there.
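The FIFO approach described in the reply, as an added example (not code from the post or from the authfail daemon): a small Python watcher that creates the FIFO Snort writes to, reads alert lines from it and mails each one. The FIFO path, sensor name, recipient address and SMTP host are assumptions, and the portscan line shown in the comments is constructed, not Snort's exact output format.

```python
"""Read Snort alert lines from a FIFO and hand each one to a notifier.
Assumes Snort is configured to write its portscan/alert output to FIFO_PATH
(an assumed path) and that a local MTA accepts mail on localhost:25."""
import os
import smtplib
import stat
from email.message import EmailMessage

FIFO_PATH = "/var/log/snort/alert.fifo"   # assumed path, adjust to your sensor

def ensure_fifo(path):
    """Create the FIFO if missing; refuse a regular file of the same name.
    Returns True when the FIFO was created, False when it already existed."""
    if os.path.exists(path):
        if not stat.S_ISFIFO(os.stat(path).st_mode):
            raise RuntimeError(f"{path} exists and is not a FIFO")
        return False
    os.mkfifo(path, 0o600)  # only the sensor user should read or write it
    return True

def build_alert(line, sensor="snort-sensor", recipient="secops@example.invalid"):
    """Wrap one alert line (e.g. the constructed
    '10.0.0.5 -> 10.0.0.9 (portscan) TCP Portscan') in an e-mail message."""
    msg = EmailMessage()
    msg["Subject"] = f"[{sensor}] Snort alert: {line.strip()[:60]}"
    msg["From"] = f"{sensor}@example.invalid"
    msg["To"] = recipient
    msg.set_content(line)
    return msg

def send_mail(msg, host="localhost", port=25):
    """Hand the message to the local MTA (assumed to listen on host:port)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.send_message(msg)

def watch_fifo(path, notify, max_events=None):
    """Block on the FIFO and call notify(line) for every non-empty line.
    Reopens the FIFO after the writer closes it, so a Snort restart does not
    kill the watcher. Returns the number of lines passed to notify."""
    seen = 0
    while max_events is None or seen < max_events:
        with open(path) as fifo:          # blocks until Snort opens it for writing
            for line in fifo:
                if line.strip():
                    notify(line)
                    seen += 1
                    if max_events is not None and seen >= max_events:
                        return seen
    return seen

if __name__ == "__main__":
    ensure_fifo(FIFO_PATH)
    watch_fifo(FIFO_PATH, lambda line: send_mail(build_alert(line)))
```

Start the watcher before Snort begins writing: a FIFO with no reader blocks the writer once the kernel pipe buffer fills, so a dead watcher can stall the sensor itself.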

