[Snort-users] E-mail alerting

M Shirk shirkdog_linux at ...125...
Mon Sep 13 10:14:01 EDT 2004


Swatch creates files for the user who is running swatch. So if you start 
swatch as root, it checks /root/.swatchrc for your configuration and creates 
the .script files.

Someone else could verify this but I think it compiles the perl script with 
your configuration options in the .swatchrc file.

The Global symbol error is a perl error, check your .swatchrc file and look 
for @page55, and check the actual Swatch script for this string. It may be a 
here document or some formatting that is messed up and being interpreted as 
code.

Shirkdog
http://www.shirkdog.us
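Added example (an editor's illustration, not code from this thread or from the swatch project): a small check that does what Shirkdog suggests by hand, scanning a .swatchrc for the string Perl is complaining about. It assumes that swatch copies values such as the mail address from .swatchrc into the generated /root/.swatch_script.NNNN in a double-quoted Perl context, so an unescaped `@` followed by letters is read as an array name and `use strict` rejects it with exactly the "Global symbol ... requires explicit package name" message; it also assumes that writing `\@` in the config is the accepted workaround and that `#` comment lines never reach the generated script. The sample config and error text are constructed for the example.

```python
import re

# Constructed sample configuration (not the one posted in the thread): one
# 'mail' action with an unescaped address and one comment that also has '@'.
SAMPLE_BAD = """# Swatch configuration file
# alerts go to ops@example.invalid
watchfor /Priority/
  echo green_h
  mail addresses=andy@page55.invalid,subject=--- Snort IDS Alert ---
  exec echo $0 >> /var/log/IDS-scans
"""

# Constructed Perl compile error in the shape the thread reports.
SAMPLE_ERROR = ('Global symbol "@page55" requires explicit package name at '
                '/root/.swatch_script.3238 line 125.')

# An '@' that is not preceded by a backslash and is followed by an identifier
# start is what Perl interpolates as an array inside a double-quoted string.
UNESCAPED_AT = re.compile(r'(?<!\\)@([A-Za-z_]\w*)')
PERL_SYMBOL_ERROR = re.compile(
    r'Global symbol "(@\w+)" requires explicit package name')


def find_interpolation_risks(config_text):
    """Return [(lineno, symbol, line)] for every unescaped '@word' in the
    config.  Assumption: swatch ignores '#' comment lines, so they are skipped."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        for m in UNESCAPED_AT.finditer(line):
            hits.append((lineno, '@' + m.group(1), stripped))
    return hits


def escape_at_signs(config_text):
    """Return the config with every unescaped '@' outside comments written as
    '\\@', the form Perl leaves alone inside a double-quoted string."""
    out = []
    for line in config_text.splitlines():
        if line.strip().startswith('#'):
            out.append(line)
        else:
            out.append(re.sub(r'(?<!\\)@', r'\\@', line))
    return '\n'.join(out) + '\n'


def locate_perl_symbol(error_text, config_text):
    """Map a Perl 'Global symbol' error back to the .swatchrc line numbers
    that contain that symbol unescaped.  Returns (symbol, [linenos])."""
    m = PERL_SYMBOL_ERROR.search(error_text)
    if not m:
        return None, []
    symbol = m.group(1)
    lines = [lineno for lineno, sym, _ in find_interpolation_risks(config_text)
             if sym == symbol]
    return symbol, lines


if __name__ == '__main__':
    symbol, where = locate_perl_symbol(SAMPLE_ERROR, SAMPLE_BAD)
    print('Perl complained about %s; found unescaped on config line(s) %s'
          % (symbol, where))
    fixed = escape_at_signs(SAMPLE_BAD)
    print('After escaping, remaining risks:', find_interpolation_risks(fixed))
```

Running it against a real /etc/swatchrc.txt (read the file into `config_text`) points at the offending line before swatch is restarted; comment lines are left untouched by `escape_at_signs`, so only the `mail addresses=` value changes.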


>From: "Andy" <andy at ...12349...>
>To: "prabu" <prabu333 at ...8908...>,<snort-users at lists.sourceforge.net>
>Subject: RE: [Snort-users] E-mail alerting
>Date: Sun, 12 Sep 2004 19:04:34 -0500
>
>Hi Prabu,
>
>Excellent post, it prompted me to check out swatch. I had to install the
>CPAN mods and the only thing different was that I had to install
>Time-HiRes-1.63 instead of Time-HiRes-1.59
>
>They all installed ok.
>
>I'm trying to get swatch to read the config file. I followed the directions,
>but I'm getting an error:
>
>[root at ...12350... etc]# swatch --config-file=/etc/swatchrc.txt
>Global symbol "@page55" requires explicit package name at
>/root/.swatch_script.3238 line 125.
>Execution of /root/.swatch_script.3238 aborted due to compilation errors.
>
>I put the config file in /etc and copied it exactly from below, except of
>course I inserted my own email address.
>
>Do you know what this error means?
>
>What is the meaning of the line: /root/.swatch_script.3238 line 125.
>(specifically the /root/ part.)
>
>Thanks,
>
>Drew
>   -----Original Message-----
>   From: snort-users-admin at lists.sourceforge.net
>[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of prabu
>   Sent: Saturday, September 04, 2004 12:30 AM
>   To: snort-users at lists.sourceforge.net; Carlos M Ospina
>   Subject: Re: [Snort-users] E-mail alerting
>
>
>   Hello Carlos,
>               You can use Swatch to get emails alerts from Snort.
>
>    Installing Swatch is just child's play, very easy. I have given below
>the necessary steps to configure Swatch.
>   Hope this will be useful. If you have any queries, you can write to me.
>
>
>   Prabu.S
>
>
>
>
>########################################################################################################################
>
>
>
>   CONFIGURATION STEPS TO SEND SNORT ALERTS AS E-MAIL:
>
>
>
>   To receive Snort alerts as E-mail, one can follow the following steps:
>
>   Swatch is the widely used open source tool to enable E-mail alerts in
>Snort. Swatch is a utility that monitors system log files, filters out
>unwanted data and takes specified actions (i.e., sending email, executing
>a script, etc.) based upon what it finds in the log files. So I have used
>   Swatch to configure snort to send the alerts as E-mail.
>
>   NOTE:
>     Here, it is considered that Snort has already been installed on the
>host on which this is to be tested.
>
>   [a] Swatch installation:
>
>   Download the swatch package, from
>http://sourceforge.net/project/showfiles.php?group_id=68627
>   To install, simply issue the following commands:
>
>                  perl Makefile.PL
>                  make
>                  make test
>                  make install
>                 make realclean
>
>   Swatch installs just like a CPAN module. If you are not familiar with this
>process then you may want to read about it by issuing the command:
>
>   man ExtUtils::MakeMaker
>
>   Use the perldoc command if your man cannot find the document.
>
>   If you see messages like these:
>
>   Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
>   Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
>   Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
>   Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.
>
>
>   Then you need to install the CPAN module(s) that it doesn't find, before
>you can use swatch.
>   You can find these modules at http://search.cpan.org/.
>
>   One must download following perl modules from the site search.cpan.org
>
>               1. Bit-Vector-6.3
>               2. Date-Calc-5.3
>               3. DateManip-5.42a
>               4. File-Tail-0.98
>               5. Time-HiRes-1.59
>               6. TimeDate-1.16
>
>   To install these Perl modules, one can follow the same steps as given for
>Swatch. They are:
>
>                perl Makefile.PL
>                make
>                make test
>                make install
>                make realclean
>
>   The Swatch binary will be installed at the /opt/perl/bin/ directory
>
>   Then create the swatch configuration file.
>
>   cat /etc/swatchrc.txt
>
>   ==========================================================
>   # Swatch configuration file
>
>          #
>          #
>          # swatch -c /etc/swatchrc -t /var/log/snort/alert
>          #
>          ###   Snort Alerts
>          ##  Watch for entries containing the word 'Priority' in the snort
>          ##  alert file.
>          ##  Display it in green on the screen
>          ##  Mail alert to alerts at ...10224... with subject of the email
>          ##   being "----Snort IDS Alert----"
>          ##  Log in file /var/log/IDS-scans
>
>
>          watchfor /Priority/
>          echo green_h
>          mail addresses=youruseraccount at ...12390... ,subject=--- Snort IDS Alert ---
>          exec echo $0 >> /var/log/IDS-scans
>
>    ============================================================
>
>   THE FINAL STEPS:
>
>   [a] Start Snort in NIDS mode:
>
>     #./snort -c /snort/iexpress/snort/etc/snort.conf -l /var/log/snort.
>
>   [b] Start swatch:
>
>     cd /opt/perl/bin
>     #./swatch --config-file=/etc/swatchrc.txt
>
>   [c] Using Outlook Express:
>
>      configure the User's POP3 account and you can receive the emails sent
>by Swatch for each alert based on the pattern matching the "watchfor"
>
>
>
>
>##########################################################################################################
>
>
>   Cheers,
>   Prabu.S
>
>
>
>
>
>     ----- Original Message -----
>     From: Carlos M Ospina
>     To: snort-users at lists.sourceforge.net
>     Sent: Friday, September 03, 2004 7:08 PM
>     Subject: [Snort-users] E-mail alerting
>
>
>
>     Is there any way to configure, with acid, automatic alerts by e-mail? Is
>there any manual about that?
>
>     Thanks in advance.
>
>
>     ---
>     Outgoing mail is certified Virus Free.
>     Checked by AVG anti-virus system (http://www.grisoft.com).
>     Version: 6.0.751 / Virus Database: 502 - Release Date: 9/2/2004





