Snort mailing list archives
Re: emailing alerts
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Wed, 21 Apr 2004 19:48:35 +0200
Hi,
try logsurfer, it's really good.
Create a non-privileged user logsurfer and the directories
/var/log/logsurfer and /etc/logsurfer. Put this in the file
/etc/logsurfer/snort.conf:
# Report priority 1 alerts: on a "[Priority: 1]" line open a context,
# collect the 3 following lines (or stop waiting after 3 seconds) and
# pipe the collected lines to mail
'\[Classification: (.*)\] \[Priority: 1\]' - - - 0 open
(.*) - 3 3 - pipe
"/bin/mail -s \"\[SNORT SENSOR 1\] ALERT: Snort detected \
a Priority 1 security incident\" admin () mydomain de"
#
# Ignore the rest (every line that did not match a rule above)
'(.*)' - - - 0 ignore
This will collect the 3 following lines in a container after a Prio 1
alert has occurred and mail it to the address admin () mydomain de after 3
seconds.
Start logsurfer like this:
# run as root; logsurfer itself runs as the unprivileged user created above
# -c: rule file, -l: line of the alert file to start at (its current last line),
# -d: state dump file, -p: pid file, -f: the Snort alert file to follow
su -c "/usr/local/bin/logsurfer -c /etc/logsurfer/snort.conf \
-l `wc -l /var/log/snort/alert | awk '{print $1}'` \
-d /var/log/logsurfer/ls_snort.dump -p /var/run/ls_snort.pid \
-f /var/log/snort/alert &" logsurfer
The "`wc -l ...`" part is needed to start logsurfer from the last
line of the file; otherwise you need a really fast mail server ;). Try
Postfix, it can handle over 20000 emails in a few minutes, tested by me
and logsurfer... ;)
A report mail should then look like this:

[Classification: Web Application Attack] [Priority: 1]
04/19/04-14:38:32.007925 0:E0:18:FE:17:D9 -> 0:2:B3:95:39:FB type:0x800 len:0x5EA
172.16.0.1:48375 -> 10.0.0.10:80 TCP TTL:64 TOS:0x0 ID:37706 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x51314FFA Ack: 0xBD854F62 Win: 0x16D0 TcpLen: 20

Regards,
Edin

Scott Skrogstad wrote:

> Is there any way I can get snort to alert me via email when there is a problem? I have a couple of remote sites that I am trying to monitor but would like an email if there is a problem... Scott
--
Edin Dizdarevic
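The rule and the pipe-to-mail action from the post, written out as a small Python watcher so the context collection, the timeout flush and the start-at-end behaviour can be seen and tested. This is an added example, not code from the post or from logsurfer. Assumptions not in the post: the alert file is Snort's full alert format, in which a "[**] ... [**]" signature line precedes each Classification line (the example keeps that line too, which goes beyond what the post mails); the sensor name, recipient and /bin/mail path are placeholders; and the sample alert lines are constructed in the layout of the alert quoted above, with placeholder rule IDs from the local-rule range.

```python
#!/usr/bin/env python3
"""Added example, not code from the post or from logsurfer: do by hand what
the logsurfer rule above does. Assumptions: Snort full alert format with a
"[**] ... [**]" line before each Classification line; sensor name, recipient
and mail command are placeholders."""
import os
import re
import subprocess
import time

# Trigger pattern, identical to the logsurfer rule in the post.
PRIO1_RE = re.compile(r'\[Classification: (.*)\] \[Priority: 1\]')
# Lines after the Classification line that belong to the same alert; the post
# collects 3 (timestamp, IP header, transport header).
CONTEXT_LINES = 3


def iter_prio1_alerts(lines, context_lines=CONTEXT_LINES):
    """Yield {"classification", "lines"} for each Priority 1 alert in `lines`.

    A None item is an idle tick from follow(): it flushes a half-collected
    alert, the role the 3-second timeout plays in the logsurfer rule.
    Beyond the post, the preceding "[**]" signature line is kept as well.
    """
    previous = None   # one-line lookback for the signature line
    current = None    # alert being collected
    remaining = 0     # context lines still to collect
    for raw in lines:
        if raw is None:                   # timeout: flush what we have
            if current is not None:
                yield current
                current = None
            continue
        line = raw.rstrip("\n")
        m = PRIO1_RE.search(line)
        if m:
            if current is not None:       # new alert before the old one completed
                yield current
            current = {"classification": m.group(1), "lines": []}
            if previous is not None and previous.startswith("[**]"):
                current["lines"].append(previous)
            current["lines"].append(line)
            remaining = context_lines
        elif current is not None and remaining > 0:
            current["lines"].append(line)
            remaining -= 1
            if remaining == 0:            # line limit reached, like "3" in the rule
                yield current
                current = None
        previous = line
    if current is not None:               # input ended mid-alert
        yield current


def collect_prio1_alerts(lines, context_lines=CONTEXT_LINES):
    """List form of iter_prio1_alerts, for a finite chunk of the file."""
    return list(iter_prio1_alerts(lines, context_lines))


def format_report(alert, sensor="SNORT SENSOR 1"):
    """Subject and body for one alert, using the post's subject wording."""
    subject = f"[{sensor}] ALERT: Snort detected a Priority 1 security incident"
    return subject, "\n".join(alert["lines"]) + "\n"


def send_with_mail(subject, body, recipient, mail_cmd="/bin/mail"):
    """Pipe the body into /bin/mail; an argv list means no shell re-parses
    the subject or recipient (the post's variant quotes them for sh)."""
    subprocess.run([mail_cmd, "-s", subject, recipient],
                   input=body, text=True, check=True)


def follow(path, start_at_end=True, poll=3.0):
    """Yield lines appended to `path`, and None after each idle poll.
    start_at_end skips the existing backlog, which is what the post's
    "-l `wc -l ...`" argument is for: otherwise every old Priority 1
    alert in the file would be mailed on startup."""
    with open(path, "r", errors="replace") as fh:
        if start_at_end:
            fh.seek(0, os.SEEK_END)
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)
                yield None


def watch(path, recipient, sender=send_with_mail):
    """Tail the alert file forever and mail each completed Priority 1 alert."""
    for alert in iter_prio1_alerts(follow(path)):
        subject, body = format_report(alert)
        sender(subject, body, recipient)


# Constructed sample in the layout of the alert quoted in the post; the rule
# IDs are placeholders from the local-rule range, not real Snort rules.
SAMPLE_ALERT_FILE = """\
[**] [1:1000001:1] EXAMPLE priority-1 rule [**]
[Classification: Web Application Attack] [Priority: 1]
04/19/04-14:38:32.007925 0:E0:18:FE:17:D9 -> 0:2:B3:95:39:FB type:0x800 len:0x5EA
172.16.0.1:48375 -> 10.0.0.10:80 TCP TTL:64 TOS:0x0 ID:37706 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x51314FFA Ack: 0xBD854F62 Win: 0x16D0 TcpLen: 20

[**] [1:1000002:1] EXAMPLE priority-2 rule [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/19/04-14:39:01.000001 0:E0:18:FE:17:D9 -> 0:2:B3:95:39:FB type:0x800 len:0x3C
172.16.0.1 -> 10.0.0.10 ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:28
Type:8  Code:0  ID:1  Seq:1  ECHO
"""

if __name__ == "__main__":
    for alert in collect_prio1_alerts(SAMPLE_ALERT_FILE.splitlines(keepends=True)):
        subject, body = format_report(alert)
        print(subject)
        print(body)
```

Run stand-alone it prints one report for the sample (the Priority 2 alert is skipped, as the logsurfer "ignore" rule would); `watch("/var/log/snort/alert", "admin@example.invalid")` is the live equivalent of the su/logsurfer command above. Passing a different `sender` lets you batch or rate-limit delivery, which is the mail-flood the post jokes about.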
Current thread:
- emailing alerts Scott Skrogstad (Apr 21)
- Re: emailing alerts Matt Kettler (Apr 21)
- Re: emailing alerts Edin Dizdarevic (Apr 21)
- AW: emailing alerts Freddie Soerensen (Apr 27)
- <Possible follow-ups>
- RE: emailing alerts Mike Koponick (Apr 21)
