Snort mailing list archives
Re: Real-time email notification
From: "A.L.Lambert" <alambert () manisec com>
Date: Tue, 3 Jul 2001 09:20:32 -0500 (CDT)
> Hi, can anybody tell me a way to check the snort-logfiles in real-time and send an email to the admin as a notification of an alert?
Use one of the many logfile monitoring tools (swatch, tail, logtwatch, logtool, etc, etc, etc.), and/or write your own, and use that to generate/send e-mails based on the logs. One thing you do want to be careful with is just how "real-time" you make it. If you don't have some sort of rate throttling in there, someone can blow up your inbox by generating a lot of alerts.

As a bare-bones example, the following should do something like what you want (warning: untested script, written off the top of my head) (also warning: probably Linux-centric script, never done much shell on other *ix's):
---cut---
#!/bin/bash
# user configuration stuff.
mailto="mymail@mydomain.ext"   # recipient (the archive had mangled the '@')
subject="snort alert"
throttle=2m                    # minimum gap between two e-mails (GNU sleep suffix)
sleepfor=30s                   # polling interval
# set TMPDIR if it's not already set.
if [ -z "$TMPDIR" ] ; then
    TMPDIR="/tmp"
fi
while true ; do
    # create the tmpfile atomically with mode 0600; mktemp avoids the race
    # between "does it exist?" and "touch" that a check-then-create loop has.
    tmpfile=$(mktemp "$TMPDIR/logmon.XXXXXX") || exit 1
    # logtail is a state-keeping tail utility: it prints only the lines
    # appended since its previous run.
    logtail /var/log/snort/alert > "$tmpfile"
    # if the file is non-empty, generate an e-mail.  Test the size directly:
    # 'find -size 0' exits 0 whether or not it matched, so its $? says nothing.
    if [ -s "$tmpfile" ] ; then
        # mail's -s takes the subject; the recipient is a separate argument.
        mail -s "$subject" "$mailto" < "$tmpfile"
        # throttle the next e-mail send.
        sleep "$throttle"
    fi
    # kill the tmpfile
    rm -f "$tmpfile"
    # sleep for a few seconds so we don't burn too much CPU time
    # repeatedly reading the logfile.
    sleep "$sleepfor"
    # rinse, lather, repeat.
done
---cut---
Cheers!
--
A.L.Lambert
Chief Technical Officer - ManISec Inc.
E-Mail: alambert () manisec com
------------------------------------------------------------------------
Everything should be made as simple as possible, but not simpler.
-Einstein
------------------------------------------------------------------------
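The throttling caveat above, carried a step further as an added example (not the poster's script nor part of Snort): the same poll-and-digest loop written in Python so the throttle state is explicit, with a cap on lines per e-mail and a count of what was left out, so a burst of alerts neither floods the inbox nor silently disappears. The Snort alert lines are constructed sample data; `AlertThrottle` and `SAMPLE_LINES` are names chosen here.

```python
# Added example, not the original poster's script: the same throttled
# notifier written in Python so the throttling state is explicit.  The
# Snort alert lines are constructed sample data; mailing is left to the caller.

class AlertThrottle:
    """Queue new alert lines and release them as bounded digests:
    at most one digest per min_interval seconds, at most max_lines each."""

    def __init__(self, min_interval, max_lines=20):
        self.min_interval = min_interval
        self.max_lines = max_lines
        self.last_sent = None      # time of the last digest, None = never
        self.pending = []          # lines waiting to be mailed
        self.suppressed = 0        # lines not queued because the digest was full

    def feed(self, lines):
        """Queue lines read from the log; beyond max_lines only count them."""
        for line in lines:
            if len(self.pending) < self.max_lines:
                self.pending.append(line.rstrip("\n"))
            else:
                self.suppressed += 1

    def digest(self, now):
        """Return an e-mail body if one may go out at time `now`, else None.
        Nothing is lost while throttled: queued lines wait for the next
        digest, and the admin is told how many lines were suppressed."""
        if not self.pending and not self.suppressed:
            return None
        if self.last_sent is not None and now - self.last_sent < self.min_interval:
            return None
        body = "\n".join(self.pending)
        if self.suppressed:
            body += "\n... %d further alert lines suppressed by throttle" % self.suppressed
        self.pending, self.suppressed, self.last_sent = [], 0, now
        return body

# Constructed Snort fast-format alert lines simulating a 25-alert burst.
SAMPLE_LINES = [
    "07/03-09:20:%02d.000000 [**] [1:1000001:1] SAMPLE scan [**] "
    "[Priority: 2] {TCP} 10.0.0.%d:1234 -> 10.0.0.1:80" % (i, i) for i in range(25)]

if __name__ == "__main__":
    t = AlertThrottle(min_interval=120, max_lines=20)
    t.feed(SAMPLE_LINES)
    for now in (0, 60, 130):       # t=60 falls inside the 120 s throttle window
        body = t.digest(now)
        print("t=%d: %s" % (now, "mail sent\n" + body if body else "nothing sent"))
```

In a real deployment the poll loop would call `digest()` once per sleep interval and pipe the returned body to `mail` exactly as the shell script does.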