[Snort-users] How can I setup Snort to e-mail alerts?

Mark W. Davis mwd at ...497...
Fri Jun 22 15:13:35 EDT 2001


I use logcheck to parse syslog files and e-mail the results. I also
hacked up a perl script that appends to the logcheck output the IP 
address, port, protocol, and number of attempts per IP address per 
port. Here is the relevant section of logcheck and the perl hack:

-------------------------------------------------------------------
...

# run parser on the report (quote the paths in case $TMPDIR contains spaces)
if [ -f "$TMPDIR/checkreport.$$" ]; then
  /usr/local/hacks/myparse "$TMPDIR/checkreport.$$" > "/tmp/myparse.$$"
  # only append the summary if the parser actually produced output
  if [ -s "/tmp/myparse.$$" ]; then
    cat "/tmp/myparse.$$" >> "$TMPDIR/checkreport.$$"
  fi
  rm -f "/tmp/myparse.$$"
fi

# If there are results, mail them to sysadmin

...
-------------------------------------------------------------------



#!/usr/bin/perl
# myparse - append to logcheck output the name lookup, tries, and protocols
#           of firewall violators.
#
# logcheck output has been modified to NOT LOG firewall DENYs in its
# Security Violations section. The DENYs are still logged in the
# Unusual Events section. This script parses the Unusual Events section
# of logchecks output (see the UNK hack).
#
# mwd - mwd at ...242...
#
#

use Socket;

@uniq = ();
%seen = ();
%services = ();
%hostnames = ();
sub getpname;
sub gethname;

%protocols = (
               0 => "IP",
               1 => "ICMP",
               2 => "IGMP",
               3 => "GGP",
               6 => "TCP",
               12 => "PUP",
               17 => "UDP"
              );

print "\n\n";

# added mysql check to restart snort if it cannot log
# to the database. I think that the problem is wait_timeouts from the
# db server.
#
$mydead = 0;
# Hack to just parse the Unusual events section
$UNK = 0;
while (<>) {
    # search for string 'MySQL server has gone away'
    if ($mydead == 0) {
        $mydead = 1 if (/server has gone away/);
    }

    # need to add other UNKS for web log, etc...
    $UNK = 1 if (/Unusual/);
    if ($UNK == 1) {
        # might want to add REJECT also
        if(/DENY/ || /ACCEPT/) { 
          # ipchains packet-log layout: PROTO=<num> ... src:port dst:port
          if(/.*?PROTO=(\d+).*?(\d+\.\d+\.\d+\.\d+:\d{1,5})\s+(\d+\.\d+\.\d+\.\d+:\d{1,5}).*/) {
            # key is proto|src:sport|dst:dport; %seen counts repeats, @uniq keeps first-seen order
            my $temp = "$1|$2|$3";
            push(@uniq, $temp) unless $seen{$temp}++;
          }
        }
    }
}

# Restart snort daemon if database times out
if($mydead == 1) {
    system("/etc/rc.d/init.d/snortd restart >/dev/null");
}

if(keys(%seen)) {

  # open services file and snarf items
  open(WAK, "< /etc/services") or die "Can't open /etc/services for reading: $!\n";

  # skip comments and continuation lines; fields are "name port/proto [aliases...]"
  while(<WAK>) {
    if(!/^#|^\s/) {
      ($servname, $tmp_port, $description) = split;
      ($port, $protname) = split(/\//, $tmp_port);
      # keyed by port only, so a later udp entry overwrites the tcp name
      $services{$port} = $servname;
    }
  }

  foreach $key (keys %seen) {
    $value = $seen{$key};

    ($prt, $src, $dest) = split(/\|/, $key);
    ($saddr, $sport) = split(/:/, $src);
    ($daddr, $dport) = split(/:/, $dest);

    $shostname = gethname $saddr;
    $dhostname = gethname $daddr;
    $sportname = getpname $sport;
    $dportname = getpname $dport;
    $tol = $protocols{$prt};
    
    write;
    
  }

  print "\n\n\nAddress to Host Translations\n----------------------------\n";
  print "\n";
  foreach $key (keys %hostnames) {
      $value = $hostnames{$key};
      print "$key\t\t$value\n";
  }
}
exit;

sub gethname {
    my $host = $_[0];
    if(exists $hostnames{$host}) {
        $name = $hostnames{$host};
    } else {
        # reverse lookup; fall back to the bare address when it fails
        $name = gethostbyaddr(inet_aton($host), AF_INET) or $name = $host;
        # cache only real names so failed lookups do not clutter the translation table
        $hostnames{$host} = $name unless $name eq $host;
    }
    return $name;
}

sub getpname {
    my $pnum = $_[0];
    if(exists $services{$pnum}) {
        $name = $services{$pnum};
    } else {
        $name = "UNPRIV";
    }
    return $name;
}

format STDOUT_TOP =
                                        
                                   Translation

Source address                       Port            Destination address  Port        Tries Protocol
-----------------------------------------------------------------------------------------------------
.
format =
@<<<<<<<<<<<<<<<<<<<<<< @<<<<<<<<<<<<<<< @<<<<<<<<<< @<<<<<<<<<<<<<<<<<<< @<<<<<<<<<< @|||| @||||
$shostname,             $saddr,          $sportname, $dhostname,          $dportname, $value, $tol
.
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Yom,
Francis
Sent: Thursday, June 21, 2001 7:22 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] How can I setup Snort to e-mail alerts?


Greetings,

I would like to know how, if it is possible, to set up snort to e-mail
alerts to an administrator.  

Thanks in advance,
Francis
