[Snort-users] alerting admin via email or sms

A.L.Lambert alambert at ...387...
Mon Oct 30 07:42:30 EST 2000


> I am testing and configuring snort Version 1.6 on redhat Linux 6.2
> 
> I would like to know how we configure snort so that the alert will
> be sent to an email or SMS. May I know the commands and where I
> configure it.

	Just my $0.02, but are you sure you really want to do that?  Next
time a newbie script kiddie points his copy of Nessus (or any other
similarly noisy scanning tool) at one of your boxes (or you accidentally
put in a rule that catches a lot more than you wanted (as I've done to
myself more than once :) ), your e-mail inbox will be thoroughly
mailbombed, and/or your SMS provider will get a kick out of the surcharges
you'll rack up from the message flood it will cause (not to mention the
fact that your IDS box will get heavily loaded trying to generate all
those e-mails/SMS messages).

	That said; I don't think there is a "built-in" way to make snort
do this (although I could be wrong; I've never gone looking for a way to
do mail/sms paging, but I've read a lot of snort docs and don't recall
seeing that mentioned :).

	What I would recommend is that you download the logcheck program
(http://www.psionic.com/abacus/logcheck/), compile the logtail program
that comes with it (or build the whole thing, and "cp logtail /usr/bin")
and then set up something like the following:

Cut/paste the following into a shell script (you'll set this to run as a
cronjob later).

#!/bin/sh

# try to make some semblance of a secure tmpfile
# (mktemp creates the file atomically with mode 0600, which closes the
# check-then-create race window that the original $RANDOM loop left open;
# it also fixes two bugs in that loop: touch/chmod only ran when the file
# already existed, and $RANDOM is a bash feature that plain /bin/sh lacks)
tmpfile=$(mktemp /tmp/snortreport.XXXXXX) || exit 1

# clean up after ourselves, however we exit
trap 'rm -f "$tmpfile"' EXIT

# check /var/log/snort/alert for anything new since last time we ran
logtail /var/log/snort/alert > "$tmpfile"

# If there was anything new since last time, e-mail it out.
# (the original 'test "find -size 0 $tmpfile"' only tested a non-empty
# string, so it was always true and the mail was never sent; -s is true
# when the file exists and has a size greater than zero)
# recipient is as obfuscated by the list archive; substitute your own address
if [ -s "$tmpfile" ] ; then
	mail -s "IDS Alerts" "you at ...721..." < "$tmpfile"
fi

# EOF


	You can substitute any SMS/Alpha paging/whatever you want where
I've got "mail -s" above, and I'd recommend setting the cronjob to
something reasonable like 5-minute intervals (avoids mail/SMS bombs
mentioned above, while still keeping you fairly reasonably up to date with
potential problems).

	Oh, and fair warning; I thought up the above on the fly, and I
haven't slept much recently; so consider the aforementioned
script/architecture "untested-but-ought-to-work-in-theory". :)  Cheers,
and best of luck.

-- 
A.L.Lambert
-----------------------------------------------------------------------------
"...(Government) doesn't aid progress, it hinders it. Government is politics, 
not progress. Government is bureaucracy, inefficiency, and brute force. It is
the least desirable, least effective and least likely to succeed means of 
getting anything accomplished." 
	-- Harry Browne
-----------------------------------------------------------------------------
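One way to defuse the mail/SMS flood the reply warns about, as an added example that is not from the original post: have the cron job send a single bounded digest per run (alerts counted per signature, raw lines capped) instead of forwarding the whole chunk. It assumes logtail has handed over a piece of Snort's full-format alert file, where each alert begins with a "[**] msg [**]" line; the sample alerts are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: digest new Snort alerts into
# ONE bounded e-mail per cron run instead of one message per alert.
# Assumes the full-format alert file, where each alert starts with a
# "[**] <msg> [**]" line. Use it in place of the plain "cat | mail" step.

# summarize_alerts FILE: print a header with the alert count, one
# "N x <signature>" line per distinct signature (most frequent first),
# then at most $MAX_LINES raw lines (default 40) so a noisy scan can
# never turn one digest into a mailbomb.
summarize_alerts() {
    file=$1
    max=${MAX_LINES:-40}
    total=$(grep -c '^\[\*\*\]' "$file" || true)
    echo "Snort digest: $total alert(s) since last run"
    awk '/^\[\*\*\]/ { sub(/^\[\*\*\] */, ""); sub(/ *\[\*\*\]$/, ""); n[$0]++ }
         END { for (m in n) print n[m] " x " m }' "$file" | sort -rn
    echo "--- first $max raw line(s) ---"
    head -n "$max" "$file"
    lines=$(wc -l < "$file" | tr -d ' ')
    if [ "$lines" -gt "$max" ] ; then
        echo "... truncated ($lines lines total) ..."
    fi
}

# make_sample FILE: write a constructed chunk of alert output (what logtail
# would hand us): three alerts, two of them the same noisy signature.
make_sample() {
    cat > "$1" <<'EOF'
[**] IDS177 - NETBIOS-SMB-Name-Wildcard [**]
10/30-07:40:01.000001 10.0.0.5:137 -> 10.0.0.1:137
UDP TTL:128 TOS:0x0 ID:1
[**] IDS177 - NETBIOS-SMB-Name-Wildcard [**]
10/30-07:40:02.000002 10.0.0.5:137 -> 10.0.0.2:137
UDP TTL:128 TOS:0x0 ID:2
[**] WEB-MISC /etc/passwd [**]
10/30-07:41:00.000003 10.0.0.9:4444 -> 10.0.0.1:80
TCP TTL:64 TOS:0x0 ID:3
EOF
}

# Stand-alone demo with a deliberately tight cap so the truncation shows.
demo=$(mktemp) || exit 1
make_sample "$demo"
MAX_LINES=4
summarize_alerts "$demo"
rm -f "$demo"
```

In the cron script, pipe `summarize_alerts "$tmpfile"` into `mail -s "IDS Alerts"` and the 5-minute cron interval then bounds both how often and how much gets sent.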