Snort mailing list archives

Re: snort email alert


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 23 May 2002 11:35:14 -0400

Well, I admit up front that I do not understand what exactly you are looking for, since I do not understand your question very well. So what follows is merely an educated guess of what might answer your question.

At any rate, swatch, logwatch and similar tools are "log watchers". They watch a logfile on disk, periodically scanning the latest information in it, and triggering various programs to be run if certain text strings appear in the log.

Swatch can watch a syslog file, or any other logfile you want, like the text mode snort alerts file.

So something along the lines of "swatch -t /home/snort/var/log/snort/alert" is probably a good start, depending on where you run snort from and where your alert file is. (yes I am paranoid, yes I do chroot my snort daemon, no that's not where I chroot it to)

For your swatch configuration you might want something as simple as this:

/WEB-IIS cmd.exe access/ exec="echo 'IIS cmd.exe' | mail me () somewhere com"

You can get a lot more elaborate, but I personally don't use this kind of setup, so if you want something more detailed, you might want to ask a more specific question to the list and let someone else answer it.


At 10:20 AM 5/23/2002 -0400, Math wrote:
I haven't found a good, clear explanation of how to set up a mail alert if my computer is scanned, using snort. I got swatch and I think I can configure it in my syslog to alert me. Can anybody refer me to a good, clear site, or explain to me how I can configure it to get different kinds of email alert?

ulaval student
Canada
Math
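A small Python log watcher that does what the swatch setup above does (scan only the lines appended to snort's text-mode alert file since the last pass, match patterns against each alert, hand every hit to an action), as an added illustration that is not part of the thread or of swatch itself. The alert lines, rule patterns and recipient addresses are constructed placeholders, and `send` defaults to doing nothing rather than invoking `mail`.

```python
import io
import re
# Constructed sample of snort's text-mode (fast) alert file; hosts are documentation addresses.
SAMPLE_ALERTS = (
    "05/23-10:20:01.123456  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.7:4123 -> 198.51.100.5:80\n"
    "05/23-10:20:03.000111  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.9 -> 198.51.100.5\n"
    "05/23-10:21:44.555555  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.7:4124 -> 198.51.100.5:80\n"
)
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\]"
    r".*?\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)
# Watch rules in the spirit of swatch's "/pattern/ exec=..." lines: regex -> recipient (placeholders).
WATCH_RULES = [
    (re.compile(r"WEB-IIS cmd\.exe access"), "webadmin@example.invalid"),
    (re.compile(r"ICMP PING NMAP"), "netops@example.invalid"),
]
def parse_alert(line):
    """Split one fast-format alert line into its fields, or return None for a non-alert line."""
    m = ALERT_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def scan_new_lines(fh, offset):
    """Read only what was appended since the last pass, as a log watcher polling a file does."""
    fh.seek(offset)
    lines = fh.readlines()
    return fh.tell(), lines

def build_mail(recipient, alert):
    """Compose the notification a rule would pipe into `mail`, keeping the fields that matter."""
    subject = f"snort: {alert['msg']} (sid {alert['sid']}, priority {alert['prio']})"
    body = f"{alert['ts']} {alert['proto']} {alert['src']} -> {alert['dst']}"
    return {"to": recipient, "subject": subject, "body": body}

def watch(fh, offset, rules=WATCH_RULES, send=lambda mail: None):
    """One polling pass: scan new lines, test every rule against each alert, hand hits to `send`."""
    offset, lines = scan_new_lines(fh, offset)
    sent = []
    for alert in filter(None, map(parse_alert, lines)):
        for pattern, recipient in rules:
            if pattern.search(alert["msg"]):
                sent.append(build_mail(recipient, alert))
                send(sent[-1])
    return offset, sent
def demo():
    fh = io.StringIO(SAMPLE_ALERTS)
    pos, first = watch(fh, 0, send=print)
    fh.write("05/23-10:25:00.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5\n")
    pos, second = watch(fh, pos, send=print)
    return first, second
```

`demo()` runs two passes over the constructed sample; the second pass starts from the saved offset, so it only reports the line appended in between, which is what keeps a periodic watcher from re-mailing old alerts.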


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net