[Snort-users] E-mail alerting

Andy andy at ...12349...
Sun Sep 19 20:31:02 EDT 2004


-----Original Message-----
From: Andy [mailto:andy at ...12349...]
Sent: Sunday, September 19, 2004 10:21 PM
To: Jason; snort-users at ...7270...
Subject: RE: [Snort-users] E-mail alerting



Well, I've changed swatchrc.txt back to logging to /var/log/IDS-scans, but I'm
not seeing a difference.

started snort: [root at ...12350... andy]# snort -c /etc/snort/snort.conf -l /var/log/IDS-scans

snort is actively logging.

started swatch: [root at ...12350... andy]# swatch --config-file=/etc/swatchrc.txt

after emailing the first alert, even if I restart both snort and swatch,
still nothing.

I can only seem to get it to work 1 time if I reboot the box.

any other ideas?

Andy
-----Original Message-----
From: Jason [mailto:security at ...5028...]
Sent: Sunday, September 19, 2004 9:57 PM
To: Andy
Subject: Re: [Snort-users] E-mail alerting


could this be related to the change you made to the logging path?

Andy wrote:

> Urr.. maybe not.  Swatch seems to be working until it gets the first alert.
>
> Upon getting the alert this message comes up:
>
> *** swatch version 3.1.1 (pid:901) started at Sun Sep 19 19:34:12 CDT 2004
>
> sh: /var/log/snort: Is a directory
>
> after this, swatch does not send anymore email alerts. Snort continues to
> log as normal.
>
> Anybody?
>
> Andy
>   -----Original Message-----
>   From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Andy
>   Sent: Sunday, September 19, 2004 6:20 PM
>   To: snort-users at lists.sourceforge.net
>   Subject: RE: [Snort-users] E-mail alerting
>
>
>   OK, the mail issue is fixed. I needed to add "tunes.page55.com" to my
> relay_from_host list in the mail server's main config file.
>
>   AND Swatch works!  Thanks to all who gave their input.
>
>   This issue is officially closed!
>
>   Andy
>     -----Original Message-----
>     From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Andy
>     Sent: Saturday, September 18, 2004 10:36 PM
>     To: snort-users at lists.sourceforge.net
>     Subject: RE: [Snort-users] E-mail alerting
>
>
>     I'm now thinking it may be a Mail problem, because I can't send a test
> message to the mailserver.  I know this isn't the place for mail support,
> but just hoping someone would be able to give input either way by looking at
> my mail test:
>     ------------------------------------------------------------------------------
>     [andy at ...12350... andy]$ mail -iInv -s "testing" andy at ...12349...
>     EOT
>     Null message body; hope that's ok
>     andy at ...12449... Connecting to mail.page55.com. via esmtp...
>     220 simon.page55.com ESMTP Exim 4.30 Sat, 18 Sep 2004 22:33:36 -0500
>     >>> EHLO tunes.page55.com
>     250-simon.page55.com Hello tunes.page55.com [192.168.1.1]
>     250-SIZE 52428800
>     250-PIPELINING
>     250 HELP
>     >>> MAIL From:<andy at ...12450...> SIZE=38
>     250 OK
>     >>> RCPT To:<andy at ...12349...>
>     550-Verification failed for <andy at ...12450...>
>     550-Unrouteable address
>     550 Sender verify failed
>     >>> RSET
>     250 Reset OK
>     /home/andy/dead.letter... Saved message in /home/andy/dead.letter
>     Closing connection to mail.page55.com.
>     >>> QUIT
>     221 simon.page55.com closing connection
>     ------------------------------------------------------------------------------
>
>     FYI, I've never tried to send emails from this box before...
>
>     Thanks,
>     Andy
>       -----Original Message-----
>       From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Andy
>       Sent: Saturday, September 18, 2004 10:00 PM
>       To: snort-users at lists.sourceforge.net
>       Subject: RE: [Snort-users] E-mail alerting
>
>
>       JUST SOME ADDITIONAL INFORMATION:
>       you wrote:
>       > I was busy with my work for past three days, I didn't even check
>       > snort list. Just now, I checked my mails, saw your request. Well, I
>       > could not get into a conclusion, what might be the error. Send the
>       > line in your script (ie, /root/.swatch_script.3238), where the error
>       > points out. I think, the mail-id was the problem for the error.
>
>
>       this is line 125 that was giving me the error before I removed the
> ADDRESS portion of the mail command:
>       ------------------------------------------------------------------------------
>        $swatch_last_flush = $swatch_time_now;
>           }
>
>           if (/Priority/) {
>               &Swatch::Actions::send_email('ADDRESSES' => "andy\@page55.com", 'MESSAGE' => "$_", 'SUBJECT' => "--- Snort IDS Alert ---", );
>               &Swatch::Actions::exec_command('MESSAGE' => "$_", 'COMMAND' => "echo $0 >> /var/log/snort", );
>             next;
>       ------------------------------------------------------------------------------
>
>       AND FYI, I DID verify that snort is actively logging .....
>
>       thanks,
>       Andy
>         -----Original Message-----
>         From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Andy
>         Sent: Saturday, September 18, 2004 9:34 PM
>         To: snort-users at lists.sourceforge.net
>         Subject: RE: [Snort-users] E-mail alerting
>
>
>         Ok, I think I'm getting close.
>
>
>         In /etc/swatchrc.txt,  I removed the ADDRESS part of the mail
> command, and swatch now runs, AND the /root/.swatch_script.1234 file is
> created and I can actually find it.
>
>         I get this:
>         *** swatch version 3.1.1 (pid:2009) started at Sat Sep 18 19:44:05 CDT 2004
>
>         To test, I did a port scan, and this popped up:
>
>         Invalid attribute name green_h at /usr/lib/perl5/site_perl/5.6.1/Swatch/Actions.pm line 58
>
>          I commented the "echo green_h" line out, and I don't get the
> "Invalid attribute name........" error anymore.
