RE: [Snort-users] Snort automatic email alert. (Snort forums, System Security and Security Related category)
Hmmm... At the risk of "making this more complicated" you might consider
"swatch" by Todd Atkins. It allows a bit of flexibility in what gets sent
and how often (i.e. it wouldn't send 5000 messages in 1 minute, but could
send a "saw this 5000 times in 1 minute" email). It works by tailing the
snort (or any other) log file and uses simple expressions to determine what
action (email, command, etc.) to run.

Later,
Jim

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Frank Knobbe
Sent: Sunday, August 08, 2004 7:24 PM
To: Lyndon Tiu; snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Snort automatic email alert.

On Fri, 2004-08-06 at 19:23, Erik Fichtner wrote:
> My god.. another notification tool that's wrapped all up in MySQL.
> Don't make this harder than it needs to be.

heh... I agree. Below is what I use for email alerts. It goes through all
/var/log/*snort* directories (if you have more than one instance of snort
running), but you may need to adjust the path or filter name. Also, make
sure you have:

output log_ascii:

in your snort.conf and that you run it with "-l /var/log/snort-something -d"
(the application layer dump comes in really handy). Further, replace mailsubj
with sendmail or whatever else you use. I suggest using cron to run this
every minute.

Regards,
Frank

---8<---
#! /bin/sh
# Run from cron every minute: mails every log_ascii capture under
# /var/log/*snort*/<host>/ and deletes it once it has been sent.

# mkdir is atomic, so two overlapping cron runs cannot both get past this check.
if ! mkdir /var/run/mailsnort 2>/dev/null; then
    echo "MailSnort already running... skipping this instance..."
    exit 0
fi
# Drop the lock however the script ends, so a killed run does not block later ones.
trap 'rmdir /var/run/mailsnort' EXIT

for logdir in /var/log/*snort*; do
    [ -d "$logdir" ] || continue
    cd "$logdir" || continue
    # Each sub-directory holds one source host's packet dumps;
    # alert.ids and any other plain files are skipped by the -d test.
    for dir in *; do
        [ -d "$dir" ] || continue
        echo "Sending $dir"
        for file in "$dir"/*; do
            [ -f "$file" ] || continue
            # Only delete the capture after the mail command succeeded.
            mailsubj "$(basename "$logdir"): $dir - $(basename "$file")" your@address.here.com < "$file" && rm "$file"
        done
        rmdir "$dir" 2>/dev/null
    done
done
--->8---
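Jim's point about swatch is that an alert mailer should collapse a flood into one "saw this N times" message instead of one mail per hit, and Frank's script is meant to run from cron once a minute. The following is an added example, not code from either poster or from the Snort project, that combines the two ideas: it takes one cron interval's worth of lines in Snort's one-line alert_fast format (the regex assumes the Snort 2.x layout and IPv4 endpoints), mails quiet signatures one alert at a time, and collapses any signature seen more than a threshold number of times into a single summary. The signature names, sids and addresses in the sample input are constructed for the example; the `mailsubj`/`sendmail` step is stood in for by `print`.

```python
import re
from collections import defaultdict

# Matches Snort's one-line "alert_fast" output (assumption: Snort 2.x layout).
# The classification/priority text after the second [**] is matched loosely.
FAST_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$'
)

# Constructed sample input: one quiet signature, one noisy one (7 hits), one junk line.
# Signature names, sids and addresses are made up for this example.
SAMPLE_ALERTS = """\
08/08-19:24:01.000001  [**] [1:1000001:1] CONSTRUCTED test signature [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:41234 -> 192.0.2.80:80
08/08-19:24:02.000001  [**] [1:1000002:1] CONSTRUCTED noisy signature [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.1:1434 -> 192.0.2.5:1434
08/08-19:24:03.000001  [**] [1:1000002:1] CONSTRUCTED noisy signature [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.2:1434 -> 192.0.2.5:1434
08/08-19:24:04.000001  [**] [1:1000002:1] CONSTRUCTED noisy signature [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.3:1434 -> 192.0.2.6:1434
08/08-19:24:05.000001  [**] [1:1000002:1] CONSTRUCTED noisy signature [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.1:1435 -> 192.0.2.5:1434
08/08-19:24:06.000001  [**] [1:1000002:1] CONSTRUCTED noisy signature [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.4:1434 -> 192.0.2.6:1434
08/08-19:24:07.000001  [**] [1:1000002:1] CONSTRUCTED noisy signature [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.2:1436 -> 192.0.2.5:1434
08/08-19:24:08.000001  [**] [1:1000002:1] CONSTRUCTED noisy signature [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.1:1434 -> 192.0.2.5:1434
this line is not an alert and must be counted as skipped
"""


def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields['raw'] = line.strip()
    return fields


def host_of(endpoint):
    """Strip the :port from an 'addr:port' endpoint (assumption: IPv4 only)."""
    return endpoint.rsplit(':', 1)[0]


def batch_messages(lines, threshold=5):
    """Turn one cron interval's alert lines into (subject, body) mail messages.

    Signatures seen at most `threshold` times get one message per alert; anything
    noisier is collapsed into a single "seen N times" summary, so a worm outbreak
    produces one mail instead of thousands. Returns (messages, skipped_line_count).
    """
    buckets = defaultdict(list)
    skipped = 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            skipped += 1          # junk in the log is counted, not silently dropped
            continue
        buckets[(alert['gid'], alert['sid'])].append(alert)

    messages = []
    for (gid, sid), alerts in sorted(buckets.items()):
        msg = alerts[0]['msg']
        if len(alerts) <= threshold:
            # Quiet signature: one mail per alert, the raw log line as the body.
            for a in alerts:
                messages.append((f"snort: {msg} {a['src']} -> {a['dst']}", a['raw']))
            continue
        # Noisy signature: one summary with counts and a few sample lines.
        srcs = {host_of(a['src']) for a in alerts}
        dsts = {host_of(a['dst']) for a in alerts}
        subject = (f"snort: {msg} seen {len(alerts)} times "
                   f"({alerts[0]['ts']} .. {alerts[-1]['ts']})")
        body = (f"{len(alerts)} alerts for [{gid}:{sid}] {msg}\n"
                f"{len(srcs)} distinct source hosts, {len(dsts)} distinct destination hosts\n"
                "first three raw lines:\n" + "\n".join(a['raw'] for a in alerts[:3]) + "\n")
        messages.append((subject, body))
    return messages, skipped


if __name__ == '__main__':
    # Stand-in for mailsubj/sendmail: print what would be mailed this interval.
    msgs, skipped = batch_messages(SAMPLE_ALERTS.splitlines())
    for subject, body in msgs:
        print("Subject:", subject)
        print(body)
    print(f"({skipped} unparsable line(s) ignored)")
```

To use it the way Frank uses his script, feed it only the lines appended to the alert file since the previous run (for example by remembering the byte offset between cron runs) and replace the `print` calls with whatever mail command is in use; the threshold is the knob that decides when "one mail per alert" turns into "one summary per signature".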