[Snort-users] RE: Email Plugin

___cliff rayman___ cliff at ...1366...
Wed Mar 14 14:16:57 EST 2001


swatch is a SimpleWATCHer.  it is simply watching my
/var/log/snort/alerts file for any alerts and e-mailing me when
they come in.  i wanted to see the full multiline alerts so i
had to modify File::Tail in order to do so.  i am working with
the developer to incorporate changes into the next release.

in my snort.conf file my output is:
--------snip--------
output alert_full: /var/log/snort/alert
--------snip--------

my command line looks like this:
--------snip--------
nohup swatch --config-file=/usr/local/etc/swatch_snort.conf --input-record-separator="\n\n" --tail-file=/var/log/snort/alert --daemon >/root/var/swatch_snort.otp 2>&1 &
--------snip--------

my /usr/local/etc/swatch_snort.conf file looks like this:
--------snip--------
# swatch_snort.conf
# watchdog for alert snort logs
############################
# 000, 02-19-01, , cliff, initial coding
############################
# run as:
# swatch --config-file=/usr/local/etc/swatch_snort.conf --input-record-separator="/\n\n/" --tail-file=/var/log/snort/alert
watchfor /.*/
mail addresses=security\@genwax.com,subject=swatch alert
--------snip--------
if you are happy with regular alerts, don't use alert_full and lose the:
--input-record-separator="\n\n"

on the swatch command line.  otherwise, i can send you my File::Tail which should be
considered beta code until it is well tested.

hth,
cliff


--
___cliff rayman___cliff at ...1367...://www.genwax.com/

Lee Leahu wrote:

> I had a couple questions about the email plugin.
>
> cliff rayman says he's using swatch for an email plugin.
>
> Is this a plugin to snort and another application that snort sends the
> alerts to for sending via email?
> Sorry, I am not very familiar with snort, but it sounds very interesting.
>
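An added example, not part of the post and not swatch, File::Tail or snort code: a small Python script that does what the --input-record-separator="\n\n" option does for swatch, splitting an alert_full log on blank lines so that each multi-line alert is handled whole rather than line by line, then applying a watchfor pattern and building one mail message per hit. The sample log, the regexes, the function names and the recipient address are all assumptions.

```python
"""Added example (not swatch, File::Tail or snort code): split a snort
alert_full log into whole multi-line alerts, the way swatch does when run
with --input-record-separator="\n\n", match each alert against a watchfor
pattern and build one e-mail message per hit.  Names, sample data and the
mail recipient are all assumed."""
import re
from email.message import EmailMessage
from typing import Dict, Iterable, Iterator, List

# Constructed sample in the shape of snort's alert_full output: one block of
# lines per alert, blocks separated by a blank line.  All values are made up.
SAMPLE_ALERT_LOG = """\
[**] [1:1000001:1] EXAMPLE rule one [**]
03/14-14:16:57.000001 192.0.2.10:44321 -> 192.0.2.20:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60

[**] [1:1000002:1] EXAMPLE rule two [**]
03/14-14:17:02.000002 192.0.2.11:53 -> 192.0.2.20:53
UDP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:80

"""

# Equivalent of Perl's $/ (the input record separator) set to a blank line.
RECORD_SEPARATOR = "\n\n"

# Equivalent of `watchfor /.*/` in the swatch config: match every alert.
DEFAULT_WATCHFOR = r".*"


def split_records(text: str, separator: str = RECORD_SEPARATOR) -> List[str]:
    """Split a complete log text into alerts, dropping empty records."""
    return [r.strip("\n") for r in text.split(separator) if r.strip()]


def split_records_incremental(chunks: Iterable[str],
                              separator: str = RECORD_SEPARATOR) -> Iterator[str]:
    """Streaming variant for a tailed file: data arrives in arbitrary pieces,
    so buffer until a full separator is present before yielding a record.
    Whatever follows the last separator is an incomplete alert and stays in
    the buffer; with a blank-line separator an alert is therefore only
    delivered once its terminating blank line has been written."""
    buf = ""
    for chunk in chunks:
        buf += chunk
        while separator in buf:
            record, buf = buf.split(separator, 1)
            if record.strip():
                yield record.strip("\n")


_HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
_FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")


def parse_alert(record: str) -> Dict[str, object]:
    """Pull the rule id, message and flow out of one alert_full record.
    Raises ValueError on anything that does not look like an alert."""
    lines = record.splitlines()
    if len(lines) < 2:
        raise ValueError("record too short to be an alert")
    header = _HEADER_RE.search(lines[0])
    flow = _FLOW_RE.match(lines[1])
    if not header or not flow:
        raise ValueError("unrecognised alert header")
    return {
        "gid": int(header.group(1)), "sid": int(header.group(2)),
        "rev": int(header.group(3)), "msg": header.group(4),
        "timestamp": flow.group(1), "src": flow.group(2), "dst": flow.group(3),
    }


def build_alert_mail(record: str, to_addr: str,
                     subject: str = "swatch alert") -> EmailMessage:
    """Build (but do not send) the message a `mail` action would send:
    the whole multi-line alert as the body."""
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(record + "\n")
    return msg


def process_log(text: str, to_addr: str,
                watchfor: str = DEFAULT_WATCHFOR) -> List[EmailMessage]:
    """Apply the watchfor pattern to every whole alert and return one message
    per match; with the default pattern every alert is mailed, as in the post."""
    pattern = re.compile(watchfor)
    return [build_alert_mail(rec, to_addr)
            for rec in split_records(text) if pattern.search(rec)]


if __name__ == "__main__":
    for m in process_log(SAMPLE_ALERT_LOG, "security@example.com"):
        print(m)  # each would-be e-mail, headers and multi-line body
```

The incremental splitter is the part that matters for a tailed file: if the tailer hands records to the matcher one line at a time, the watchfor pattern and the mail body only ever see a single line of the alert, which is the behaviour the post describes having to work around.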
