Snort mailing list archives
E-mail alerting
From: "Andy" <andy () page55 com>
Date: Sun, 19 Sep 2004 22:29:26 -0500
-----Original Message-----
From: Andy [mailto:andy () page55 com]
Sent: Sunday, September 19, 2004 10:21 PM
To: Jason; snort-users () list sourceforge net
Subject: RE: [Snort-users] E-mail alerting
Well, I've changed swatchrc.txt back to logging to /var/log/IDS-scans, but not seeing a difference.
started snort:
[root@tunes andy]# snort -c /etc/snort/snort.conf -l /var/log/IDS-scans
snort is actively logging.
started swatch:
[root@tunes andy]# swatch --config-file=/etc/swatchrc.txt
after emailing the first alert, even if I restart both snort and swatch, still nothing. I can only seem to get it to work 1 time if I reboot the box.
any other ideas?
Andy
-----Original Message-----
From: Jason [mailto:security () brvenik com]
Sent: Sunday, September 19, 2004 9:57 PM
To: Andy
Subject: Re: [Snort-users] E-mail alerting
could this be related to the change you made to the logging path?
Andy wrote:
Urr.. maybe not. Swatch seems to be working until it gets the first alert.
Upon getting the alert this message comes up:
*** swatch version 3.1.1 (pid:901) started at Sun Sep 19 19:34:12 CDT 2004
sh: /var/log/snort: Is a directory
after this, swatch does not send any more email alerts. Snort continues to log as normal.
Anybody?
Andy
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Andy
Sent: Sunday, September 19, 2004 6:20 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] E-mail alerting
OK, the mail issue is fixed. I needed to add "tunes.page55.com" to my relay_from_host list in the mail server's main config file.
AND Swatch works! Thanks to all who gave their input. This issue is officially closed!
Andy
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Andy
Sent: Saturday, September 18, 2004 10:36 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] E-mail alerting
I'm now thinking it may be a Mail problem, because I can't send a test message to the mailserver. I know this isn't the place for mail support, but just hoping someone would be able to give input either way by looking at my mail test:
---------------------------------------------------------------------------------
[andy@tunes andy]$ mail -iInv -s "testing" andy () page55 com
EOT
Null message body; hope that's ok
andy () page55 com... Connecting to mail.page55.com. via esmtp...
220 simon.page55.com ESMTP Exim 4.30 Sat, 18 Sep 2004 22:33:36 -0500
>>> EHLO tunes.page55.com
250-simon.page55.com Hello tunes.page55.com [192.168.1.1]
250-SIZE 52428800
250-PIPELINING
250 HELP
>>> MAIL From:<andy () tunes page55 com> SIZE=38
250 OK
>>> RCPT To:<andy () page55 com>
550-Verification failed for <andy () tunes page55 com>
550-Unrouteable address
550 Sender verify failed
>>> RSET
250 Reset OK
/home/andy/dead.letter... Saved message in /home/andy/dead.letter
Closing connection to mail.page55.com.
>>> QUIT
221 simon.page55.com closing connection
---------------------------------------------------------------------------------
FYI, I've never tried to send emails from this box before...
Thanks,
Andy
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Andy
Sent: Saturday, September 18, 2004 10:00 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] E-mail alerting
JUST SOME ADDITIONAL INFORMATION:
you wrote:
> I was busy with my work for past three days, I didn't even check snort list. Just now, I checked my mails, saw ur request. Well, I could not get into a conclusion, what might be the error. Send the line in ur script (ie, /root/.swatch_script.3238), where the error points out. I think, the mail-id was the problem for the error.
this is line 125 that was giving me the error before I removed the
ADDRESS portion of the mail command:
------------------------------------------------------------------------------------------
$swatch_last_flush = $swatch_time_now;
}
if (/Priority/) {
  &Swatch::Actions::send_email('ADDRESSES' => "andy\@page55.com", 'MESSAGE' => "$_", 'SUBJECT' => "--- Snort IDS Alert ---", );
  &Swatch::Actions::exec_command('MESSAGE' => "$_", 'COMMAND' => "echo $0 >> /var/log/snort", );
  next;
------------------------------------------------------------------------------------------
AND FYI, I DID verify that snort is actively logging .....
thanks,
Andy
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Andy
Sent: Saturday, September 18, 2004 9:34 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] E-mail alerting
Ok, I think I'm getting close.
In /etc/swatchrc.txt, I removed the ADDRESS part of the mail command, and swatch now runs, AND the /root/.swatch_script.1234 file is created and I can actually find it.
I get this:
*** swatch version 3.1.1 (pid:2009) started at Sat Sep 18 19:44:05 CDT 2004
To test, I did a port scan, and this popped up:
Invalid attribute name green_h at /usr/lib/perl5/site_perl/5.6.1/Swatch/Actions.pm line 58
I commented the "echo green_h" line out, and I don't get the "Invalid attribute name........" error anymore.
Still not getting email alerts however. Do I need the "echo green_h"? I would think not....
Next, I changed the logging path to /var/log/snort to match snort:
[root@tunes andy]# snort -c /etc/snort/snort.conf -l /var/log/snort
Running in IDS mode
Log directory = /var/log/snort
Still not getting email alerts however.
This is my current swatchrc file:
[root@tunes etc]# more swatchrc.txt
# Swatch configuration file
#
#
# swatch -c /etc/swatchrc -t /var/log/snort/alert
#
### Snort Alerts
## Watch for entries containing the word 'Priority' in the snort alert file.
## Display it in green on the screen
## Mail alert to alerts () yourdomain com with subject of the email
## being "----Snort IDS Alert----"
## Log in file /var/log/IDS-scans
watchfor /Priority/
  # echo green_h
  mail andy () page55 com ,subject=--- Snort IDS Alert ---
  exec echo $0 >> /var/log/snort
Any ideas, I've got to be sooooo close.....
Thanks,
Andy
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Andy
Sent: Saturday, September 18, 2004 8:01 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] E-mail alerting
Hi Prabu,
I cannot find this file. Locate does not find any files named swatch_script.*
Snort and Swatch are installed on the "tunes.page55.com" server, and the mailserver I want alerts to be sent to is another server called "page55.com"
Do I need a mail client running on Tunes? Sendmail is there by default. I'm not sure how it works, but I'm guessing that Snort would use the default email client to send an email...
Thank you for your reply, I wish I could get you the script info...
I will continue hunting .....
Andy
-----Original Message-----
From: prabu [mailto:prabu333 () hotpop com]
Sent: Tuesday, September 14, 2004 1:08 AM
To: Andy; snort-users () lists sourceforge net
Subject: Re: [Snort-users] E-mail alerting
Hi Andy,
I was busy with my work for past three days, I didn't even check snort list. Just now, I checked my mails, saw ur request. Well, I could not get into a conclusion, what might be the error. Send the line in ur script (ie, /root/.swatch_script.3238), where the error points out. I think, the mail-id was the problem for the error.
First, R u running snort on "page555" server or "tunes" server. What is the hostname of the machine, where u have installed Snort and Swatch.
See, u can send alerts to the useraccounts on the machine, where u have installed all that stuff. So change the email-id in the configuration file.
This would help U, I hope.
NOTE:
/root/.swatch_script.3238 ---- this is the script that is generated automatically, while running swatch.
Cheers,
Prabu.S
----- Original Message -----
From: Andy
To: prabu ; snort-users () lists sourceforge net
Sent: Monday, September 13, 2004 5:34 AM
Subject: RE: [Snort-users] E-mail alerting
Hi Prabu,
Excellent post, it prompted me to check out swatch. I had to install the CPAN mods and the only thing different was that I had to install Time-HiRes-1.63 instead of Time-HiRes-1.59
They all installed ok.
I'm trying to get swatch to read the config file. I followed the directions, but I'm getting an error:
[root@tunes etc]# swatch --config-file=/etc/swatchrc.txt
Global symbol "@page55" requires explicit package name at /root/.swatch_script.3238 line 125.
Execution of /root/.swatch_script.3238 aborted due to compilation errors.
I put the config file in /etc and copied it exactly from below, except of course I inserted my own email address.
Do you know what this error means?
What is the meaning of the line: /root/.swatch_script.3238 line 125. (specifically the /root/ part.)
Thanks,
Drew
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of prabu
Sent: Saturday, September 04, 2004 12:30 AM
To: snort-users () lists sourceforge net; Carlos M Ospina
Subject: Re: [Snort-users] E-mail alerting
Hello Carlos,
You can use Swatch to get email alerts from Snort.
Installing Swatch is just child's play, very easy. I have given below the necessary steps to configure Swatch.
Hope this will be useful. If you have any queries, you can write to me.
Prabu.S
########################################################################################################################
CONFIGURATION STEPS TO SEND SNORT ALERTS AS E-MAIL:
To receive Snort alerts as E-mail, one can follow the following steps:
Swatch is the widely used open source tool to enable E-mail alerts in Snort. Swatch is a utility that monitors system log files, filters out unwanted data and takes specified actions (i.e., sending email, executing a script, etc.) based upon what it finds in the log files.
So I have used Swatch to configure snort to send the alerts as E-mail.
NOTE:
Here, it is considered that snort has already been installed on the host on which this is to be tested.
[a] Swatch installation:
Download the swatch package, from
http://sourceforge.net/project/showfiles.php?group_id=68627
To install, simply issue the following commands:
perl Makefile.PL
make
make test
make install
make realclean
Swatch installs just like a CPAN module. If you are not familiar with this process then you may want to read about it by issuing the command:
man ExtUtils::MakeMaker
Use the perldoc command if your man cannot find the document.
If you see messages like these:
Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.
Then you need to install the CPAN module(s) that it doesn't find, before you can use swatch.
You can find these modules at http://search.cpan.org/.
One must download the following perl modules from the site search.cpan.org:
1.Bit-Vector-6.3
2.Date-Calc-5.3
3.DateManip-5.42a
4.File-Tail-0.98
5.Time-HiRes-1.59
6.TimeDate-1.16
To install these perl modules, one can follow the same steps as said for Swatch. They are:
perl Makefile.PL
make
make test
make install
make realclean
The Swatch binary will be installed in the /opt/perl/bin/ directory.
Then create the swatch configuration file.
cat /etc/swatchrc.txt
==========================================================
# Swatch configuration file
#
#
# swatch -c /etc/swatchrc -t /var/log/snort/alert
#
### Snort Alerts
## Watch for entries containing the word 'Priority' in the snort alert file.
## Display it in green on the screen
## Mail alert to alerts () yourdomain com with subject of the email
## being "----Snort IDS Alert----"
## Log in file /var/log/IDS-scans
watchfor /Priority/
  echo green_h
  mail addresses=youruseraccount () yourdomain com,subject=--- Snort IDS Alert ---
  exec echo $0 >> /var/log/IDS-scans
============================================================
THE FINAL STEPS:
[a] Start Snort in NIDS mode:
#./snort -c /snort/iexpress/snort/etc/snort.conf -l /var/log/snort
[b] Start swatch:
cd /opt/perl/bin
#./swatch --config-file=/etc/swatchrc.txt
[c] Using Outlook Express:
configure the User's POP3 account and you can receive the emails sent by Swatch for each alert based on the pattern matching the "watchfor"
##########################################################################################################
Cheers,
Prabu.S
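As an added illustration (not code from this thread or from swatch itself), here is a small Python model of the watchfor/mail/exec pipeline in Prabu's steps: it parses a swatchrc of that shape, builds the alert e-mail for each Snort line matching the watchfor pattern, and checks the exec target instead of running it, which is how the "Is a directory" failure later in this thread is tripped. The swatchrc, the address and the alert lines are constructed samples.

```python
import os, re
from email.message import EmailMessage
SWATCHRC = """# constructed swatchrc, shaped like the thread's (addresses=..., subject=...)
watchfor /Priority/
  mail addresses=alerts@example.com,subject=--- Snort IDS Alert ---
  exec echo $0 >> /var/log/IDS-scans
"""
ALERTS = [  # constructed Snort alert lines; only the first carries a Priority field
    "[**] [1:1418:11] SNMP request tcp [**] [Priority: 2] {TCP} 192.168.1.50:4321 -> 192.168.1.1:161",
    "[**] [1:2000:1] Test event [**] {UDP} 10.0.0.1:53 -> 10.0.0.2:53",
]

def parse_swatchrc(text):
    """Parse the 'watchfor /regex/' (regex without slashes) plus indented-action subset of swatchrc."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out actions such as '# echo green_h' are skipped
        if line.startswith("watchfor"):
            current = {"pattern": re.compile(line.split("/")[1]), "actions": []}
            rules.append(current)
        elif current is not None:
            current["actions"].append(line.partition(" ")[::2])  # (kind, argument)
    return rules

def mail_action(arg, body):
    """Build (without sending) the message swatch's mail action would hand to sendmail."""
    opts = dict(kv.split("=", 1) for kv in arg.split(","))
    msg = EmailMessage()
    msg["To"], msg["Subject"] = opts["addresses"], opts.get("subject", "swatch alert")
    msg.set_content(body)
    return msg

def exec_action(arg, line):
    """Check an 'exec ... >> path' action instead of running it; appending to a directory is the thread's failure."""
    cmd = arg.replace("$0", line)  # swatch substitutes the whole matched line for $0
    if (t := re.search(r">>\s*(\S+)", cmd)) and os.path.isdir(t.group(1)):
        return ("error", t.group(1) + ": Is a directory")
    return ("ok", cmd)

def run(rules, lines):
    """Return the (kind, result) pairs each matching alert line would trigger."""
    handlers = {"mail": mail_action, "exec": exec_action}
    out = []
    for line in lines:
        for rule in rules:
            if rule["pattern"].search(line):
                out += [(k, handlers[k](a, line)) for k, a in rule["actions"] if k in handlers]
    return out
```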
----- Original Message -----
From: Carlos M Ospina
To: snort-users () lists sourceforge net
Sent: Friday, September 03, 2004 7:08 PM
Subject: [Snort-users] E-mail alerting
Is there any way to configure, with acid, automatic alerts by e-mail? Is there any manual about that?
Thanks in advance.
