[Snort-users] snort email alert
mkettler at ...4108...
Thu May 23 08:34:06 EDT 2002
Well, I admit up front that I do not understand what exactly you are
looking for, since I do not understand your question very well. So what
follows is merely an educated guess of what might answer your question.

At any rate, swatch, logwatch and similar tools are "log watchers". They
watch a logfile on disk, periodically scanning the latest information in
it, and triggering various programs to be run if certain text strings
appear in the log.

Swatch can watch a syslog file, or any other logfile you want, like the
text mode snort alerts file.

So something along the lines of "swatch -t
/home/snort/var/log/snort/alert" is probably a good start, depending on
where you run snort from and where your alert file is. (yes I am paranoid,
yes I do chroot my snort daemon, no that's not where I chroot it to)

For your swatch configuration you might want something as simple as this:
/WEB-IIS cmd.exe access/ exec= "echo 'IIS cmd.exe' | mail me at ...5921..."

You can get a lot more elaborate, but I personally don't use this kind of
setup, so if you want something more detailed, you might want to ask a more
specific question to the list and let someone else answer it.

At 10:20 AM 5/23/2002 -0400, Math wrote:
>I've not found a good clear explanation of how to install a mail alert if my
>computer is scanned using snort. I got swatch and I think I can configure it
>in my syslog to alert me. Can anybody refer me to a good clear site or explain
>to me how I can configure it to get different kinds of email alerts?
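
The log-watcher loop described in this message (scan only what is new in the alert file, act when a string appears), written out in Python as an added example; it is not part of the original post and is not swatch's code. It goes beyond the message by throttling mail per rule and source address, so a scan that fires the same alert repeatedly does not become a mail flood. The Snort "fast" alert line layout, the names AlertWatcher, RULES and SAMPLE, the recipient address and the 300-second window are assumptions.

```python
import re
import time
from email.message import EmailMessage

# Snort "fast" alert: time [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+[\d.]+")

class AlertWatcher:
    def __init__(self, rules, rcpt, throttle=300, clock=time.time):
        self.rules = [(re.compile(p), subject) for p, subject in rules]
        self.rcpt, self.throttle, self.clock = rcpt, throttle, clock
        self.offset = 0       # bytes of the alert file already handled
        self.last_sent = {}   # (subject, source IP) -> time of last mail

    def poll(self, path):
        with open(path, "rb") as fh:
            if fh.seek(0, 2) < self.offset:   # file was rotated or truncated
                self.offset = 0
            fh.seek(self.offset)
            chunk = fh.read()
        end = chunk.rfind(b"\n") + 1    # half-written last line waits for next poll
        self.offset += end
        return self.process(chunk[:end].decode("utf-8", "replace").splitlines())

    def process(self, lines):
        mails = []
        for line in lines:
            m = ALERT_RE.match(line)
            for pattern, subject in (self.rules if m else ()):
                key, now = (subject, m["src"]), self.clock()
                recent = now - self.last_sent.get(key, float("-inf")) < self.throttle
                if not pattern.search(m["msg"]) or recent:
                    continue    # no match, or this rule and source mailed recently
                self.last_sent[key] = now
                mail = EmailMessage()   # alert text is mail data, never a shell argument
                mail["To"], mail["Subject"] = self.rcpt, f"[snort] {subject}"
                mail.set_content(line + "\n")
                mails.append(mail)
        return mails

# Constructed sample input (documentation addresses), not captured traffic.
RULES = [(r"WEB-IIS cmd\.exe access", "IIS cmd.exe")]
SAMPLE = [
    "05/23-10:20:01.000000  [**] [1:1002:2] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.0.2.10:1045 -> 198.51.100.5:80",
    "05/23-10:20:02.000000  [**] [1:1002:2] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.0.2.10:1046 -> 198.51.100.5:80",
    "05/23-10:21:07.000000  [**] [1:384:4] ICMP PING [**] [Priority: 3] {ICMP} 192.0.2.77 -> 198.51.100.5",
    "05/23-10:22:30.000000  [**] [1:1002:2] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.9:2200 -> 198.51.100.5:80",
]
```

Each returned message can be passed to `smtplib.SMTP(...).send_message()` from a loop that calls `poll()` on the alert file at a fixed interval.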