Snort mailing list archives

RE: E-mail alerting


From: "Andy" <andy () page55 com>
Date: Sat, 18 Sep 2004 21:59:57 -0500

JUST SOME ADDITIONAL INFORMATION:
you wrote:
    I was busy with my work for past three days, I didn't even check snort
list. Just now, I checked my mails, saw ur request. Well, I could not get into a
conclusion, what might be the error. Send the line in ur
script (ie, /root/.swatch_script.3238), where the error points out. I think, the
mail-id was the problem for the error.


this is line 125 that was giving me the error before I removed the ADDRESS
portion of the mail command:
----------------------------------------------------------------------------
 $swatch_last_flush = $swatch_time_now;
    }

    if (/Priority/) {
        &Swatch::Actions::send_email('ADDRESSES' => "andy\@page55.com",
                                     'MESSAGE'   => "$_",
                                     'SUBJECT'   => "--- Snort IDS Alert ---", );
        &Swatch::Actions::exec_command('MESSAGE' => "$_",
                                       'COMMAND' => "echo $0 >> /var/log/snort", );
      next;
----------------------------------------------------------------------------

AND FYI, I DID verify that snort is actively logging .....

thanks,
Andy
  -----Original Message-----
  From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Andy
  Sent: Saturday, September 18, 2004 9:34 PM
  To: snort-users () lists sourceforge net
  Subject: RE: [Snort-users] E-mail alerting


  Ok, I think I'm getting close.


  In /etc/swatchrc.txt,  I removed the ADDRESS part of the mail command, and
swatch now runs, AND the /root/.swatch_script.1234 file is created and I can
actually find it.

  I get this:
  *** swatch version 3.1.1 (pid:2009) started at Sat Sep 18 19:44:05 CDT 2004

  To test, I did a port scan, and this popped up:

  Invalid attribute name green_h at /usr/lib/perl5/site_perl/5.6.1/Swatch/Actions.pm line 58

   I commented the "echo green_h" line out, and I don't get the "Invalid
attribute name........" error anymore.

  Still not getting email alerts however. Do I need the "echo green_h" ?  I
would think not....

  Next, I changed the logging path, to /var/log/snort to match snort:

  [root@tunes andy]# snort -c /etc/snort/snort.conf -l /var/log/snort
  Running in IDS mode
  Log directory = /var/log/snort

  Still not getting email alerts however.

  This is my current swatchrc file:

  [root@tunes etc]# more swatchrc.txt
  # Swatch configuration file

         #
         #
         # swatch -c /etc/swatchrc -t /var/log/snort/alert
         #
         ###   Snort Alerts
         ##  Watch for entries containing the word 'Priority' in the snort alert file.
         ##  Display it in green on the screen
         ##  Mail alert to alerts () yourdomain com with subject of the email
         ##   being "----Snort IDS Alert----"
         ##  Log in file /var/log/IDS-scans


         watchfor /Priority/
         # echo green_h
         mail andy () page55 com ,subject=--- Snort IDS Alert ---
         exec echo $0 >> /var/log/snort

  Any ideas, I've got to be sooooo close.....

  Thanks,

  Andy
    -----Original Message-----
    From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Andy
    Sent: Saturday, September 18, 2004 8:01 PM
    To: snort-users () lists sourceforge net
    Subject: RE: [Snort-users] E-mail alerting


    Hi Prabu,

    I cannot find this file. Locate does not find any files named
swatch_script.*

    Snort and Swatch are installed on the "tunes.page55.com" server,  and
the mailserver I want alerts to be sent to is another server called
"page55.com"

    Do I need a mail client running on Tunes? Sendmail is there by default.
I'm not sure how it works, but I'm guessing that Snort would use the default
email client to send an email...

    Thank you for your reply, I wish I could get you the script info... I
will continue hunting .....

    Andy



    -----Original Message-----
    From: prabu [mailto:prabu333 () hotpop com]
    Sent: Tuesday, September 14, 2004 1:08 AM
    To: Andy; snort-users () lists sourceforge net
    Subject: Re: [Snort-users] E-mail alerting


      Hi Andy,
            I was busy with my work for past three days, I didn't even check
snort list. Just now, I checked my mails, saw ur request. Well, I could not get
into a conclusion, what might be the error. Send the line in ur
script (ie, /root/.swatch_script.3238), where the error points out. I think, the
mail-id was the problem for the error.

      First, R u running snort on "page555" server or "tunes" server. What is
the hostname of the machine, where u have installed Snort and Swatch.
      See, u can send alerts to the user accounts on the machine, where u have
installed all those stuffs. So change the email-id in the configuration file.
      This would help U, I hope.

      NOTE:
      /root/.swatch_script.3238: this is the script that is generated
automatically, while running swatch.



      Cheers,
      Prabu.S
        ----- Original Message -----
        From: Andy
        To: prabu ; snort-users () lists sourceforge net
        Sent: Monday, September 13, 2004 5:34 AM
        Subject: RE: [Snort-users] E-mail alerting


        Hi Prabu,

        Excellent post, it prompted me to check out swatch. I had to install
the CPAN mods and the only thing different was that I had to install
Time-HiRes-1.63 instead of Time-HiRes-1.59

        They all installed ok.

        I'm trying to get swatch to read the config file. I followed the
directions, but I'm getting an error:

        [root@tunes etc]# swatch --config-file=/etc/swatchrc.txt
        Global symbol "@page55" requires explicit package name at /root/.swatch_script.3238 line 125.
        Execution of /root/.swatch_script.3238 aborted due to compilation errors.

        I put the config file in /etc and copied it exactly from below,
except of course I inserted my own email address.

        Do you know what this error means?

        What is the meaning of the line: /root/.swatch_script.3238 line 125.
(specifically the /root/ part.)

        Thanks,

        Drew
          -----Original Message-----
          From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of prabu
          Sent: Saturday, September 04, 2004 12:30 AM
          To: snort-users () lists sourceforge net; Carlos M Ospina
          Subject: Re: [Snort-users] E-mail alerting


          Hello Carlos,
                      You can use Swatch to get email alerts from Snort.

           Installing Swatch is just a child's play, very easy. I have given
below the necessary steps to configure Swatch.
          Hope this will be useful. If you have any queries, you can write to
me.


          Prabu.S




############################################################################



          CONFIGURATION STEPS TO SEND SNORT ALERTS AS E-MAIL:



          To receive Snort alerts as E-mail, one can follow the following
steps:

          Swatch is the widely used open source tool to enable E-mail alerts in
          Snort. Swatch is a utility that monitors system log files, filters out
          unwanted data and takes specified actions (i.e., sending email,
          executing a script, etc.) based upon what it finds in the log files. So
          I have used Swatch to configure snort to send the alerts as E-mail.

          NOTE:
            Here, it is considered that snort has been already installed on
the host, in which this is to be tested.

          [a] Swatch installation:

          Download the swatch package, from
http://sourceforge.net/project/showfiles.php?group_id=68627
          To install, simply issue the following commands:

                         perl Makefile.PL
                         make
                         make test
                         make install
                         make realclean

          Swatch installs just like a CPAN module. If you are not familiar
with this process then you may want to read about it by issuing the command:

          man ExtUtils::MakeMaker

          Use the perldoc command if your man cannot find the document.

          If you see messages like these:

          Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
          Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
          Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
          Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.


          Then you need to install the CPAN module(s) that it doesn't find,
before you can use swatch.
          You can find these modules at http://search.cpan.org/.

          One must download the following perl modules from the site
search.cpan.org

                      1.Bit-Vector-6.3
                      2.Date-Calc-5.3
                      3.DateManip-5.42a
                      4.File-Tail-0.98
                      5.Time-HiRes-1.59
                      6.TimeDate-1.16

          To install these perl modules, one can follow the same steps as
said for Swatch. They are:

                       perl Makefile.PL
                       make
                       make test
                       make install
                       make realclean

          The Swatch binary will be installed at the /opt/perl/bin/
directory

          Then create the swatch configuration file.

          cat /etc/swatchrc.txt

          ==========================================================
          # Swatch configuration file

                 #
                 #
                 # swatch -c /etc/swatchrc -t /var/log/snort/alert
                 #
                 ###   Snort Alerts
                 ##  Watch for entries containing the word 'Priority' in the snort alert file.
                 ##  Display it in green on the screen
                 ##  Mail alert to alerts () yourdomain com with subject of the email
                 ##   being "----Snort IDS Alert----"
                 ##  Log in file /var/log/IDS-scans


                 watchfor /Priority/
                 echo green_h
                 mail addresses=youruseraccount () yourdomain com ,subject=--- Snort IDS Alert ---
                 exec echo $0 >> /var/log/IDS-scans

           ============================================================

          THE FINAL STEPS:

          [a] Start Snort in NIDS mode:

            #./snort -c /snort/iexpress/snort/etc/snort.conf -l /var/log/snort

          [b] Start swatch:

            cd /opt/perl/bin
            #./swatch --config-file=/etc/swatchrc.txt

          [c] Using Outlook Express:

             configure the User's POP3 account and you can receive the
emails sent by Swatch for each alert based on the pattern
             matching the "watchfor"




############################################################################


          Cheers,
          Prabu.S





            ----- Original Message -----
            From: Carlos M Ospina
            To: snort-users () lists sourceforge net
            Sent: Friday, September 03, 2004 7:08 PM
            Subject: [Snort-users] E-mail alerting



            Is there any way to configure, with ACID, automatic alerts by
e-mail? Is there any manual about that?

            Thanks in advance.


            ---
            Outgoing mail is certified Virus Free.
            Checked by AVG anti-virus system (http://www.grisoft.com).
            Version: 6.0.751 / Virus Database: 502 - Release Date: 9/2/2004


            ---
            Outgoing mail is certified Virus Free.
            Checked by AVG anti-virus system (http://www.grisoft.com).
            Version: 6.0.760 / Virus Database: 509 - Release Date: 9/10/2004
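The compile error discussed in this thread ("Global symbol "@page55" requires explicit package name") arises because swatch writes the swatchrc mail address into a double-quoted string of the Perl script it generates, where an unescaped @ is read as an array name under use strict. The script below is an added example, not swatch's own code: it compiles the same kind of fragment for the unescaped, backslash-escaped and single-quoted forms, and adds a small hypothetical lint function for swatchrc mail lines.

```perl
#!/usr/bin/perl
# Added example (not swatch's code): reproduce the "@page55" compile error
# from the thread and show the two forms of the address that compile cleanly.
use strict;
use warnings;

# Compile a fragment the way the generated /root/.swatch_script.NNNN does
# (under 'use strict') and return the resulting value or the compile error.
sub compile_address_fragment {
    my ($fragment) = @_;
    my $value = eval "use strict; my \$addr = $fragment; \$addr";
    if ($@) {
        chomp(my $err = $@);
        return "error: $err";
    }
    return "ok: $value";
}

# Hypothetical lint for a swatchrc 'mail' line: returns 1 when the address
# contains an '@' that is not escaped with a backslash (the thread's bug).
sub mail_line_has_unescaped_at {
    my ($line) = @_;
    return 0 unless $line =~ /^\s*mail\b/;
    return ($line =~ /(?<!\\)@/) ? 1 : 0;
}

my @fragments = (
    # Unescaped '@' in double quotes: Perl interpolates @page55 as an array
    # that was never declared, so the script fails to compile.
    [ 'unescaped, double-quoted' => q{"andy@page55.com"} ],
    # Backslash-escaped '@', as in the quoted line 125 after the fix.
    [ 'escaped, double-quoted'   => q{"andy\@page55.com"} ],
    # Single quotes never interpolate, so the address is kept verbatim.
    [ 'single-quoted'            => q{'andy@page55.com'} ],
);
for my $case (@fragments) {
    my ($label, $fragment) = @$case;
    printf "%-26s %s\n", "$label:", compile_address_fragment($fragment);
}

# Constructed swatchrc lines: the first reproduces the failing config.
for my $line ('mail andy@page55.com,subject=--- Snort IDS Alert ---',
              'mail andy\@page55.com,subject=--- Snort IDS Alert ---') {
    printf "%s -> %s\n", $line,
        mail_line_has_unescaped_at($line) ? "unescaped @ (the thread's error)"
                                          : 'ok';
}
```

With use warnings enabled, the unescaped case also prints Perl's "Possible unintended interpolation of @page55 in string" warning on stderr before the compile error.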
