[Snort-users] Sending Alert Via E-mail

niceshorts at ...131... niceshorts at ...131...
Mon Nov 5 16:04:05 EST 2001


Hi,

I have a batch file I run from Task Scheduler that uses win32
ports of gnu tools (wc, find, date, gzip, sleep, etc) and the
command line blat to send mail -- saves me the trouble of
installing perl on every box.

Here's the gist of it (modeled after Psionic.com's logcheck):

logcheck.bat
============
@echo off
@if not {%ECHO%} == {} echo %ECHO%

pushd G:\var\log\snort & setlocal

    set PATH=G:\gnutools;G:\snort;%PATH%
    for /f %%a in ('hostname') do set HOST=%%a
    set SENDMAILTO=notify at ...4008...
    set SNORTDIR=G:\var\log\snort
    set SNORTLOG=%SNORTDIR%\alert.ids
    set SNORTOFFSET=%SNORTDIR%\alert.offset
    set TMPDIR=G:\var\state\logcheck
    set TMPLOG=%TMPDIR%\check.log

:getdate
    :: date /t can also be used in similar fashion
    for /f %%a in ('gnudate +%%Y%%m%%d') do set @DATE=%%a
    (
      set DATE=%@DATE%
      set YY=%@DATE:~0,4%
      set MM=%@DATE:~4,2%
      set DD=%@DATE:~6,2%
    )

:main
    if exist %TMPLOG% del %TMPLOG%
    :: The offset file remembers how many lines of alert.ids
    :: were already reported by the previous run
    if not exist %SNORTOFFSET% echo 0 > %SNORTOFFSET%
    for /f %%a in (%SNORTOFFSET%) do set OLDOFFSET=%%a
    for /f %%a in ('wc -l ^< %SNORTLOG%') do (
        echo %%a > %SNORTOFFSET% && set NEWOFFSET=%%a
    )
    if %OLDOFFSET% equ %NEWOFFSET% goto next
    :: tail +N prints from line N onwards, and line OLDOFFSET was
    :: already reported last time, so start one line further on
    set /a FIRSTNEW=%OLDOFFSET%+1
    tail +%FIRSTNEW% %SNORTLOG% > %TMPLOG% && call :mail

:next
    if /i {%1} == {rotate} goto rotate
goto done

:rotate
    if not exist %SNORTDIR%\archive mkdir %SNORTDIR%\archive
    net stop snort && sleep 5

    :: Need a few seconds for windoze to release
    :: snort file handles after the service is stopped

    move alert.ids alert-%DATE%.ids
    :: Drop the offset so the next run reads the fresh alert.ids from line 1
    del alert.offset
    net start snort
    gzip -9 alert-%DATE%.ids

    :: Find the snort-*.log files and gzip them, except the current
    :: snort-MMDD@HHMM.log which is in use and can't be gzipped
    gnufind . -maxdepth 1 -type f -name snort-*.log ! -name snort-%MM%%DD%@*.log | xargs gzip -9

    :: Move gzipped logs to archive subdirectory
    move *.gz .\archive

    :: Delete logs older than 90 days
    gnufind .\archive -type f -mtime +90 | xargs rm -f
goto done

:mail
    blat %TMPLOG% -t %SENDMAILTO% -s "%HOST%: %MM%/%DD%/%YY% IDS LOGCHECK"
    :: Return to the caller here; without this the subroutine would fall
    :: through into :done and popd out of the snort directory before :rotate runs
goto :EOF

:done
endlocal & popd
====================end batch file=================

HTH and HAND,
-anthony

On Mon, Nov 05, 2001, Kresna Prawira wrote:

> how about for Windows NT machines?
> 
> -----Original Message-----
> From: Jason Haar [mailto:Jason.Haar at ...294...]
> Sent: Monday, November 05, 2001 2:45 PM
> To: 'Snort-users at lists.sourceforge.net'
> Subject: Re: [Snort-users] Sending Alert Via E-mail
> 
> 
> On Mon, Nov 05, 2001 at 12:21:09PM +0800, Fadzly Zainuddin wrote:
> > How can I send any attempt via e-mail? I'm running snort on Redhat 7.0.
> 
> Swatch is your friend:
> 
> A /etc/swatchrc rule like:
> 
> watchfor / snort:.*TELNET root login/
>  echo
>  exec /usr/local/bin/swatchlogger -snort security at ...294... 'IDS Event' $*
> 
> ... would trigger "swatchlogger" whenever someone logged into a root account
> via telnet.
> 
> What "swatchlogger" is is of course your problem :-)
> 
> -- 
> Cheers
> 
> Jason Haar
> 
> Information Security Manager
> Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
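The batch file and the swatch rule above share one idea: remember how far the alert file was read, report only the new lines, and run a pattern list over them before mailing. The script below is an added example written for this archive page in Python; it is not code from the thread, from Psionic's logcheck or from the Snort project. It keeps the alert.ids / alert.offset file names from the batch file but stores a byte offset instead of a line count, holds back a line Snort is still writing, restarts from the beginning when the file has been rotated (offset larger than the file), and composes the notification with the same subject style. The sample alert lines, rule IDs and addresses are constructed for the example, the recipient is a placeholder, and actually handing the message to an SMTP server (smtplib) is left out.

```python
"""Incremental IDS alert check, in the spirit of logcheck.bat and the swatch
rule in this thread: remember how far alert.ids has been read, report only
the new lines, run swatch-style "watchfor" patterns over them and build the
notification mail.  Example code added to this page, not from the thread."""
import os
import re
import tempfile
from email.message import EmailMessage

# Constructed sample lines in Snort's one-line "fast" alert style, using
# documentation addresses; the rule IDs are made up for the example.
SAMPLE_ALERTS = (
    "11/05-15:58:02.000001  [**] [1:1000001:1] TELNET root login [**] "
    "[Priority: 1] {TCP} 192.0.2.10:40211 -> 198.51.100.5:23\n"
    "11/05-15:58:09.000002  [**] [1:1000002:1] ICMP PING [**] "
    "[Priority: 3] {ICMP} 192.0.2.11 -> 198.51.100.5\n"
)
SAMPLE_APPENDED = (
    "11/05-16:01:30.000003  [**] [1:1000003:1] WEB-MISC probe [**] "
    "[Priority: 2] {TCP} 192.0.2.12:50123 -> 198.51.100.5:80\n"
)

# swatch-style watch list: (pattern, tag).  The first pattern is the rule
# from the thread; the second flags anything Snort rates priority 1.
WATCHFOR = [
    (re.compile(r"TELNET root login"), "telnet-root"),
    (re.compile(r"\[Priority: 1\]"), "priority-1"),
]


def read_new_lines(log_path, offset_path):
    """Return (new complete lines, new offset) and persist the offset.

    The offset is a byte position rather than a line count, so nothing has
    to re-scan the whole file each run; an offset past the end of the file
    means alert.ids was rotated or truncated, so reading restarts at 0.
    """
    try:
        with open(offset_path) as f:
            old = int(f.read().strip() or 0)
    except FileNotFoundError:
        old = 0
    if old > os.path.getsize(log_path):
        old = 0
    with open(log_path, "rb") as f:
        f.seek(old)
        data = f.read()
    # Only consume up to the last newline: a line Snort is still writing
    # is left for the next run instead of being reported in two halves.
    cut = data.rfind(b"\n") + 1
    lines = data[:cut].decode("utf-8", "replace").splitlines()
    with open(offset_path, "w") as f:
        f.write(str(old + cut))
    return lines, old + cut


def match_alerts(lines, rules=WATCHFOR):
    """Return [(line, [tags...])] for lines hit by at least one rule."""
    hits = []
    for line in lines:
        tags = [tag for rx, tag in rules if rx.search(line)]
        if tags:
            hits.append((line, tags))
    return hits


def build_report(host, hits, to_addr):
    """Compose the notification (sending it, e.g. via smtplib, is left out)."""
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = f"{host}: IDS LOGCHECK ({len(hits)} matching alerts)"
    msg.set_content("\n".join(f"[{','.join(tags)}] {line}" for line, tags in hits))
    return msg


def demo():
    """Four runs over a constructed alert file in a temporary directory."""
    d = tempfile.mkdtemp()
    log, off = os.path.join(d, "alert.ids"), os.path.join(d, "alert.offset")
    with open(log, "w") as f:
        f.write(SAMPLE_ALERTS)
    first, _ = read_new_lines(log, off)       # first run: everything is new
    with open(log, "a") as f:
        f.write(SAMPLE_APPENDED)
    second, _ = read_new_lines(log, off)      # only the appended alert
    with open(log, "a") as f:                 # half-written line, no newline yet
        f.write("11/05-16:03:00.000004  [**] [1:1000004:1] TELNET root login")
    third, _ = read_new_lines(log, off)       # held back until complete
    with open(log, "a") as f:
        f.write(" [**] [Priority: 1] {TCP} 192.0.2.13:1 -> 198.51.100.5:23\n")
    fourth, _ = read_new_lines(log, off)      # reported exactly once
    return [len(first), len(second), len(third), len(fourth)], match_alerts(first + fourth)


if __name__ == "__main__":
    counts, hits = demo()
    print(counts)
    print(build_report("sensor1", hits, "notify@example.invalid"))
```

Run as a script it prints the per-run line counts and the composed message; in a real deployment the cron or Task Scheduler job would call read_new_lines on the live alert file and pass the report to an SMTP sender. Storing a byte offset (and discarding it when it exceeds the file size) is what lets the rotate step simply move the file away without a separate "delete the offset file" action.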