[Snort-users] emailing alerts

Edin Dizdarevic edin.dizdarevic at ...7509...
Wed Apr 21 10:49:08 EDT 2004


Hi,

try logsurfer, it's really good.

Create a non-privileged user logsurfer, and a directory
/var/log/logsurfer and /etc/logsurfer. Put this in the file
/etc/logsurfer/snort.conf:

# Report priority 1 alerts
'\[Classification: (.*)\] \[Priority: 1\]' - - - 0 open
	(.*) - 3 3 - pipe
	"/bin/mail -s \"\[SNORT SENSOR 1\] ALERT: Snort detected \
	a Priority 1 security incident\" admin at ...7717..."
#
# Ignore the rest
'(.*)' - - - 0 ignore

This will collect the 3 following lines in a container after a Prio 1
alert has occurred and mail them to the address admin at ...7717... after 3
seconds.

Start logsurfer like this:

su -c "/usr/local/bin/logsurfer -c /etc/logsurfer/snort.conf \
-l `wc -l /var/log/snort/alert | awk '{print $1}'` \
-d /var/log/logsurfer/ls_snort.dump -p /var/run/ls_snort.pid \
-f  /var/log/snort/alert &" logsurfer

The stuff about "`wc -l ..." is needed to start logsurfer from the last
line of the file, otherwise you need a really fast mail server ;) . Try
Postfix, it can handle over 20000 emails in a few minutes, tested by me
and logsurfer... ;)

A report mail should then look like this:

[Classification: Web Application Attack] [Priority: 1]
04/19/04-14:38:32.007925 0:E0:18:FE:17:D9 -> 0:2:B3:95:39:FB type:0x800 
len:0x5EA
172.16.0.1:48375 -> 10.0.0.10:80 TCP TTL:64 TOS:0x0 ID:37706 IpLen:20 
DgmLen:1500 DF
***A**** Seq: 0x51314FFA  Ack: 0xBD854F62  Win: 0x16D0  TcpLen: 20

Regards,
Edin

Scott Skrogstad schrieb:

> Is there any way I can get snort to alert me via email when
> there is a problem?  I have a couple of remote sites that
> I am trying to monitor but would like an email if there is
> a problem...
> 
> Scott
> 
> 

-- 
Edin Dizdarevic
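The logsurfer rule above does two things worth seeing in plain code: it skips the alerts already in the file (the `-l` offset seeded from `wc -l`), and it opens a container on every Priority 1 classification line, absorbs the next 3 lines, and hands the closed container to a mail command. The following Python script is an added example, not part of Edin's post or of logsurfer itself; it emulates those two behaviours over a constructed Snort full-alert log (made-up rule names, SIDs and addresses) and returns the would-be mail bodies instead of piping them to `/bin/mail`. The 3-second timeout of the original rule is not modelled; only the line limit closes a container here.

```python
import re
from typing import List, Optional

# Constructed sample in Snort's full-alert log format. Rule names, SIDs,
# MAC and IP addresses are made up for this example.
SAMPLE_ALERT_LOG = """\
[**] [1:1000001:1] CONSTRUCTED web attack rule [**]
[Classification: Web Application Attack] [Priority: 1]
04/19/04-14:38:32.007925 0:E0:18:FE:17:D9 -> 0:2:B3:95:39:FB type:0x800 len:0x5EA
172.16.0.1:48375 -> 10.0.0.10:80 TCP TTL:64 TOS:0x0 ID:37706 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x51314FFA  Ack: 0xBD854F62  Win: 0x16D0  TcpLen: 20

[**] [1:1000002:1] CONSTRUCTED probe rule [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/19/04-14:40:01.000001 0:E0:18:FE:17:D9 -> 0:2:B3:95:39:FB type:0x800 len:0x3C
172.16.0.1 -> 10.0.0.10 ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:28
Type:8  Code:0  ID:1234   Seq:1  ECHO
"""

# Same regex as the first rule in the posted snort.conf.
PRIO1_RE = re.compile(r"\[Classification: (.*)\] \[Priority: 1\]")


def collect_priority1_reports(lines: List[str], context_lines: int = 3,
                              start_line: int = 0) -> List[str]:
    """Emulate the posted logsurfer rules without the daemon.

    Lines before `start_line` are skipped, which is what seeding
    logsurfer's -l option with `wc -l` achieves: alerts already in the
    file are not mailed again on startup.
    A Priority 1 classification line opens a container; the container
    absorbs the next `context_lines` lines and is then closed and
    emitted as one report. Every other line falls through to the
    catch-all '(.*)' ignore rule, so the '[**] rule name [**]' line and
    Priority 2+ alerts never produce mail.
    """
    reports: List[str] = []
    container: Optional[List[str]] = None
    for line in lines[start_line:]:
        if container is not None:
            container.append(line)
            if len(container) == 1 + context_lines:
                reports.append("\n".join(container))
                container = None
            continue
        if PRIO1_RE.search(line):
            container = [line]
        # any other line: ignored
    if container is not None:  # file ended mid-container: flush what we have
        reports.append("\n".join(container))
    return reports


def format_mail(report: str, sensor: str = "SNORT SENSOR 1") -> str:
    """Build the message the posted rule pipes into /bin/mail.

    Subject text mirrors the -s argument in the post; the sensor name is
    a placeholder.
    """
    subject = f"[{sensor}] ALERT: Snort detected a Priority 1 security incident"
    return f"Subject: {subject}\n\n{report}\n"


if __name__ == "__main__":
    log_lines = SAMPLE_ALERT_LOG.splitlines()
    # Fresh start: nothing skipped, one Priority 1 report expected.
    for r in collect_priority1_reports(log_lines):
        print(format_mail(r))
    # Restart with the offset seeded like `wc -l`: nothing new to mail.
    print("pending after offset:",
          len(collect_priority1_reports(log_lines, start_line=len(log_lines))))
```

On the constructed log the first call yields one report of four lines, starting at the classification line and ending with the TCP flags line, exactly the shape of the report mail in the post; the second call, started at the current line count, yields nothing, which is the behaviour the `wc -l` trick buys on restart.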
