Snort mailing list archives
Re: E-mail alerting
From: "prabu" <prabu333 () hotpop com>
Date: Tue, 14 Sep 2004 11:38:08 +0530
Hi Andy,
I was busy with my work for the past three days; I didn't even check the Snort list. Just now I checked my mail and saw your
request. Well, I could not come to a conclusion about what the error might be. Send the line in your
script (i.e., /root/.swatch_script.3238) where the error points. I think the mail ID was the problem
for the error.
First, are you running Snort on the "page555" server or the "tunes" server? What is the hostname of the machine where you have
installed Snort and Swatch?
See, you can send alerts to the user accounts on the machine where you have installed all those things. So change the
email ID in the configuration file.
This would help you, I hope.
NOTE:
/root/.swatch_script.3238 ---- this is the script that is generated automatically while running swatch.
Cheers,
Prabu.S
----- Original Message -----
From: Andy
To: prabu ; snort-users () lists sourceforge net
Sent: Monday, September 13, 2004 5:34 AM
Subject: RE: [Snort-users] E-mail alerting
Hi Prabu,
Excellent post, it prompted me to check out swatch. I had to install the CPAN mods, and the only thing different was
that I had to install Time-HiRes-1.63 instead of Time-HiRes-1.59.
They all installed OK.
I'm trying to get swatch to read the config file. I followed the directions, but I'm getting an error:
[root@tunes etc]# swatch --config-file=/etc/swatchrc.txt
Global symbol "@page55" requires explicit package name at /root/.swatch_script.3238 line 125.
Execution of /root/.swatch_script.3238 aborted due to compilation errors.
I put the config file in /etc and copied it exactly from below, except of course I inserted my own email address.
Do you know what this error means?
What is the meaning of the line: /root/.swatch_script.3238 line 125. (specifically the /root/ part.)
Thanks,
Drew
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of
prabu
Sent: Saturday, September 04, 2004 12:30 AM
To: snort-users () lists sourceforge net; Carlos M Ospina
Subject: Re: [Snort-users] E-mail alerting
Hello Carlos,
You can use Swatch to get emails alerts from Snort.
Installing Swatch is just child's play, very easy. I have given below the necessary steps to configure Swatch.
Hope this will be useful. If you have any queries, you can write to me.
Prabu.S
########################################################################################################################
CONFIGURATION STEPS TO SEND SNORT ALERTS AS E-MAIL:
To receive Snort alerts as e-mail, one can follow these steps:
Swatch is a widely used open source tool for enabling e-mail alerts in Snort. Swatch is a utility that monitors
system log files, filters out unwanted data and takes specified actions (i.e., sending email, executing a script,
etc.) based upon what it finds in the log files. So I have used Swatch to configure Snort to send the alerts as
e-mail.
NOTE:
Here, it is assumed that Snort has already been installed on the host on which this is to be tested.
[a] Swatch installation:
Download the swatch package, from http://sourceforge.net/project/showfiles.php?group_id=68627
To install, simply issue the following commands:
perl Makefile.PL
make
make test
make install
make realclean
Swatch installs just like a CPAN module. If you are not familiar with this process then you may want to read about
it by issuing the command:
man ExtUtils::MakeMaker
Use the perldoc command if your man cannot find the document.
If you see messages like these:
Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.
Then you need to install the CPAN module(s) that it doesn't find, before you can use swatch.
You can find these modules at http://search.cpan.org/.
One must download the following Perl modules from search.cpan.org:
1.Bit-Vector-6.3
2.Date-Calc-5.3
3.DateManip-5.42a
4.File-Tail-0.98
5.Time-HiRes-1.59
6.TimeDate-1.16
To install these Perl modules, one can follow the same steps as for Swatch.
They are:
perl Makefile.PL
make
make test
make install
make realclean
The Swatch binary will be installed at the /opt/perl/bin/ directory
Then create the swatch configuration file.
cat /etc/swatchrc.txt
==========================================================
# Swatch configuration file
#
# Run as:
# swatch --config-file=/etc/swatchrc.txt --tail-file=/var/log/snort/alert
#
### Snort Alerts
## Watch for entries containing the word 'Priority' in the snort alert file.
## Display it in green on the screen
## Mail alert to youruseraccount@yourdomain.com with subject of the email
## being "--- Snort IDS Alert ---"
## Log in file /var/log/IDS-scans
## The "@" in the address is escaped as "\@": swatch compiles this file into a
## Perl script, where an unescaped "@" is read as an array name.
watchfor /Priority/
echo green_h
mail addresses=youruseraccount\@yourdomain.com,subject=--- Snort IDS Alert ---
exec echo $0 >> /var/log/IDS-scans
============================================================
THE FINAL STEPS:
[a] Start Snort in NIDS mode:
#./snort -c /snort/iexpress/snort/etc/snort.conf -l /var/log/snort
[b] Start swatch:
cd /opt/perl/bin
#./swatch --config-file=/etc/swatchrc.txt --tail-file=/var/log/snort/alert
[c] Using Outlook Express:
configure the user's POP3 account and you can receive the emails sent by Swatch for each alert matching the
"watchfor" pattern.
##########################################################################################################
Cheers,
Prabu.S
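Swatch, as configured in the post above, acts per matching line: every `[Priority: N]` line in the alert file produces one mail whose body is only that line, so a noisy rule floods the mailbox and the analyst never sees the signature ID or the addresses involved. The script below is an added example in Python, not code from the original post or from Swatch: it parses whole records from Snort's multi-line "full" alert format, drops alerts below a priority cut-off (Snort uses 1 for the most severe), rate-limits per signature, and builds the mail message with the complete record in the body. The SAMPLE_ALERT_FILE records, the 192.0.2.x / 198.51.100.x addresses and the `snort@localhost` / `alerts@example.com` mail addresses are constructed for the example.

```python
"""Filter and rate-limit Snort alerts before mailing them.

Added example (not from the original post or from Swatch).  It assumes the
classic multi-line "full" alert format Snort writes to /var/log/snort/alert,
which is what the swatchrc above pattern-matches with /Priority/.
"""
import re
import sys
import time
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample in Snort's full-alert layout; not a real capture.
SAMPLE_ALERT_FILE = """\
[**] [1:1000001:1] TEST portscan probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/04-00:30:01.123456 192.0.2.10:51234 -> 198.51.100.5:22
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:60 DF

[**] [1:1000002:3] TEST shellcode pattern [**]
[Classification: Executable code was detected] [Priority: 1]
09/04-00:30:02.000001 192.0.2.10:51235 -> 198.51.100.5:80
TCP TTL:64 TOS:0x0 ID:12346 IpLen:20 DgmLen:1500 DF

[**] [1:1000001:1] TEST portscan probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/04-00:30:03.000002 192.0.2.10:51236 -> 198.51.100.5:23
TCP TTL:64 TOS:0x0 ID:12347 IpLen:20 DgmLen:60 DF

[**] [1:1000003:1] TEST ICMP ping [**]
[Classification: Misc activity] [Priority: 3]
09/04-00:30:04.000003 192.0.2.10 -> 198.51.100.5
ICMP TTL:64 TOS:0x0 ID:12348 IpLen:20 DgmLen:84
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]\s*$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+)\s*$")   # timestamp src -> dst


def parse_alerts(text):
    """Split full-format output into records (blank-line separated) and
    return one dict per record.  Blocks that do not start with a record
    header are skipped rather than crashing the watcher on odd input."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0]) if lines else None
        if not head:
            continue
        gid, sid, rev, msg = head.groups()
        prio = PRIORITY_RE.search(block)
        flow = FLOW_RE.match(lines[2]) if len(lines) > 2 else None
        alerts.append({
            "sid": f"{gid}:{sid}:{rev}",
            "msg": msg,
            # Snort: 1 = high, 2 = medium, 3 = low, 4 = very low; missing -> 4
            "priority": int(prio.group(1)) if prio else 4,
            "timestamp": flow.group(1) if flow else None,
            "src": flow.group(2) if flow else None,
            "dst": flow.group(3) if flow else None,
            "raw": block,
        })
    return alerts


class Throttle:
    """Allow at most `burst` mails per signature in any `window` seconds.
    A noisy rule otherwise turns one mail per alert into a mail flood."""

    def __init__(self, burst=3, window=300.0, clock=time.monotonic):
        self.burst, self.window, self.clock = burst, window, clock
        self.sent = defaultdict(list)       # sid -> times a mail went out
        self.suppressed = defaultdict(int)  # sid -> alerts dropped

    def allow(self, sid):
        now = self.clock()
        recent = [t for t in self.sent[sid] if now - t < self.window]
        if len(recent) < self.burst:
            recent.append(now)
            self.sent[sid] = recent
            return True
        self.sent[sid] = recent
        self.suppressed[sid] += 1
        return False


def select_for_mail(alerts, max_priority=2, throttle=None):
    """Keep alerts at or above the severity cut-off (lower number = more
    severe) that the per-signature throttle lets through."""
    throttle = throttle if throttle is not None else Throttle()
    return [a for a in alerts
            if a["priority"] <= max_priority and throttle.allow(a["sid"])]


def build_mail(alert, sender, recipient, subject="--- Snort IDS Alert ---"):
    """Whole alert record in the body, so the analyst sees more than the
    single [Priority] line a line-oriented watcher would forward."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"{subject} P{alert['priority']} {alert['msg']}"
    msg.set_content(alert["raw"] + "\n")
    return msg


if __name__ == "__main__":
    # One-shot run over a file given on the command line, else the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERT_FILE
    for a in select_for_mail(parse_alerts(data)):
        # In production hand the message to smtplib.SMTP("localhost").send_message(...).
        print(build_mail(a, "snort@localhost", "alerts@example.com")["Subject"])
```

Run on the sample, the script mails the first portscan alert and the priority-1 shellcode alert, suppresses the repeated portscan signature within the throttle window, and ignores the priority-3 ICMP alert. To feed it live data, tail `/var/log/snort/alert` and pass each completed record through the same functions; the `Throttle` takes an injectable clock so its behaviour can be tested without waiting out a real window.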
----- Original Message -----
From: Carlos M Ospina
To: snort-users () lists sourceforge net
Sent: Friday, September 03, 2004 7:08 PM
Subject: [Snort-users] E-mail alerting
Is there any way to configure, with ACID, automatic alerts by e-mail? Is there any manual about that?
Thanks in advance.
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.751 / Virus Database: 502 - Release Date: 9/2/2004
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.760 / Virus Database: 509 - Release Date: 9/10/2004