[Snort-users] snort output

Matt Kettler mkettler at ...4108...
Wed Jul 23 10:54:13 EDT 2003

At 10:32 AM 7/23/2003 -0600, Slighter, Tim wrote:
>How difficult would it be to configure an output for "sendmail" or "mail"
>since syslog, unified, tcpdump and others are already in place?  has anyone
>attempted this and if so would they have some recommendations on how anyone
>could work on this project?

It's in the FAQ. #5.9.

In short, no snort can't do it directly and you don't want it to, but you 
can use a secondary tool to do this.

5.9 How do I get snort to e-mail me alerts?

You can't. Such a process would slow Snort down too much to make it of any use.
Instead, log to syslog and use swatch or logcheck to parse over the plaintext

With the logsurfer docs, this might get you on the road to doing something with
snort & logsurfer:


JASON HAAR provided an example Swatch (3.1beta) config that emails alerts:


Here are some docs on swatch:

   * http://www.oit.ucsb.edu/~eta/swatch/
   * http://www.stanford.edu/~atkins/swatch
   * http://rr.sans.org/sysadmin/swatch.php
   * http://www.enteract.com/~lspitz/swatch.html
   * http://www.cert.org/security-improvement/implementations/i042.01.html

IDS Center (see FAQ 5) on Win32 will also mail alerts.

More information about the Snort-users mailing list