[Snort-users] E-mail alerting

Jason security at ...5028...
Sat Sep 18 20:51:17 EDT 2004


I think the problem is that you need to escape the @ symbol: Perl is 
trying to reference the array @page55, which does not exist. You should 
make @page55 look like \@page55.


Andy wrote:

> Hi Prabu,
> 
> I cannot find this file. Locate does not find any files named
> swatch_script.*
> 
> Snort and Swatch are installed on the "tunes.page55.com" server, and the
> mailserver I want alerts to be sent to is another server called "page55.com"
> 
> Do I need a mail client running on Tunes? Sendmail is there by default. I'm
> not sure how it works, but I'm guessing that Snort would use the default
> email client to send an email...
> 
> Thank you for your reply, I wish I could get you the script info... I will
> continue hunting .....
> 
> Andy
> 
> 
> 
>  -----Original Message-----
> From: prabu [mailto:prabu333 at ...8908...]
> Sent: Tuesday, September 14, 2004 1:08 AM
> To: Andy; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] E-mail alerting
> 
> 
>   Hi Andy,
>         I was busy with my work for the past three days, I didn't even check
> the snort list. Just now I checked my mails and saw your request. Well, I could
> not come to a conclusion what might be the error. Send the line in your
> script (i.e., /root/.swatch_script.3238) where the error points. I think the
> mail-id was the problem for the error.
> 
>   First, are you running snort on the "page555" server or the "tunes" server?
> What is the hostname of the machine where you have installed Snort and Swatch?
>   See, you can send alerts to the user accounts on the machine where you have
> installed all that stuff. So change the email-id in the configuration
> file.
>   This would help you, I hope.
> 
>   NOTE:
>   /root/.swatch_script.3238  ---- this is the script that is generated
> automatically while running swatch.
> 
> 
> 
>   Cheers,
>   Prabu.S
>     ----- Original Message -----
>     From: Andy
>     To: prabu ; snort-users at lists.sourceforge.net
>     Sent: Monday, September 13, 2004 5:34 AM
>     Subject: RE: [Snort-users] E-mail alerting
> 
> 
>     Hi Prabu,
> 
>     Excellent post, it prompted me to check out swatch. I had to install the
> CPAN mods and the only thing different was that I had to install
> Time-HiRes-1.63 instead of Time-HiRes-1.59.
> 
>     They all installed ok.
> 
>     I'm trying to get swatch to read the config file. I followed the
> directions, but I'm getting an error:
> 
>     [root at ...12350... etc]# swatch --config-file=/etc/swatchrc.txt
>     Global symbol "@page55" requires explicit package name at
> /root/.swatch_script.3238 line 125.
>     Execution of /root/.swatch_script.3238 aborted due to compilation
> errors.
> 
>     I put the config file in /etc and copied it exactly from below, except
> of course I inserted my own email address.
> 
>     Do you know what this error means?
> 
>     What is the meaning of the line: /root/.swatch_script.3238 line 125.
> (specifically the /root/ part.)
> 
>     Thanks,
> 
>     Drew
>       -----Original Message-----
>       From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of prabu
>       Sent: Saturday, September 04, 2004 12:30 AM
>       To: snort-users at lists.sourceforge.net; Carlos M Ospina
>       Subject: Re: [Snort-users] E-mail alerting
> 
> 
>       Hello Carlos,
>                   You can use Swatch to get email alerts from Snort.
> 
>        Installing Swatch is just child's play, very easy. I have given
> below the necessary steps to configure Swatch.
>       Hope this will be useful. If you have any queries, you can write to
> me.
> 
> 
>       Prabu.S
> 
> 
> 
> 
> ########################################################################################################################
> 
> 
> 
>       CONFIGURATION STEPS TO SEND SNORT ALERTS AS E-MAIL:
> 
> 
> 
>       To receive Snort alerts as E-mail, one can follow these steps:
> 
>       Swatch is the widely used open source tool to enable E-mail alerts in
> Snort. Swatch is a utility that monitors system log files, filters out
> unwanted data and takes specified actions (i.e., sending email, executing a
> script, etc.) based upon what it finds in the log files. So I have used
> Swatch to configure snort to send the alerts as E-mail.
> 
>       NOTE:
>         Here, it is considered that snort has already been installed on the
> host on which this is to be tested.
> 
>       [a] Swatch installation:
> 
>       Download the swatch package, from
> http://sourceforge.net/project/showfiles.php?group_id=68627
>       To install, simply issue the following commands:
> 
>                      perl Makefile.PL
>                      make
>                      make test
>                      make install
>                      make realclean
> 
>       Swatch installs just like a CPAN module. If you are not familiar with
> this process then you may want to read about it by issuing the command:
> 
>       man ExtUtils::MakeMaker
> 
>       Use the perldoc command if your man cannot find the document.
> 
>       If you see messages like these:
> 
>       Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
>       Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
>       Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
>       Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.
> 
> 
>       Then you need to install the CPAN module(s) that it doesn't find,
> before you can use swatch.
>       You can find these modules at http://search.cpan.org/.
> 
>       One must download the following perl modules from the site search.cpan.org:
> 
>                   1.Bit-Vector-6.3
>                   2.Date-Calc-5.3
>                   3.DateManip-5.42a
>                   4.File-Tail-0.98
>                   5.Time-HiRes-1.59
>                   6.TimeDate-1.16
> 
>       To install these perl modules, one can follow the same steps as given
> for Swatch. They are:
> 
>                    perl Makefile.PL
>                    make
>                    make test
>                    make install
>                    make realclean
> 
>       The Swatch binary will be installed at the /opt/perl/bin/ directory
> 
>       Then create the swatch configuration file:
> 
>       cat /etc/swatchrc.txt
> 
>       ==========================================================
>       # Swatch configuration file
>       #
>       #
>       # swatch -c /etc/swatchrc -t /var/log/snort/alert
>       #
>       ###  Snort Alerts
>       ##  Watch for entries containing the word 'Priority' in the snort alert file.
>       ##  Display it in green on the screen
>       ##  Mail alert to alerts at ...10224... with subject of the email
>       ##  being "----Snort IDS Alert----"
>       ##  Log in file /var/log/IDS-scans
> 
>       watchfor /Priority/
>         echo green_h
>         mail addresses=youruseraccount at ...12390... ,subject=--- Snort IDS Alert ---
>         exec echo $0 >> /var/log/IDS-scans
>       ==========================================================
> 
>       THE FINAL STEPS:
> 
>       [a] Start Snort in NIDS mode:
> 
>         #./snort -c /snort/iexpress/snort/etc/snort.conf -l /var/log/snort
> 
>       [b] Start swatch:
> 
>         cd /opt/perl/bin
>         #./swatch --config-file=/etc/swatchrc.txt
> 
>       [c] Using Outlook Express:
> 
>          configure the user's POP3 account and you can receive the emails
> sent by Swatch for each alert based on the pattern
>          matching the "watchfor".
> 
> 
> 
> 
> ##########################################################################################################
> 
> 
>       Cheers,
>       Prabu.S
> 
> 
> 
> 
> 
>         ----- Original Message -----
>         From: Carlos M Ospina
>         To: snort-users at lists.sourceforge.net
>         Sent: Friday, September 03, 2004 7:08 PM
>         Subject: [Snort-users] E-mail alerting
> 
> 
> 
>         Is there any way to configure, with ACID, automatic alerts by e-mail?
> Is there any manual about that?
> 
>         Thanks in advance.
> 
> 
>         ---
>         Outgoing mail is certified Virus Free.
>         Checked by AVG anti-virus system (http://www.grisoft.com).
>         Version: 6.0.751 / Virus Database: 502 - Release Date: 9/2/2004
> 
> 
> 
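An added example, not code from the thread or from swatch itself: a small Python checker that parses a swatchrc like the one Prabu posted, flags a "mail addresses=" value whose @ is not escaped (the cause of the "Global symbol @page55" error) and shows the \@ form Jason recommends, then runs the watchfor pattern over constructed Snort alert lines to show which ones would be mailed. The mailbox alerts@page55.com, the rule ids and the alert lines are constructed for the example.

```python
import re
# Constructed swatchrc modelled on the one in the thread; alerts@page55.com is a
# constructed mailbox. Swatch rewrites this file into a Perl script, where an
# unescaped "@" becomes array interpolation: the "Global symbol" error above.
SWATCHRC = r"""
# Swatch configuration file
watchfor /Priority/
  echo green_h
  mail addresses=alerts@page55.com,subject=--- Snort IDS Alert ---
  exec echo $0 >> /var/log/IDS-scans
"""

# Constructed Snort fast-alert style lines (not real alerts); only the first
# carries the "Priority" token that the watchfor pattern looks for.
ALERT_LOG = [
    "09/18-20:51:17.000001  [**] [1:1000001:1] CONSTRUCTED TEST [**] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.1",
    "09/18-20:51:18.000002  [**] [1:1000002:1] CONSTRUCTED NOISE [**] [Classification: Misc] {TCP} 10.0.0.5:1234 -> 10.0.0.1:80",
]

UNESCAPED_AT = re.compile(r"(?<!\\)@")   # an "@" not already escaped as "\@"

def parse_swatchrc(text):
    """Return [(compiled watchfor regex, [action lines])] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"watchfor\s+/(.*)/", line)
        if m:
            rules.append((re.compile(m.group(1)), []))
        elif rules:                      # action line belongs to the last watchfor
            rules[-1][1].append(line)
    return rules

def lint_mail_addresses(rules):
    """(address, escaped address) for every 'mail addresses=' value with a bare '@'."""
    problems = []
    for _, actions in rules:
        for act in actions:
            m = re.match(r"mail\s+addresses=([^,]+)", act)
            if m and UNESCAPED_AT.search(m.group(1)):
                addr = m.group(1).strip()
                problems.append((addr, UNESCAPED_AT.sub(r"\\@", addr)))
    return problems

def matching_alerts(rules, log_lines):
    """Alert-file lines some watchfor fires on: what swatch would echo, mail and log."""
    return [l for l in log_lines if any(rx.search(l) for rx, _ in rules)]
```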