[Snort-users] snort email alert

Matt Kettler mkettler at ...4108...
Thu May 23 08:34:06 EDT 2002


Well, I admit up front that I do not understand exactly what you are 
looking for, since I do not understand your question very well. So what 
follows is merely an educated guess at what might answer your question.

At any rate, swatch, logwatch and similar tools are "log watchers". They 
watch a logfile on disk, periodically scanning the latest information in 
it, and triggering various programs to be run if certain text strings 
appear in the log.

Swatch can watch a syslog file, or any other logfile you want, like the 
text mode snort alerts file.

So something along the lines of "swatch -t 
/home/snort/var/log/snort/alert"  is probably a good start, depending on 
where you run snort from and where your alert file is. (yes I am paranoid, 
yes I do chroot my snort daemon, no that's not where I chroot it to)

For your swatch configuration you might want something as simple as this:

/WEB-IIS cmd.exe access/                exec= "echo 'IIS cmd.exe' | mail me at ...5921..."

You can get a lot more elaborate, but I personally don't use this kind of 
setup, so if you want something more detailed, you might want to ask a more 
specific question on the list and let someone else answer it.


At 10:20 AM 5/23/2002 -0400, Math wrote:
>I haven't found a good, clear explanation of how to set up a mail alert if my computer is 
>scanned, using snort. I got swatch and I think I can configure it in my syslog 
>to alert me. Can anybody refer me to a good, clear site or explain to me how I 
>can configure it to get different kinds of email alert?
>
>ulaval student
>Canada
>Math
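An added example, not part of the thread and not swatch or Snort code: a small swatch-style watcher in Python that tails the text-mode Snort alert file from its current end (the equivalent of the `swatch -t` invocation above), matches each new line against a list of regex rules, and calls mail(1) when a rule hits. It goes a little beyond the one-liner in the reply in two ways a practitioner usually wants: notifications for a given rule are throttled to one per window, so a scan that trips the same signature hundreds of times does not become hundreds of e-mails, and the mail command is built as an argument list rather than a shell string, so text from the log (which an attacker can influence, e.g. via a crafted URL) is never interpreted by a shell. The alert path, the recipient address, the 300-second window and the sample alert lines are all assumptions; the sample lines are constructed to approximate Snort's full-alert text format and are not a real capture.

```python
"""Minimal swatch-style watcher for a text-mode Snort alert file.

Added example (not swatch or Snort code). Tails the alert file, matches new
lines against regex rules, and runs mail(1) once per rule per throttle window.
Paths, addresses, window and sample lines are assumptions for illustration.
"""
import re
import subprocess
import sys
import time
from dataclasses import dataclass


@dataclass
class Rule:
    pattern: re.Pattern   # applied to each alert line
    label: str            # short text used as the mail subject and body
    recipient: str        # address handed to mail(1)


# Assumed rules. The pattern is the Snort message text that appears between the
# [**] markers in the alert file, e.g. "WEB-IIS cmd.exe access" from the post.
RULES = [
    Rule(re.compile(r"WEB-IIS cmd\.exe access"), "IIS cmd.exe", "me@example.invalid"),
    Rule(re.compile(r"portscan", re.IGNORECASE), "portscan", "me@example.invalid"),
]


def run_mail(argv, body):
    """Default action: pipe body into mail(1). argv is a list, not a shell
    string, so nothing taken from the (attacker-influenced) log line is
    ever parsed by a shell."""
    subprocess.run(argv, input=body.encode(), check=False)


class AlertWatcher:
    def __init__(self, rules, runner=run_mail, throttle_secs=300, clock=time.time):
        self.rules = rules
        self.runner = runner            # callable(argv, body); injectable for tests
        self.throttle_secs = throttle_secs
        self.clock = clock
        self.last_sent = {}             # rule label -> time of last notification

    def handle_line(self, line):
        """Match one alert line against every rule. Returns the list of mail
        commands (argv lists) actually triggered after throttling."""
        fired = []
        now = self.clock()
        for rule in self.rules:
            if not rule.pattern.search(line):
                continue
            last = self.last_sent.get(rule.label)
            if last is not None and now - last < self.throttle_secs:
                continue                # same rule fired recently: suppress repeat
            self.last_sent[rule.label] = now
            argv = ["mail", "-s", f"snort: {rule.label}", rule.recipient]
            body = f"{rule.label}\n{line.rstrip()}\n"
            self.runner(argv, body)
            fired.append(argv)
        return fired


def follow(path, poll_secs=1.0):
    """Yield lines appended to `path`, starting at the current end of file
    (the swatch -t behaviour). Does not follow log rotation."""
    with open(path, "r", errors="replace") as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll_secs)


# Constructed sample approximating Snort's full-alert format (not a real capture).
SAMPLE_ALERTS = [
    "[**] [1:1002:2] WEB-IIS cmd.exe access [**]\n",
    "[Classification: Web Application Attack] [Priority: 1]\n",
    "05/23-10:20:01.123456 192.0.2.10:3456 -> 198.51.100.5:80\n",
    "[**] [1:1002:2] WEB-IIS cmd.exe access [**]\n",   # repeat inside the window
]


def replay(lines, watcher):
    """Feed already-captured lines through a watcher; returns every triggered argv."""
    return [argv for line in lines for argv in watcher.handle_line(line)]


if __name__ == "__main__":
    # Assumed default path; pass the real alert file as the first argument.
    alert_path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/snort/alert"
    watcher = AlertWatcher(RULES)
    for alert_line in follow(alert_path):
        watcher.handle_line(alert_line)
```

Run it as `python3 watch_alerts.py /home/snort/var/log/snort/alert` (or wherever your alert file lives) from a user that can read the file; if snort is chrooted, point it at the path as seen from outside the chroot. Replaying `SAMPLE_ALERTS` through a fresh watcher triggers exactly one mail: the second `cmd.exe` line is suppressed by the throttle, and the classification and packet-header lines match no rule.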
More information about the Snort-users mailing list