Re: Snort auotmatic email alert.

[Frank Knobbe <frank () knobbe us>]

On Fri, 2004-08-06 at 19:23, Erik Fichtner wrote:
> My god.. another notification tool that's wrapped all up in MySQL.
> Don't make this harder than it needs to be.

heh... I agree. Below is what I use for email alerts. It goes through
all /var/log/*snort* directories (if you have more than one instance of
snort running), but you may need to adjust path or filter name. Also,
make sure you have:
  output log_ascii:
in your snort.conf and that you run it with "-l /var/log/snort-something
-d" (application layer dump comes in really handy.
Further replace mailsubj with sendmail or whatever else you use.

I suggest using cron to run this every minute.

Regards,
Frank

---8<---

#! /bin/sh

if [ -e /var/run/mailsnort ];then
   echo MailSnort already running... skipping this instance...
   exit 0
fi
touch /var/run/mailsnort
for logdir in `ls /var/log | grep snort`;do
   cd /var/log/$logdir
   for dir in `ls | grep -v alert.ids`;do
      cd $dir
      echo Sending $dir
      for file in `ls`;do
         cat $file | mailsubj "$logdir:  $dir  -  $file"
your () address here com
         rm $file
      done
      cd ..
      rmdir $dir 2> /dev/null
   done
done
rm /var/run/mailsnort

--->8---

Attachment: signature.asc
Description: This is a digitally signed message part