[Snort-users] How to enable mail notification?


Glenn E. Bailey III

Jan 23, 2002, 11:24:40 AM
Here is a quick and really dirty script I run, you have
to set up snort to log via syslog and set up syslog to log
snort alerts to a separate file .. Only good if you have
a small site really, and like I said, it's dirty:

#!/usr/bin/perl
# Mail the syslog-written snort alert file, note that we did so, then
# rotate the file and tell syslogd to reopen its logs.

use strict;
use warnings;

my $snort_log     = '/var/log/snort.log';        # location of snort.log generated by syslog
my $snort_log_old = '/var/log/snort/old/snort';  # path to dir where to store old logs
my $notify_log    = '/var/log/snort/notify.log'; # path to log where to log notifications
my $email         = 'your...@blah.com';          # guess what this is ;-)

# Nothing to do if the alert file cannot be opened or is empty
open(my $snort_fh, '<', $snort_log) or exit();
if (! <$snort_fh>) {
    close($snort_fh);
    exit();
}
close($snort_fh);

# Mail the whole alert file as the message body; do not rotate it if this fails
system("mail $email -s \"Snort alert\" < $snort_log") == 0
    or die "mail to $email failed: $?\n";

# Record the notification
open(my $notify_fh, '>>', $notify_log) or die "cannot open $notify_log: $!\n";
my $localtime = localtime();
print $notify_fh "$localtime - Alert sent to $email\n";
close($notify_fh);

# Rotate the alert file and HUP syslogd so it reopens (and recreates) snort.log
my $time = time();
system("mv $snort_log $snort_log_old.$time");
system("kill -SIGHUP \`cat /var/run/syslogd.pid\`");
exit();

-----Original Message-----
From: snort-us...@lists.sourceforge.net
[mailto:snort-us...@lists.sourceforge.net]On Behalf Of Erek Adams
Sent: Wednesday, January 23, 2002 9:50 AM
To: My Security
Cc: snort...@lists.sourceforge.net
Subject: Re: [Snort-users] How to enable mail notication?


On Wed, 23 Jan 2002, My Security wrote:

> I would like to enable sending mail if there is alert
> on my email address.
>
> How will I be able to configure this option to the
> snort.conf.

You can't.

http://www.snort.org/docs/faq.html#5.7

Also read the users manual from the Documentation page. The rest of the FAQ
won't hurt either....

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


My Security

Jan 23, 2002, 1:12:14 PM
Thanks for your feedback. I will try this later on.

--- Matt Kettler <mket...@evi-inc.com> wrote:
>
> from the snort FAQ:
> -----------
> 5.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
>
> Q: How do I get snort to e-mail me alerts?
> A: Log to syslog and use swatch or logcheck.
> -----------
>
> See FAQ 5.9 for why doing computationally expensive things in the logging
> chain of snort creates security holes. (It is about invoking processes in
> the log chain, but I suspect doing an SMTP client in the log chain is pretty
> bad too, for the very same reasons.)
>
>
> At 06:58 AM 1/23/2002 -0800, My Security wrote:
> >Hi there!
> >
> >I would like to enable sending mail if there is alert
> >on my email address.
> >
> >How will I be able to configure this option to the
> >snort.conf.
> >
> >Thanks in advance.
>


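As an added example, not code from the thread: a Python version of the approach Glenn's script takes (syslog writes snort alerts to a separate file; a cron job mails the file, archives it and HUPs syslogd), written to respect the FAQ point Matt quotes. The mailer runs out of band from cron, never in snort's own logging chain, so a slow or failing SMTP step cannot stall the sensor. It also fixes an ordering problem in the original: the live file is renamed aside first and only the rotated copy is mailed, so alerts appended while the mail is being built land in the next run instead of being archived unread. The alert-line shape is the one written by snort's `alert_syslog` output as assumed here, and the hostnames, addresses, local-range SIDs, signature names and paths in the sample are constructed for the example; the `send` callback is a stand-in for whatever mail transport you use.

```python
"""Out-of-band snort alert mailer (added example, not from the thread)."""
import os
import re
import signal
import tempfile
import time
from collections import Counter

# Shape of a syslog line written by snort's alert_syslog output, as assumed here:
#   <date> <host> snort[<pid>]: [gid:sid:rev] <msg> [Classification: <c>] [Priority: <p>]: {<proto>} <src> -> <dst>
ALERT_RE = re.compile(
    r"snort(?:\[\d+\])?: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)"
)

SAMPLE_LINES = [  # constructed sample lines, not captured traffic; SIDs are in the local range
    "Jan 23 09:49:12 ids snort[1234]: [1:1000001:1] LOCAL portscan probe "
    "[Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.0.0.5:4321 -> 10.0.0.1:80",
    "Jan 23 09:49:13 ids snort[1234]: [1:1000001:1] LOCAL portscan probe "
    "[Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.0.0.5:4322 -> 10.0.0.1:443",
    "Jan 23 09:50:01 ids snort[1234]: [1:1000002:1] LOCAL web exploit attempt "
    "[Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.7:1025 -> 10.0.0.1:80",
    "Jan 23 09:50:02 ids cron[77]: (root) CMD (/usr/local/sbin/snortmail)",  # unrelated line in the same file
]


def parse_alerts(lines):
    """Return one dict per line that matches the snort syslog alert format; skip the rest."""
    alerts = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            a = m.groupdict()
            a["prio"] = int(a["prio"])
            alerts.append(a)
    return alerts


def summarize(alerts):
    """Build (subject, body): alert count, most severe priority, and a count per signature."""
    if not alerts:
        return "Snort alert", "(no lines matched the snort syslog alert format)"
    top = min(a["prio"] for a in alerts)            # priority 1 is the most severe
    per_sig = Counter(a["msg"] for a in alerts)
    subject = f"Snort: {len(alerts)} alert(s), top priority {top}"
    body = "\n".join(f"{n:4d}  {sig}" for sig, n in per_sig.most_common())
    return subject, body


def rotate_alert_file(alert_path, archive_dir, now):
    """Move the live alert file aside with a single rename; None if it is absent or empty."""
    if not os.path.isfile(alert_path) or os.path.getsize(alert_path) == 0:
        return None
    os.makedirs(archive_dir, exist_ok=True)
    rotated = os.path.join(archive_dir, f"snort.{int(now)}")
    os.rename(alert_path, rotated)                  # atomic when both are on one filesystem
    return rotated


def hup_syslogd(pidfile):
    """Ask syslogd to reopen its files so a fresh alert file appears; False if no daemon is found."""
    try:
        with open(pidfile) as f:
            os.kill(int(f.read().strip()), signal.SIGHUP)
        return True
    except (OSError, ValueError):
        return False


def notify(alert_path, archive_dir, notify_log, send, pidfile, now=None):
    """Rotate first, then mail the rotated copy, so lines written meanwhile wait for the next run."""
    now = time.time() if now is None else now
    rotated = rotate_alert_file(alert_path, archive_dir, now)
    if rotated is None:
        return None                                  # nothing to report this run
    hup_syslogd(pidfile)
    with open(rotated) as f:
        raw = f.read()
    alerts = parse_alerts(raw.splitlines())
    subject, body = summarize(alerts)
    send(subject, body + "\n\n" + raw)               # summary on top, raw lines underneath
    with open(notify_log, "a") as f:
        f.write(f"{time.ctime(now)} - {len(alerts)} alert(s) mailed, archived as {rotated}\n")
    return {"rotated": rotated, "alerts": len(alerts), "subject": subject}


def demo(base_dir=None):
    """Run the pipeline twice on the constructed sample in a scratch dir with a fake sender."""
    base = base_dir or tempfile.mkdtemp(prefix="snortmail-")
    alert_path = os.path.join(base, "snort.log")
    with open(alert_path, "w") as f:
        f.write("\n".join(SAMPLE_LINES) + "\n")
    sent = []
    fake_send = lambda subject, body: sent.append((subject, body))
    args = (alert_path, os.path.join(base, "old"), os.path.join(base, "notify.log"))
    pidfile = os.path.join(base, "no-syslogd.pid")  # absent on purpose: no daemon to signal
    first = notify(*args, send=fake_send, pidfile=pidfile, now=1011800000)
    second = notify(*args, send=fake_send, pidfile=pidfile, now=1011800060)  # file is gone now
    return {"first": first, "second": second, "sent": sent,
            "live_file_exists": os.path.exists(alert_path)}


if __name__ == "__main__":
    r = demo()
    print(r["first"]["subject"])
    print(r["sent"][0][1])
```

In production `send` would hand the subject and body to a real transport (for example an `smtplib` client or a `mail` pipe) and the script would run from cron; keeping the sender injectable is what lets the `demo` function exercise the whole rotate-then-mail path without a mail server. The second `notify` call returning `None` shows the quiet case: after rotation the live file no longer exists, so a run with no new alerts sends nothing.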

Michael Aylor

Jan 23, 2002, 8:38:22 PM
This is fantastic, been meaning to figure out how to do this...

Can you provide a glimpse of what your syslog.conf file looks like?


Mike
