This is a discussion on Re: [Snort-users] Snort auotmatic email alert. within the Snort forums, part of the System Security and Security Related category.
On Fri, 2004-08-06 at 19:23, Erik Fichtner wrote:
> My god.. another notification tool that's wrapped all up in MySQL.
> Don't make this harder than it needs to be.

heh... I agree. Below is what I use for email alerts. It goes through all /var/log/*snort* directories (if you have more than one instance of snort running), but you may need to adjust the path or filter name. Also, make sure you have:

    output log_ascii:

in your snort.conf and that you run it with "-l /var/log/snort-something -d" (the application layer dump comes in really handy). Further, replace mailsubj with sendmail or whatever else you use. I suggest using cron to run this every minute.

Regards,
Frank

---8<---
#! /bin/sh
# Lock so two cron runs do not mail and delete the same files at once.
if [ -e /var/run/mailsnort ]; then
    echo "MailSnort already running... skipping this instance..."
    exit 0
fi
touch /var/run/mailsnort
# Remove the lock on any exit, so a killed run does not block every later one.
trap 'rm -f /var/run/mailsnort' EXIT
trap 'exit 1' INT TERM

for logdir in /var/log/*snort*; do
    [ -d "$logdir" ] || continue
    # Only descend into directories; alert.ids and any other plain file in the
    # -l directory is skipped. A failed "cd" would otherwise leave the loop
    # mailing and deleting files in the parent directory.
    for dir in "$logdir"/*; do
        [ -d "$dir" ] || continue
        echo "Sending ${dir##*/}"
        for file in "$dir"/*; do
            [ -f "$file" ] || continue
            # Delete the file only after it was handed to the mailer successfully.
            mailsubj "${logdir##*/}: ${dir##*/} - ${file##*/}" your@address.here.com < "$file" && rm -f "$file"
        done
        rmdir "$dir" 2> /dev/null
    done
done
--->8---

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
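A variation on the approach in Frank's post, added here as an example and not part of the original message or of Snort. It keeps the idea (cron walks the -l directories and mails each logged packet dump, deleting it afterwards) but changes three things a practitioner runs into with the one-mail-per-file version: a single port scan produces thousands of packet files, so each instance gets one digest per run instead of one mail per file; the lock is taken with mkdir, which is atomic, instead of a "test then touch" pair that two overlapping cron runs can both pass; and a file is only deleted once it has been quoted into a digest, so a mail failure or the per-run cap never discards evidence. The directory layout it assumes is Snort's ascii logging: one file per session under a subdirectory named after the remote address, with the top-level "alert" file left alone. MAILER, MAILTO, LOCKDIR and MAX_FILES are placeholders; "sendmail -t" is assumed to read the recipient from the To: header the script writes.

```shell
#!/bin/sh
# Added example (not Frank's script): one digest mail per Snort instance per
# cron run. Assumed layout: each LOGROOT/*snort*/ directory is a Snort -l
# directory whose ascii logger writes one file per session under a
# subdirectory named after the remote address; any top-level "alert" file is
# left alone.

# MAILER reads a complete message (To/Subject headers, blank line, body) on
# stdin; "sendmail -t" fits that. MAILTO, LOCKDIR and MAX_FILES are placeholders.
: "${MAILER:=sendmail -t}"
: "${MAILTO:=your@address.here.com}"
: "${LOCKDIR:=/var/run}"
: "${MAX_FILES:=50}"   # packet files quoted per digest; the rest wait for the next run

# mailsnort_digest LOGROOT -> prints the number of packet files mailed and deleted
mailsnort_digest() {
    logroot=$1
    lock="$LOCKDIR/mailsnort.lock"
    # mkdir is atomic, so two overlapping cron runs cannot both take the lock
    # (a "test -e, then touch" pair has a window in which both succeed).
    if ! mkdir "$lock" 2>/dev/null; then
        echo "mailsnort already running, skipping this run" >&2
        echo 0
        return 0
    fi
    trap 'rmdir "$lock" 2>/dev/null || :' EXIT   # never leave a stale lock behind
    trap 'exit 1' INT TERM                        # a signal ends up in the EXIT trap

    total=0
    for instdir in "$logroot"/*snort*/; do
        [ -d "$instdir" ] || continue              # an unmatched glob stays literal
        instdir=${instdir%/}
        inst=${instdir##*/}
        msg=$(mktemp) || return 1
        printf 'To: %s\nSubject: [snort] %s: new packet logs\n\n' "$MAILTO" "$inst" >"$msg"
        count=0
        quoted=0
        for addrdir in "$instdir"/*/; do           # directories only: "alert" is a file
            [ -d "$addrdir" ] || continue
            addrdir=${addrdir%/}
            for f in "$addrdir"/*; do
                [ -f "$f" ] || continue
                count=$((count + 1))
                if [ "$quoted" -lt "$MAX_FILES" ]; then
                    quoted=$((quoted + 1))
                    printf '\n===== %s/%s =====\n' "${addrdir##*/}" "${f##*/}" >>"$msg"
                    cat "$f" >>"$msg"
                    rm -f "$f"                     # delete only what was quoted
                fi
            done
            rmdir "$addrdir" 2>/dev/null || :      # fails harmlessly while files are pending
        done
        if [ "$quoted" -gt 0 ]; then
            if [ "$count" -gt "$quoted" ]; then
                printf '\n%d more file(s) pending; they go in the next run\n' "$((count - quoted))" >>"$msg"
            fi
            $MAILER <"$msg"
            total=$((total + quoted))
        fi
        rm -f "$msg"
    done

    rmdir "$lock" 2>/dev/null || :
    trap - EXIT INT TERM
    echo "$total"
}

# From cron, once a minute, as in the original post:
# * * * * *  /usr/local/sbin/mailsnort_digest.sh /var/log
# where the script's last line would be:  mailsnort_digest "$1"
```

The function prints how many files it mailed so a cron wrapper can log it. Files beyond MAX_FILES are left in place and counted in the digest footer, so a scan that produces thousands of session files drains at a bounded rate instead of flooding the mailbox, and nothing is deleted that was never sent.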