Snort mailing list archives

Re: snort output


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 23 Jul 2003 13:53:03 -0400

At 10:32 AM 7/23/2003 -0600, Slighter, Tim wrote:
How difficult would it be to configure an output for "sendmail" or "mail"
since syslog, unified, tcpdump and others are already in place?  Has anyone
attempted this and if so would they have some recommendations on how anyone
could work on this project?

It's in the FAQ, #5.9.

In short, no, Snort can't do it directly and you don't want it to, but you can use a secondary tool to do this.



5.9 How do I get snort to e-mail me alerts?

You can't. Such a process would slow Snort down too much to make it of any use.
Instead, log to syslog and use swatch or logcheck to parse over the plaintext
logfiles.

With the logsurfer docs, this might get you on the road to doing something with
snort & logsurfer:

    http://www.obfuscation.org/emf/logsurfer/snort.txt

Jason Haar provided an example Swatch (3.1beta) config that emails alerts:

    http://www.theadamsfamily.net/~erek/snort/snort-swatch.conf.txt

Here are some docs on swatch:

  * http://www.oit.ucsb.edu/~eta/swatch/
  * http://www.stanford.edu/~atkins/swatch
  * http://rr.sans.org/sysadmin/swatch.php
  * http://www.enteract.com/~lspitz/swatch.html
  * http://www.cert.org/security-improvement/implementations/i042.01.html

IDS Center (see FAQ 5) on Win32 will also mail alerts.
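The approach the FAQ recommends (Snort writes alerts to syslog, a separate process reads the plaintext log and does the mailing) as an added example. This is not code from the original message, the Snort project, swatch or logcheck; it is a stand-alone Python watcher written for this page. It assumes Snort's `alert_syslog` line layout (`[gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src -> dst`), the sample log lines are constructed, and the mailbox addresses and SMTP host are placeholders. Alerts are batched and grouped by signature before a mail is built, because a mailer that sends one message per alert turns any alert flood an attacker can trigger into a mail flood.

```python
#!/usr/bin/env python3
"""Added example: read Snort alerts from a syslog file and mail a batched report.

Snort never waits on a mail server here; this script runs separately over the
plaintext log, which is what the FAQ recommends. The assumed line format is
Snort's alert_syslog output, e.g.

  Jul 23 10:32:01 sensor snort[1234]: [1:2003:8] SQL Worm propagation attempt \
      [Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.5:1434 -> 192.168.1.9:1434
"""
import re
import smtplib
from collections import Counter
from email.message import EmailMessage

# Regex for the alert_syslog layout assumed above (an assumption, not taken from Snort source).
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>[A-Z]+)\} (?P<src>\S+) -> (?P<dst>\S+)"
)

# Constructed sample log lines (not real traffic); one non-Snort line is mixed in
# to show that unrelated syslog entries are skipped.
SAMPLE_LOG = """\
Jul 23 10:32:01 sensor snort[1234]: [1:2003:8] SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.5:1434 -> 192.168.1.9:1434
Jul 23 10:32:02 sensor sshd[999]: Accepted publickey for tim from 10.0.0.7 port 51234 ssh2
Jul 23 10:32:03 sensor snort[1234]: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.5 -> 192.168.1.9
Jul 23 10:32:04 sensor snort[1234]: [1:1201:7] ATTACK-RESPONSES 403 Forbidden [Classification: Attempted Information Leak] [Priority: 3]: {TCP} 192.168.1.9:80 -> 10.0.0.5:3344
Jul 23 10:32:05 sensor snort[1234]: [1:2003:8] SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.6:1434 -> 192.168.1.9:1434
"""


def parse_alert(line):
    """Return a dict for a Snort alert line, or None for any other syslog line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["priority"] = int(d.pop("prio"))  # 1 is the most severe
    return d


def select_alerts(log_text, max_priority=2):
    """Parse every line and keep alerts whose priority is max_priority or more severe."""
    alerts = []
    for line in log_text.splitlines():
        a = parse_alert(line)
        if a and a["priority"] <= max_priority:
            alerts.append(a)
    return alerts


def build_report(alerts, sender, recipient, cap=50):
    """Build one e-mail for a whole batch, grouped by signature.

    Grouping (and capping the body) keeps an alert flood from becoming a mail
    flood: anyone who can make the sensor fire can otherwise make it mailbomb you.
    """
    counts = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    rows = [f"{n:5d}  [{gid}:{sid}] {msg}" for (gid, sid, msg), n in counts.most_common()]
    body = "\n".join(rows[:cap])
    if len(rows) > cap:
        body += f"\n... {len(rows) - cap} more signatures omitted"
    report = EmailMessage()
    report["From"] = sender
    report["To"] = recipient
    report["Subject"] = f"snort: {len(alerts)} alerts, {len(counts)} distinct signatures"
    report.set_content(body)
    return report


def send_report(report, smtp_host="localhost"):
    """Hand the batched report to a local MTA (not called in the demo below)."""
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(report)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(build_report(select_alerts(text), "snort@sensor.example", "ids-alerts@example.com"))
```

Run it against the file your syslog daemon writes Snort's facility to, e.g. from cron every few minutes, and keep that file root-owned but readable by the unprivileged account the script runs as; the script needs no access to the Snort process or its raw capture data.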






_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

