How do I enable email notifications on specific SNORT signatures?


John Smith

Apr 11, 2012, 2:00:27 AM
to security-onion
There are just a few signatures for which I want to receive email
notifications, but I don't know how to do it.

Doug Burks

Apr 11, 2012, 7:30:29 AM
to securit...@googlegroups.com
Hi John,

There should be an example of this in:
/etc/nsm/securityonion/sguild.email

For more information, please see:

Hope that helps!

Thanks,
Doug

On Wednesday, April 11, 2012, John Smith wrote:
There are just a few signatures for which I want to receive email
notifications, but I don't know how to do it.


--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012

John Smith

Apr 11, 2012, 12:32:11 PM
to securit...@googlegroups.com
I looked into the classification.config and saw this:

config classification: shellcode-detect,Executable code was detected,1

so that makes "shellcode-detect" a priority 1, and with sguild.email I can generate an email.

In my scenario, do I just need to classify my signatures with priority 10 and set sguild.email to email only when priority=10?

Also, where can I get the shortname and short description of each signature?

Thanks a lot for having dedicated your time to this. I come from a VoIP background, but I think I am getting hooked on security...

Doug Burks

Apr 11, 2012, 1:26:16 PM
to securit...@googlegroups.com
Hi John,

You can configure email based on classification or priority, but note
that you can also configure email based on the SID of an individual
signature. Here's the relevant excerpt from the end of
/etc/nsm/securityonion/sguild.email:

# EMAIL_ENABLE_SIDS: A list of snort IDS (sids) that you want to enable, but are NOT
# included in EMAIL_CLASSES. NOTE: This overrides EMAIL_DISABLE_SIDS.
# 0=none
set EMAIL_ENABLE_SIDS "1000003"

You can add in the SID from any downloaded rule
(/etc/nsm/rules/downloaded.rules) or any rules you have manually added
to /etc/nsm/rules/local.rules.

Hope that helps!

Thanks,
Doug
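The thread covers two files: classification.config, whose `config classification: shortname,short description,priority` lines are where the short name, description and default priority of each classtype come from, and sguild.email, whose EMAIL_* settings decide which alerts are mailed. The script below is an added example (not part of the thread and not Security Onion's or Sguil's own code) that parses constructed excerpts of both files and works out which sample alerts would trigger an email. It assumes sguild.email uses Tcl-style `set NAME "value"` lines for EMAIL_EVENTS, EMAIL_CLASSES, EMAIL_PRIORITIES, EMAIL_DISABLE_SIDS and EMAIL_ENABLE_SIDS, and that the precedence is the one the file's comments describe (EMAIL_ENABLE_SIDS overrides EMAIL_DISABLE_SIDS, which otherwise overrides a class or priority match); the exact order sguild itself applies should be checked against the file on your sensor.

```python
"""Work out which Snort alerts Sguil would email, from sguild.email settings.

Added example, not code from the thread or from Security Onion / Sguil.
Assumptions: sguild.email uses Tcl `set NAME "value"` lines, a value of
"0" means "none", and ENABLE_SIDS > DISABLE_SIDS > class/priority match.
All config excerpts and alerts below are constructed for the example.
"""
import re

# Constructed excerpt in the style of /etc/nsm/securityonion/sguild.email
SGUILD_EMAIL = """
set EMAIL_EVENTS 1
# Class names are the shortnames from classification.config
set EMAIL_CLASSES "shellcode-detect trojan-activity"
# 0=none
set EMAIL_PRIORITIES "10"
set EMAIL_DISABLE_SIDS "2000002"
set EMAIL_ENABLE_SIDS "1000003 1000004"
"""

# Constructed excerpt in the style of Snort's classification.config
# (format: config classification: shortname,short description,priority)
CLASSIFICATION_CONFIG = """
config classification: shellcode-detect,Executable code was detected,1
config classification: trojan-activity,A Network Trojan was detected,1
config classification: voip-alert,VoIP signature hit,10
"""

SET_RE = re.compile(r'^\s*set\s+(EMAIL_\w+)\s+"?([^"#]*?)"?\s*(?:#.*)?$')
CLASS_RE = re.compile(r'^\s*config classification:\s*([^,]+),([^,]*),(\d+)\s*$')


def parse_sguild_email(text):
    """Return {setting: set of tokens} for the EMAIL_* lines ("0" = none)."""
    settings = {}
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            # Tcl lists are whitespace separated
            settings[m.group(1)] = set(m.group(2).split()) - {"0"}
    return settings


def parse_classification(text):
    """Return {shortname: (short description, default priority)}."""
    classes = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            classes[m.group(1).strip()] = (m.group(2).strip(), int(m.group(3)))
    return classes


def would_email(settings, classes, sid, classtype, priority=None):
    """Apply the precedence described in the sguild.email comments (assumed).

    An explicit priority (a rule's `priority:` option) wins over the
    classtype's default from classification.config, as in Snort itself.
    """
    if not settings.get("EMAIL_EVENTS"):
        return False
    sid = str(sid)
    if sid in settings.get("EMAIL_ENABLE_SIDS", set()):
        return True          # per the file's NOTE: overrides EMAIL_DISABLE_SIDS
    if sid in settings.get("EMAIL_DISABLE_SIDS", set()):
        return False
    if priority is None:
        priority = classes.get(classtype, ("", 0))[1]
    if classtype in settings.get("EMAIL_CLASSES", set()):
        return True
    return str(priority) in settings.get("EMAIL_PRIORITIES", set())


# Constructed alerts: (sid, classtype, explicit rule priority or None)
SAMPLE_ALERTS = [
    (1000003, "voip-alert", None),        # mailed: listed in EMAIL_ENABLE_SIDS
    (2000002, "shellcode-detect", None),  # not mailed: disabled by SID despite class
    (1000009, "shellcode-detect", None),  # mailed: classtype in EMAIL_CLASSES
    (1000010, "voip-alert", None),        # mailed: priority 10 via classification.config
    (1000011, "policy-violation", 3),     # not mailed: neither class nor priority matches
]


def alerts_to_email(config_text=SGUILD_EMAIL, class_text=CLASSIFICATION_CONFIG,
                    alerts=SAMPLE_ALERTS):
    """Return the SIDs of the alerts that would generate an email."""
    settings = parse_sguild_email(config_text)
    classes = parse_classification(class_text)
    return [sid for sid, ct, pr in alerts if would_email(settings, classes, sid, ct, pr)]


if __name__ == "__main__":
    print("Alerts that would generate email:", alerts_to_email())
```

Pointing `config_text` and `class_text` at the real files on a sensor (the paths given above in this thread) lets you dry-run a change to EMAIL_ENABLE_SIDS or EMAIL_PRIORITIES against the SIDs in local.rules before restarting sguild, which is a cheap way to confirm that a priority-10 scheme like the one John describes mails exactly the intended signatures and nothing else.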
