> I am testing and configuring snort Version 1.6 on redhat Linux 6.2
> I would like to know how do we configure snort so that the alert will
> be sent to an email or sms. May I know the commands and where do I
> configure it.

	Just my $0.02, but are you sure you really want to do that?  Next
time a newbie script kiddie points his copy of Nessus (or any other
similarly noisy scanning tool) at one of your boxes (or you accidentally
put in a rule that catches a lot more than you wanted (as I've done to
myself more than once :) ), your e-mail inbox will be thoroughly
mailbombed, and/or your SMS provider will get a kick out of the surcharges
you'll rack up from the message flood it will cause. (not to mention the
fact that your IDS box will get heavily loaded trying to generate all
those e-mails/SMS messages).

	That said; I don't think there is a "built-in" way to make snort
do this (although I could be wrong; I've never gone looking for a way to
do mail/sms paging, but I've read a lot of snort docs and don't recall
seeing that mentioned :).

	What I would recommend is that you download the logcheck program
(http://www.psionic.com/abacus/logcheck/), compile the logtail program
that comes with it (or build the whole thing, and "cp logtail /usr/bin")
and then set up something like the following:

Cut/paste the following into a shell script (you'll set this to run as a
cronjob later).


#!/bin/sh
# where the tmpfile lives (not given in the original; anything under /tmp works)
tmpfile=/tmp/snort-alerts.$$

# try to make some semblance of a secure tmpfile
# (not perfect, but better than a glaring race condition)
if [ -f "$tmpfile" ] ; then
	until [ ! -f "$tmpfile" ] ; do
		sleep 1
	done
fi
touch "$tmpfile" ; chmod 0600 "$tmpfile"

# check /var/log/snort/alert for anything new since last time we ran
logtail /var/log/snort/alert > "$tmpfile"

# If there was anything new since last time, e-mail it out
# (-s is true when the file has non-zero size)
if [ -s "$tmpfile" ] ; then
	# recipient address is as mangled by the list archive; substitute your own
	mail -s "IDS Alerts" you at ...721... < "$tmpfile"
fi

# clean up after ourselves
rm -f "$tmpfile"


	You can substitute any SMS/Alpha paging/whatever you want where
I've got "mail -s" above, and I'd recommend setting the cronjob to
something reasonable like 5 minute intervals (avoids mail/SMS bombs
mentioned above, while still keeping you fairly reasonably up to date with
potential problems).

	Oh, and fair warning; I thought up the above on the fly, and I
haven't slept much recently; so consider the aforementioned
script/architecture "untested-but-ought-to-work-in-theory". :)  Cheers,
and best of luck.
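An added example, not code from the original post or from the logcheck project: a poller in the spirit of the script above that does the offset-tracking job itself (what logtail does) and mails one digest with repeat counts per signature, so the scan-induced mail flood the reply warns about becomes a few lines. File paths, the MAX_LINES cap and the alert lines used in demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: poll the snort alert file
# the way logtail does (remembering a byte offset) and mail one digest,
# counting repeats per signature so a scan becomes a few lines, not a flood.
# Paths, MAX_LINES and the sample alert lines in demo are assumptions.

MAX_LINES="${MAX_LINES:-20}"   # cap on signatures listed per digest

# new_lines FILE STATE: print only the bytes appended to FILE since the
# offset saved in STATE, then save the new offset.  A shrunken FILE
# (log rotation) restarts from 0.
new_lines() {
    file=$1; state=$2; offset=0
    [ -f "$state" ] && read -r offset < "$state"
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -lt "$offset" ] && offset=0
    tail -c +"$((offset + 1))" "$file"
    printf '%s\n' "$size" > "$state"
}

# digest: read snort "fast" alert lines on stdin, count repeats per
# signature name (text between the two [**] markers, minus the
# [gid:sid:rev] tag) and print the MAX_LINES busiest as "count name".
digest() {
    awk -F'[[][*][*][]] ' 'NF >= 3 {
        sig = $2; sub(/^[[][0-9:]+[]] /, "", sig); sub(/ +$/, "", sig); c[sig]++
    } END { for (s in c) printf "%d %s\n", c[s], s }' |
        sort -rn | head -n "$MAX_LINES"
}
# send_digest ALERT_FILE STATE_FILE RECIPIENT: the cron entry point.
send_digest() {
    body=$(new_lines "$1" "$2" | digest)
    [ -n "$body" ] && printf '%s\n' "$body" | mail -s "IDS digest" "$3"
}

# demo: run the pipeline over constructed alert lines in a private temp
# dir (nothing is mailed); only lines appended after the first poll count.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '01/10-12:00:01.000001  [**] [1:1000001:1] LOCAL ICMP ping sweep [**] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.1' > "$dir/alert"
    new_lines "$dir/alert" "$dir/offset" > /dev/null   # first poll consumes line 1
    printf '%s\n' \
        '01/10-12:00:02.000001  [**] [1:1000001:1] LOCAL ICMP ping sweep [**] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.1' \
        '01/10-12:00:03.000001  [**] [1:1000002:1] LOCAL TCP xmas probe [**] [Priority: 2] {TCP} 10.0.0.5:40000 -> 10.0.0.1:22' \
        '01/10-12:00:04.000001  [**] [1:1000001:1] LOCAL ICMP ping sweep [**] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.1' \
        >> "$dir/alert"
    new_lines "$dir/alert" "$dir/offset" | digest
    rm -rf "$dir"
}
```

Run `demo` to see the digest on the constructed lines; for cron, call `send_digest /var/log/snort/alert /var/lib/snort-digest.offset you@yourdomain` every few minutes.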

