Snort mailing list archives

RE: How can I setup Snort to e-mail alerts?


From: "Mark W. Davis" <mwd () netvisage net>
Date: Fri, 22 Jun 2001 12:13:35 -0700

I use logcheck to parse syslog files and e-mail the results. I also
hacked up a perl script that appends to the logcheck output the IP 
address, port, protocol, and number of attempts per IP address per 
port. Here is the relevant section of logcheck and the perl hack:

-------------------------------------------------------------------
...

# run parser on the report
if [ -f "$TMPDIR/checkreport.$$" ]; then
  /usr/local/hacks/myparse $TMPDIR/checkreport.$$ > /tmp/myparse.$$
  if [ -s /tmp/myparse.$$ ];then
    cat /tmp/myparse.$$ >> $TMPDIR/checkreport.$$
  fi
  rm -f /tmp/myparse.$$
fi

# If there are results, mail them to sysadmin

...
-------------------------------------------------------------------



#!/usr/bin/perl
# myparse - append to logcheck output the name lookup, tries, and protocols
#           of firewall violators.
#
# logcheck output has been modified to NOT LOG firewall DENYs in its
# Security Violations section. The DENYs are still logged in the
# Unusual Events section. This script parses the Unusual Events section
# of logcheck's output (see the UNK hack).
#
# mwd - mwd () speakeasy org
#
#

use Socket;

@uniq = ();
%seen = ();
%services = ();
%hostnames = ();
sub getpname;
sub gethname;

%protocols = (
               0 => "IP",
               1 => "ICMP",
               2 => "IGMP",
               3 => "GGP",
               6 => "TCP",
               12 => "PUP",
               17 => "UDP"
              );

print "\n\n";

# added mysql check to restart snort if it cannot log
# to the database. I think that the problem is wait_timeouts from the
# db server.
#
$mydead = 0;
# Hack to just parse the Unusual events section
$UNK = 0;
while (<>) {
    # search for string 'MySQL server has gone away'
    if ($mydead == 0) {
        $mydead = 1 if (/server has gone away/);
    }

    # need to add other UNKS for web log, etc...
    $UNK = 1 if (/Unusual/);
    if ($UNK == 1) {
        # might want to add REJECT also
        if(/DENY/ || /ACCEPT/) { 
          if(/.*?PROTO=(\d+).*?(\d+\.\d+\.\d+\.\d+:\d{1,5})\s+(\d+\.\d+\.\d+\.\d+:\d{1,5}).*/) {
            my $temp = "$1|$2|$3";
            push(@uniq, $temp) unless $seen{$temp}++;
          }
        }
    }
}

# Restart snort daemon if database times out
if($mydead == 1) {
    system("/etc/rc.d/init.d/snortd restart >/dev/null");
}

if(keys(%seen)) {

  # open services file and snarf items
  open(WAK, "< /etc/services") or die "Can't open /etc/services for reading: $!\n";

  while(<WAK>) {
    if(!/^#|^\s/) {
      ($servname, $tmp_port, $description) = split;
      ($port, $protname) = split(/\//, $tmp_port);
      $services{$port} = $servname;
    }
  }

  foreach $key (keys %seen) {
    $value = $seen{$key};

    ($prt, $src, $dest) = split(/\|/, $key);
    ($saddr, $sport) = split(/:/, $src);
    ($daddr, $dport) = split(/:/, $dest);

    $shostname = gethname $saddr;
    $dhostname = gethname $daddr;
    $sportname = getpname $sport;
    $dportname = getpname $dport;
    $tol = $protocols{$prt};
    
    write;
    
  }

  print "\n\n\nAddress to Host Translations\n----------------------------\n";
  print "\n";
  foreach $key (keys %hostnames) {
      $value = $hostnames{$key};
      print "$key\t\t$value\n";
  }
}
exit;

sub gethname {
    my $host = $_[0];
    if(exists $hostnames{$host}) {
        $name = $hostnames{$host};
    } else {
        $name = gethostbyaddr(inet_aton($host), AF_INET) or $name = $host;
        $hostnames{$host} = $name unless $name eq $host;
    }
    return $name;
}

sub getpname {
    my $pnum = $_[0];
    if(exists $services{$pnum}) {
        $name = $services{$pnum};
    } else {
        $name = "UNPRIV";
    }
    return $name;
}

format STDOUT_TOP =
                                        
                                   Translation

Source address                       Port            Destination address  Port        Tries Protocol
-----------------------------------------------------------------------------------------------------
.
format =
@<<<<<<<<<<<<<<<<<<<<<< @<<<<<<<<<<<<<<< @<<<<<<<<<< @<<<<<<<<<<<<<<<<<<< @<<<<<<<<<< @|||| @||||
$shostname,             $saddr,          $sportname, $dhostname,          $dportname, $value, $tol
.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Yom, Francis
Sent: Thursday, June 21, 2001 7:22 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] How can I setup Snort to e-mail alerts?


Greetings,

I would like to know how, if it is possible, to set up snort to e-mail
alerts to an administrator.  

Thanks in advance,
Francis

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list


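As an added example (not Mark's script and not part of the original post), the same parse-and-tally step in Python over a constructed logcheck report, so the logic can be tried without a firewall: it keeps the original's gating on the "Unusual" header and the "server has gone away" check, but goes further by dropping the ephemeral source port from the key (so repeated probes of one service collapse into one row, which is what "attempts per IP address per port" intends) and by treating ICMP "ports" as type:code, which is what ipchains logs in those positions. Assumptions: the SERVICES table stands in for /etc/services, the log lines are constructed, and the gethostbyaddr lookups of the original are omitted so it runs offline.

```python
import re
from collections import Counter

PROTOCOLS = {0: "IP", 1: "ICMP", 2: "IGMP", 3: "GGP", 6: "TCP", 12: "PUP", 17: "UDP"}
SERVICES = {22: "ssh", 25: "smtp", 53: "domain", 80: "http"}  # constructed stand-in for /etc/services
# ipchains "Packet log" fields: PROTO=<n> <src>:<sport> <dst>:<dport>
PACKET_RE = re.compile(
    r"PROTO=(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d{1,5})\s+(\d+\.\d+\.\d+\.\d+):(\d{1,5})")

# Constructed logcheck report; the DENY lines mimic ipchains output (sample data, not real traffic).
SAMPLE_REPORT = """\
Security Violations
Jun 22 11:01:00 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:2000 192.0.2.10:80 L=60 S=0x00 I=0 F=0x4000 T=51 (#3)
Unusual System Events
Jun 22 11:02:17 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.7:4321 192.0.2.10:22 L=60 S=0x00 I=1 F=0x4000 T=51 (#3)
Jun 22 11:02:18 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.7:4322 192.0.2.10:22 L=60 S=0x00 I=2 F=0x4000 T=51 (#3)
Jun 22 11:02:19 fw kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.9:1030 192.0.2.10:53 L=60 S=0x00 I=3 F=0x0000 T=51 (#3)
Jun 22 11:02:20 fw kernel: Packet log: input DENY eth0 PROTO=1 10.0.0.9:8 192.0.2.10:0 L=84 S=0x00 I=4 F=0x0000 T=51 (#2)
"""

def summarize(report):
    """Count DENY/ACCEPT packets listed after the 'Unusual' header, as the original does.
    Key drops the ephemeral source port; for ICMP (type:code in the port slots) it keeps the type."""
    counts, db_dead, in_unusual = Counter(), False, False
    for line in report.splitlines():
        db_dead = db_dead or "server has gone away" in line  # the original restarts snortd on this
        in_unusual = in_unusual or "Unusual" in line         # everything above the header is ignored
        if not in_unusual or not ("DENY" in line or "ACCEPT" in line):
            continue
        m = PACKET_RE.search(line)
        if not m:
            continue
        proto, saddr, sport, daddr, dport = m.groups()
        proto = int(proto)
        target = "type " + sport if proto == 1 else int(dport)
        counts[(proto, saddr, daddr, target)] += 1
    return counts, db_dead

def rows(counts):
    """(protocol, src, dst, service, tries) rows, most tries first."""
    out = []
    for (proto, saddr, daddr, target), tries in counts.items():
        service = target if proto == 1 else "%s/%s" % (target, SERVICES.get(target, "UNPRIV"))
        out.append((PROTOCOLS.get(proto, str(proto)), saddr, daddr, service, tries))
    return sorted(out, key=lambda r: (-r[4], r[1], r[2]))

if __name__ == "__main__":
    for r in rows(summarize(SAMPLE_REPORT)[0]):
        print("%-5s %-15s %-15s %-12s %d" % r)
```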