Snort mailing list archives

RE: Snort automatic email alert.


From: "Jim Hendrick" <jrhendri () maine rr com>
Date: Mon, 9 Aug 2004 19:20:35 -0400

Hmmm... At the risk of "making this more complicated", you might consider
"swatch" by Todd Atkins. It allows a bit of flexibility in what gets sent
and how often (i.e., it wouldn't send 5000 messages in 1 minute, but could send a
"saw this 5000 times in 1 minute" email).

It works off tailing the snort (or any other) log file and uses simple
expressions to determine what action (email, command, etc.) to run.

Later,
Jim
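The aggregation Jim describes ("saw this N times" instead of N separate mails) is easy to do without swatch as well. The following is an added example, not code from either post or from the swatch project: it collapses a batch of Snort "fast" alert lines into one summary line per signature, with a minimum count below which a signature is not reported at all. The sample alert lines are constructed for the example (documentation address ranges, made-up signature ids), and the parser assumes the fast-format layout where the signature id and message sit between the first and second `[**]` marker.

```shell
#!/bin/sh
# Added example (not from the list thread): summarize a batch of Snort
# "fast" alert lines per signature, the way a throttled notifier would,
# instead of sending one mail per event.

# Constructed sample alert lines in fast format (assumed layout; the
# addresses are documentation ranges and the signature ids are made up).
SAMPLE_ALERTS='08/09-19:20:01.000001  [**] [1:1000001:1] EXAMPLE probe A [**] [Priority: 2] {TCP} 192.0.2.10:4242 -> 198.51.100.5:80
08/09-19:20:01.000002  [**] [1:1000001:1] EXAMPLE probe A [**] [Priority: 2] {TCP} 192.0.2.10:4243 -> 198.51.100.5:80
08/09-19:20:01.000003  [**] [1:1000002:1] EXAMPLE probe B [**] [Priority: 3] {UDP} 192.0.2.11:53 -> 198.51.100.5:53
08/09-19:20:02.000004  [**] [1:1000001:1] EXAMPLE probe A [**] [Priority: 2] {TCP} 192.0.2.10:4244 -> 198.51.100.5:80'

# summarize_alerts: read alert lines on stdin and print
# "COUNT<TAB>[gid:sid:rev] message", highest count first.
summarize_alerts() {
    awk '
        {
            # The signature id and message are the text between the
            # first "[**] " and the following " [**]"; skip anything else.
            start = index($0, "[**] ")
            if (start == 0) next
            rest = substr($0, start + 5)
            end = index(rest, " [**]")
            if (end == 0) next
            sig = substr(rest, 1, end - 1)
            count[sig]++
        }
        END { for (s in count) printf "%d\t%s\n", count[s], s }
    ' | sort -k1,1nr -k2
}

# digest_alerts MIN: turn the summary into one "saw this N times" line per
# signature, dropping signatures seen fewer than MIN times (default 1).
digest_alerts() {
    min=${1:-1}
    summarize_alerts | awk -F'\t' -v min="$min" \
        '$1 >= min { printf "saw this %d time(s): %s\n", $1, $2 }'
}

# Usage on a real box would be something like (path is an assumption):
#   cat /var/log/snort/alert | digest_alerts 5 | mail -s "snort digest" you@example.com
# Here we run it over the constructed sample instead.
printf '%s\n' "$SAMPLE_ALERTS" | digest_alerts 1
```

Run from cron, this reads the whole alert file each time; in practice you would rotate or truncate the file after each digest, or track the byte offset you last reported, so that a burst is counted once rather than on every run.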


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Frank Knobbe
Sent: Sunday, August 08, 2004 7:24 PM
To: Lyndon Tiu; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort automatic email alert.


On Fri, 2004-08-06 at 19:23, Erik Fichtner wrote:
> My god.. another notification tool that's wrapped all up in MySQL.
> Don't make this harder than it needs to be.

heh... I agree. Below is what I use for email alerts. It goes through all
/var/log/*snort* directories (if you have more than one instance of snort
running), but you may need to adjust the path or filter name. Also, make sure
you have:
  output log_ascii:
in your snort.conf and that you run it with "-l /var/log/snort-something -d"
(the application layer dump comes in really handy). Further, replace mailsubj
with sendmail or whatever else you use.

I suggest using cron to run this every minute.

Regards,
Frank

---8<---

#! /bin/sh
# Mail every log_ascii packet dump as its own message, then delete it.
# A lock file stops overlapping cron runs from mailing the same files twice.

if [ -e /var/run/mailsnort ]; then
   echo MailSnort already running... skipping this instance...
   exit 0
fi
touch /var/run/mailsnort
# Release the lock even if the script is interrupted part way through.
trap 'rm -f /var/run/mailsnort' EXIT

for logdir in /var/log/*snort*; do
   [ -d "$logdir" ] || continue
   cd "$logdir" || continue
   name=${logdir##*/}
   # log_ascii writes one directory per source address plus the alert.ids file.
   for dir in *; do
      [ "$dir" = alert.ids ] && continue
      # Only descend into directories: if the cd below failed, the inner
      # loop would otherwise mail and delete the files of the log directory itself.
      [ -d "$dir" ] || continue
      cd "$dir" || continue
      echo "Sending $dir"
      for file in *; do
         [ -f "$file" ] || continue
         mailsubj "$name:  $dir  -  $file" your@address.here.com < "$file"
         rm -f "$file"
      done
      cd ..
      rmdir "$dir" 2> /dev/null
   done
done

--->8---
