This is a discussion on RE: [Snort-users] mail notification within the Snort forums, part of the System Security and Security Related category.
I'm currently working on something similar, although my intention is to do daily reports, but I'm doing it entirely outside snort with perl and shell scripts. The reason for the daily report is that I'm working with the bleeding-snort malware rules for identifying spyware, which has less urgency than a genuine break-in. Depending on what you've got in mind, I'll offer what I'm doing as a starting point, but here are the basics.

1) Decide if you want periodic or event-driven notification. For periodic, set up the job to run with anacron/vixie-cron/cron/whatever, and stop snort, rename the alert file to one with a time-stamp as part of the name, and then restart snort. If you don't want to risk missing something by stopping snort, you can probably (meaning I haven't tried it yet) just make a copy of the current alert file, and diff it with its predecessor to pick up only the most recent stuff.

2) If you want event-driven notification within snort, I'm clueless, but someone else may be able to provide that. Off the top of my head, you could do the diff trick on a tight schedule.

3) Parse out the alert to ID if it's something you care about. I started with the parsing code from snortsnarf (by Stuart Staniford-Chen) and added a bit more (alert fields have expanded since he first wrote that code), and also dropped off stuff that I don't care about.

4) Email (with mailx) the resulting report.

If you want copies of what I'm working on, please reply privately, as I'm still working on putting it together.

Hope that helps,
Bob

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Jimmy Hayes
Sent: Tuesday, December 21, 2004 9:37 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] mail notification

Hello

I just finished installing snort Version 2.2.0 (Build 30) with mysql database and ACID. My question is, I can see some alerts by going to my ACID site, but is there a way or an option on snort so that it can e-mail me when an alert is triggered?

I tried looking in the manual but didn't find anything.

Thanks
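The periodic report Bob sketches above (pick up only the new alerts, parse them, mail them with mailx), as an added shell example that is not code from this thread. It records the byte offset it last read instead of stopping snort or diffing copies of the alert file, so the file is never renamed or truncated; the alert path, the state-file path, the mailx call and the sample alerts are assumptions.

```shell
# Added example, not from the thread: mail only the alerts appended to Snort's
# "full" alert file since the last run, without stopping Snort or diffing copies.
# Paths, the mailx call and the sample alerts below are assumptions.
ALERT_FILE="${ALERT_FILE:-/var/log/snort/alert}"
STATE_FILE="${STATE_FILE:-/var/tmp/snort-report.offset}"
# Print bytes appended since the saved offset, then advance it. A file smaller
# than the offset has been rotated, so read it from the start.
new_alerts() {
    size=$(wc -c < "$ALERT_FILE" | tr -d ' ')
    off=$(cat "$STATE_FILE" 2>/dev/null || echo 0)
    [ "$size" -lt "$off" ] && off=0
    tail -c +$((off + 1)) "$ALERT_FILE"
    echo "$size" > "$STATE_FILE"
}
# One line per signature: hits, distinct source hosts, signature. A block opens
# with "[**] [gid:sid:rev] msg [**]"; the "date src -> dst" line follows it.
summarize_alerts() {
    awk '
      /^\[\*\*\]/ { sig = $0; sub(/^\[\*\*\] /, "", sig); sub(/ \[\*\*\]$/, "", sig); next }
      /^[0-9][0-9]\/[0-9][0-9](\/[0-9]+)?-/ && sig != "" {
          split($2, s, ":"); hits[sig]++; src[sig SUBSEP s[1]] = 1; sig = ""
      }
      END {
          for (k in src) { split(k, p, SUBSEP); hosts[p[1]]++ }
          for (k in hits) printf "%d hits from %d hosts: %s\n", hits[k], hosts[k], k
      }' | sort -rn
}
# Mail the report when MAIL_TO is set, otherwise print it; skip empty reports.
send_report() {
    body=$(new_alerts | summarize_alerts)
    [ -n "$body" ] || return 0
    if [ -n "${MAIL_TO:-}" ]; then
        printf '%s\n' "$body" | mailx -s "Snort report $(date +%F)" "$MAIL_TO"
    else
        printf '%s\n' "$body"
    fi
}
# Constructed sample alerts (local-rule SIDs, private addresses) for a dry run.
write_sample_alerts() {
    cat > "$1" <<'EOF'
[**] [1:1000001:1] LOCAL MALWARE Example spyware check-in [**]
[Classification: A Network Trojan was detected] [Priority: 1]
12/21-09:37:12.123456 192.168.1.50:1042 -> 10.0.0.5:80
[**] [1:1000001:1] LOCAL MALWARE Example spyware check-in [**]
12/21-09:38:02.000001 192.168.1.51:1100 -> 10.0.0.5:80
[**] [1:1000002:1] LOCAL ICMP Example ping sweep [**]
12/21-09:39:00.000002 192.168.1.50 -> 10.0.0.9
EOF
}
```

Run it from cron with MAIL_TO set to get the daily mail; a second run with nothing appended sends no message at all.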