[Snort-users] E-mail alerting

Andy andy at ...12349...
Sun Sep 12 17:06:18 EDT 2004


Hi Prabu,

Excellent post, it prompted me to check out swatch. I had to install the
CPAN mods and the only thing different was that I had to install
Time-HiRes-1.63 instead of Time-HiRes-1.59.

They all installed ok.

I'm trying to get swatch to read the config file. I followed the directions,
but I'm getting an error:

[root at ...12350... etc]# swatch --config-file=/etc/swatchrc.txt
Global symbol "@page55" requires explicit package name at
/root/.swatch_script.3238 line 125.
Execution of /root/.swatch_script.3238 aborted due to compilation errors.

I put the config file in /etc and copied it exactly from below, except of
course I inserted my own email address.

Do you know what this error means?

What is the meaning of the line: /root/.swatch_script.3238 line 125.
(specifically the /root/ part.)

Thanks,

Drew
  -----Original Message-----
  From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of prabu
  Sent: Saturday, September 04, 2004 12:30 AM
  To: snort-users at lists.sourceforge.net; Carlos M Ospina
  Subject: Re: [Snort-users] E-mail alerting


  Hello Carlos,
              You can use Swatch to get emails alerts from Snort.

   Installing Swatch is just child's play, very easy. I have given below
the necessary steps to configure Swatch.
  Hope this will be useful. If you have any queries, you can write to me.


  Prabu.S




############################################################################



  CONFIGURATION STEPS TO SEND SNORT ALERTS AS E-MAIL:



  To receive Snort alerts as e-mail, one can follow the steps below:

  Swatch is the widely used open source tool to enable e-mail alerts in
  Snort. Swatch is a utility that monitors system log files, filters out
  unwanted data and takes specified actions (i.e., sending email, executing
  a script, etc.) based upon what it finds in the log files. So I have used
  Swatch to configure Snort to send the alerts as e-mail.

  NOTE:
    Here it is assumed that Snort has already been installed on the host
    on which this is to be tested.

  [a] Swatch installation:

  Download the swatch package, from
http://sourceforge.net/project/showfiles.php?group_id=68627
  To install, simply issue the following commands:

                 perl Makefile.PL
                 make
                 make test
                 make install
                 make realclean

  Swatch installs just like a CPAN module. If you are not familiar with this
process then you may want to read about it by issuing the command:

  man ExtUtils::MakeMaker

  Use the perldoc command if your man cannot find the document.

  If you see messages like these:

  Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
  Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
  Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
  Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.


  Then you need to install the CPAN module(s) that it doesn't find, before
you can use swatch.
  You can find these modules at http://search.cpan.org/.

  One must download the following Perl modules from search.cpan.org:

              1.Bit-Vector-6.3
              2.Date-Calc-5.3
              3.DateManip-5.42a
              4.File-Tail-0.98
              5.Time-HiRes-1.59
              6.TimeDate-1.16

  To install these Perl modules, one can follow the same steps as for
  Swatch. They are:

               perl Makefile.PL
               make
               make test
               make install
               make realclean

  The Swatch binary will be installed in the /opt/perl/bin/ directory.

  Then create the swatch configuration file.

  cat /etc/swatchrc.txt

  ==========================================================
  # Swatch configuration file
  #
  # Run as:
  #   swatch -c /etc/swatchrc.txt -t /var/log/snort/alert
  #
  ###   Snort Alerts
  ##  Watch for entries containing the word 'Priority' in the snort
  ##  alert file.
  ##  Display it in green on the screen.
  ##  Mail alert to alerts at ...10224... with the subject of the email
  ##  being "--- Snort IDS Alert ---".
  ##  Log in file /var/log/IDS-scans.
  ##
  ##  NOTE: the '@' in the mail address must be escaped as '\@'
  ##  (e.g. addresses=user\@example.com). swatch compiles this file into
  ##  a Perl script, and an unescaped '@domain' is parsed there as a Perl
  ##  array, which fails with
  ##  'Global symbol "@domain" requires explicit package name'.

  watchfor /Priority/
    echo green_h
    mail addresses=youruseraccount at ...12390...,subject=--- Snort IDS Alert ---
    exec echo $0 >> /var/log/IDS-scans
  ============================================================

  THE FINAL STEPS:

  [a] Start Snort in NIDS mode:

    #./snort -c /snort/iexpress/snort/etc/snort.conf -l /var/log/snort

  [b] Start swatch:

    cd /opt/perl/bin
    # -t/--tail-file: watch Snort's alert file instead of swatch's default system log
    #./swatch --config-file=/etc/swatchrc.txt --tail-file=/var/log/snort/alert

  [c] Using Outlook Express:

     Configure the user's POP3 account and you can receive the e-mails sent
     by Swatch for each alert that matches the "watchfor" pattern.




############################################################################


  Cheers,
  Prabu.S
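
  The swatchrc above fires its actions on every line that contains the
  word 'Priority'. In Snort's default full alert format each record spans
  several lines, with "[Priority: N]" on the second one, so swatch matches
  every single alert and the mail carries only that one line, without the
  rule name, timestamp or addresses that sit on the lines around it. As an
  added example (not code from this thread, from swatch or from Snort), the
  Python below parses whole records out of a constructed alert-file sample,
  keeps only the priorities worth mailing about (Snort uses 1 for the most
  severe) and builds the subject and body from the complete record. The
  sample alerts, the priority threshold and the output format are
  assumptions, not anything the post specifies.

```python
"""Parse Snort full-format alert records and pick the ones worth mailing.

Added example, not code from the mailing-list post, swatch or Snort.
Assumes Snort 2.x 'full' alert output (records separated by a blank line,
"[Priority: N]" on each record's second line). Sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of /var/log/snort/alert contents (full alert format).
SAMPLE_ALERT_FILE = """\
[**] [1:1000001:1] ICMP test ping [**]
[Classification: Misc activity] [Priority: 3]
09/12-17:01:03.412233 192.0.2.10 -> 192.0.2.1
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
Type:8  Code:0  ID:512   Seq:1  ECHO

[**] [1:1000002:2] WEB-ATTACKS /etc/passwd access [**]
[Classification: Web Application Attack] [Priority: 1]
09/12-17:02:44.901811 198.51.100.7:41022 -> 192.0.2.20:80
TCP TTL:52 TOS:0x0 ID:31337 IpLen:20 DgmLen:512 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0xFFFF  TcpLen: 20

[**] [1:1000003:1] SCAN nmap TCP [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/12-17:03:10.000120 203.0.113.5:55555 -> 192.0.2.20:22
TCP TTL:48 TOS:0x0 ID:0 IpLen:20 DgmLen:40
******S* Seq: 0x0  Ack: 0x0  Win: 0x400  TcpLen: 20
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# Classification is optional in Snort output; Priority is always present.
CLASS_RE = re.compile(r"^(?:\[Classification: (.*?)\] )?\[Priority: (\d+)\]$")
PACKET_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    timestamp: str
    src: str
    dst: str
    raw: str  # the whole record, which a per-line 'watchfor' never sees


def parse_alert_file(text: str) -> List[Alert]:
    """Split the alert file on blank lines and parse each record's first three lines."""
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue  # truncated record, e.g. Snort is still writing it
        header = HEADER_RE.match(lines[0])
        klass = CLASS_RE.match(lines[1])
        packet = PACKET_RE.match(lines[2])
        if not (header and klass and packet):
            continue  # not a full-format record; skip rather than guess
        alerts.append(Alert(
            gid=int(header.group(1)), sid=int(header.group(2)),
            rev=int(header.group(3)), msg=header.group(4),
            classification=klass.group(1), priority=int(klass.group(2)),
            timestamp=packet.group(1), src=packet.group(2), dst=packet.group(3),
            raw=block,
        ))
    return alerts


def select_for_mail(alerts: List[Alert], max_priority: int = 2) -> List[Alert]:
    """Keep alerts at or above the chosen severity (Snort: 1 is the highest)."""
    return [a for a in alerts if a.priority <= max_priority]


def format_mail(alert: Alert) -> Tuple[str, str]:
    """Build a subject/body pair that carries the full record, not just one line."""
    subject = (f"--- Snort IDS Alert --- P{alert.priority} {alert.msg} "
               f"({alert.src} -> {alert.dst})")
    body = (f"Rule: {alert.gid}:{alert.sid}:{alert.rev}\n"
            f"Classification: {alert.classification or 'n/a'}\n"
            f"Time: {alert.timestamp}\n\n{alert.raw}\n")
    return subject, body


if __name__ == "__main__":
    for a in select_for_mail(parse_alert_file(SAMPLE_ALERT_FILE), max_priority=2):
        subject, body = format_mail(a)
        print(subject)
        print(body)
```

  Run against the real file it would be fed the output of `tail -F
  /var/log/snort/alert` in chunks, and the records rejected as truncated
  would simply be retried once the next blank line arrives.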





    ----- Original Message -----
    From: Carlos M Ospina
    To: snort-users at lists.sourceforge.net
    Sent: Friday, September 03, 2004 7:08 PM
    Subject: [Snort-users] E-mail alerting



    Is there any way to configure, with ACID, automatic alerts by e-mail? Is
there any manual about that?

    Thanks in advance.


    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.751 / Virus Database: 502 - Release Date: 9/2/2004

