[Snort-users] swatch/snort config

Edwin Pua edwin1118 at ...125...
Wed Jan 23 02:45:22 EST 2002


Hi Sandro,

  I have installed the swatch rpm package and the other Perl dependent packages 
with no error. I've made some changes in /etc/swatch/swatch.conf based 
on your guideline.

  But I got an error message when I tried to run /usr/bin/swatch:

       swatch: cannot read /root/.swatchrc
       swatch: using default configuration of:
                  watchfor = /.*/
                  echo = random

  BTW, what is the purpose of swatch_old2newrc? Is this the program that 
runs the swatch.conf? Sorry for this, because I am puzzled by the error 
message I got.

   Thanks for your help.

Regards,
Edwin

>From: <sandro.poppi at ...3316...>
>To: <edwin1118 at ...125...>
>CC: <snort-users at lists.sourceforge.net>
>Subject: AW: AW: (Snort-users) AW: (Snort-users) Newbie Question..
>Date: Tue, 22 Jan 2002 12:15:00 +0100
>
>Edwin,
>
>As you can see in the original snort-check script it's intended to be run
>from within swatch. To send the actual /var/log/alert you'll have to use
>cat/tail or such (you surely don't want to send the whole file each time)
>instead of echo "$*" | mail ...
>
>For exactly that reason I use swatch to send me alerts nearly in realtime
>(every minute). snort-check won't send any alerts without being triggered
>anyhow, that's where swatch comes into sight (see Configuring swatch in my
>HOWTO).
>
>If you do see alerts but get no email (and you are using swatch or
>something else to trigger snort-check) take a look at your maillog or try
>root at ...274... as a recipient.
>
>HTH,
>Sandro
>
> >
> > Hi Sandro,
> >
> >    So far there's no error in the program after changing it to
> > #!/bin/bash and upon compiling it.
> >
> >    But it doesn't send the actual alert file. I mean, I did a
> > simulation test using nmap to alert my snort box. But the snort-check
> > program didn't send any email, though I've seen in the snort box using
> > "tail -f /var/log/snort/alert" that there's some port scanning going on.
> >
> >    What will I edit or add in the snort-check program to email the
> > actual alert files of snort in real time once attacks have been
> > detected by snort?
> >
> >    Thanks for your help.
> >
> > Regards,
> > Edwin
> >
> > >From: <sandro.poppi at ...3316...>
> > >To: <edwin1118 at ...125...>
> > >CC: <snort-users at lists.sourceforge.net>
> > >Subject: AW: (Snort-users) AW: (Snort-users) Newbie Question..
> > >Date: Mon, 21 Jan 2002 07:20:00 +0100
> > >
> > >I checked the modified program on RH 7.0 and 7.2 and it worked without
> > >error. The only thing I did was adding a # before the line
> > >"if a recipient file exists"
> > >
> > >Could you please be more specific if the error still exists? Please
> > >include the error message and line number. You may take a look at
> > >/bin/sh: if it does not point to /bin/bash then this may be the error.
> > >Replace #!/bin/sh with #!/bin/bash. I will fix this in the next version
> > >to be more specific.
> > >
> > >Ciao,
> > >Sandro
> > >
>
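An added example, not from this thread or from Sandro's snort-check script or HOWTO, of the "send only what is new" approach he describes: the script remembers how far into /var/log/snort/alert it has already read, mails just the records appended since the last run, and starts over if the log was rotated. The state-file path, the mail(1) invocation and the sample alert records are assumptions; the sample is constructed in Snort's full-alert layout.

```python
import os
import subprocess
import tempfile

ALERT_FILE = "/var/log/snort/alert"         # Snort's default full-alert log
STATE_FILE = "/var/lib/snort-check.offset"  # assumed place to persist the byte offset

def new_alerts(alert_path, state_path):
    """Return complete alert records appended since the last run, then advance the offset."""
    try:
        offset = int(open(state_path).read().strip() or 0)
    except (FileNotFoundError, ValueError):
        offset = 0                            # first run: forward from the start
    if os.path.getsize(alert_path) < offset:  # log rotated or truncated: restart
        offset = 0
    with open(alert_path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n\n")                 # full-alert records end with a blank line
    if end < 0:
        return []                             # only a partial record so far; try later
    consumed = data[:end + 2]
    with open(state_path, "w") as fh:
        fh.write(str(offset + len(consumed)))
    text = consumed.decode("utf-8", errors="replace")
    return [rec.strip() for rec in text.split("\n\n") if rec.strip()]

def mail_alerts(records, recipient):
    """Mail only the new records, never the whole file; needs a working local MTA."""
    if not records:
        return 0
    subprocess.run(["mail", "-s", "snort: %d new alert(s)" % len(records), recipient],
                   input=("\n\n".join(records) + "\n").encode(), check=True)
    return len(records)

SAMPLE = (  # constructed sample in Snort's full-alert layout, not taken from the thread
    "[**] [1:469:1] ICMP PING NMAP [**]\n"
    "01/22-12:15:00.123456 192.0.2.10 -> 192.0.2.20\n\n"
    "[**] [1:469:1] ICMP PING NMAP [**]\n"
    "01/22-12:15:01.654321 192.0.2.10 -> 192.0.2.21\n\n"
)

def demo():
    # Run on a temporary copy of SAMPLE: two new records, then none, then one appended.
    with tempfile.TemporaryDirectory() as tmp:
        alert, state = os.path.join(tmp, "alert"), os.path.join(tmp, "offset")
        open(alert, "w").write(SAMPLE)
        counts = [len(new_alerts(alert, state)), len(new_alerts(alert, state))]
        open(alert, "a").write(SAMPLE.split("\n\n")[0] + "\n\n")
        counts.append(len(new_alerts(alert, state)))
        return counts
```

Run as `mail_alerts(new_alerts(ALERT_FILE, STATE_FILE), "root")` from cron or from a swatch `exec` action; each run forwards only the records that appeared since the previous one.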