>
>         Still not getting email alerts however. Do I need the "echo green_h"?
>         I would think not....
>
>         Next, I changed the logging path to /var/log/snort to match snort:
>
>         [root at ...12350... andy]# snort -c /etc/snort/snort.conf -l /var/log/snort
>         Running in IDS mode
>         Log directory = /var/log/snort
>
>         Still not getting email alerts however.
>
>         This is my current swatchrc file:
>
>         [root at ...12350... etc]# more swatchrc.txt
>         # Swatch configuration file
>
>                #
>                #
>                # swatch -c /etc/swatchrc -t /var/log/snort/alert
>                #
>                ###   Snort Alerts
>                ##  Watch for entries containing the word 'Priority' in the
>                ##  snort alert file.
>                ##  Display it in green on the screen
>                ##  Mail alert to alerts at ...10224... with subject of the
>                ##  email being "----Snort IDS Alert----"
>                ##  Log in file /var/log/IDS-scans
>
>
>                watchfor /Priority/
>               # echo green_h
>                mail andy at ...12349... ,subject=--- Snort IDS Alert ---
>                exec echo $0 >> /var/log/snort
>
>         Any ideas, I've got to be sooooo close.....
>
>         Thanks,
>
>         Andy
>           -----Original Message-----
>           From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Andy
>           Sent: Saturday, September 18, 2004 8:01 PM
>           To: snort-users at lists.sourceforge.net
>           Subject: RE: [Snort-users] E-mail alerting
>
>
>           Hi Prabu,
>
>           I cannot find this file. Locate does not find any files named
> swatch_script.*
>
>           Snort and Swatch are installed on the "tunes.page55.com" server,
> and the mailserver I want alerts to be sent to is another server called
> "page55.com"
>
>           Do I need a mail client running on Tunes? Sendmail is there by
> default. I'm not sure how it works, but I'm guessing that Snort would use
> the default email client to send an email...
>
>           Thank you for your reply, I wish I could get you the script info...
>           I will continue hunting .....
>
>           Andy
>
>
>
>            -----Original Message-----
>           From: prabu [mailto:prabu333 at ...8908...]
>           Sent: Tuesday, September 14, 2004 1:08 AM
>           To: Andy; snort-users at lists.sourceforge.net
>           Subject: Re: [Snort-users] E-mail alerting
>
>
>             Hi Andy,
>                   I was busy with my work for past three days, I didn't even
> check snort list. Just now, I checked my mails, saw your request. Well, I could
> not get into a conclusion, what might be the error. Send the line in your
> script (ie, /root/.swatch_script.3238), where the error points out. I think,
> the mail-id was the problem for the error.
>
>             First, are you running snort on the "page555" server or the "tunes"
> server? What is the hostname of the machine where you have installed Snort
> and Swatch?
>             See, you can send alerts to the user accounts on the machine where
> you have installed all that stuff. So change the email-id in the
> configuration file.
>             This would help you, I hope.
>
>             NOTE:
>             /root/.swatch_script.3238 ---- this is the script that is
> generated automatically while running swatch.
>
>
>
>             Cheers,
>             Prabu.S
>               ----- Original Message -----
>               From: Andy
>               To: prabu ; snort-users at lists.sourceforge.net
>               Sent: Monday, September 13, 2004 5:34 AM
>               Subject: RE: [Snort-users] E-mail alerting
>
>
>               Hi Prabu,
>
>               Excellent post, it prompted me to check out swatch. I had to
> install the CPAN mods and the only thing different was that I had to install
> Time-HiRes-1.63 instead of Time-HiRes-1.59.
>
>               They all installed ok.
>
>               I'm trying to get swatch to read the config file. I followed
> the directions, but I'm getting an error:
>
>               [root at ...12350... etc]# swatch --config-file=/etc/swatchrc.txt
>               Global symbol "@page55" requires explicit package name at
> /root/.swatch_script.3238 line 125.
>               Execution of /root/.swatch_script.3238 aborted due to
> compilation errors.
>
>               I put the config file in /etc and copied it exactly from
> below, except of course I inserted my own email address.
>
>               Do you know what this error means?
>
>               What is the meaning of the line: /root/.swatch_script.3238
> line 125.  (specifically the /root/ part.)
>
>               Thanks,
>
>               Drew
>                 -----Original Message-----
>                 From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of prabu
>                 Sent: Saturday, September 04, 2004 12:30 AM
>                 To: snort-users at lists.sourceforge.net; Carlos M Ospina
>                 Subject: Re: [Snort-users] E-mail alerting
>
>
>                 Hello Carlos,
>                             You can use Swatch to get email alerts from
> Snort.
>
>                  Installing Swatch is just child's play, very easy. I have
> given below the necessary steps to configure Swatch.
>                 Hope this will be useful. If you have any queries, you can
> write to me.............................
>
>
>                 Prabu.S
>
>
>
>
>
> ############################################################################
>
>
>
>                 CONFIGURATION STEPS TO SEND SNORT ALERTS AS E-MAIL:
>
>
>
>                 To receive Snort alerts as E-mail, one can follow the
> following steps:
>
>                 Swatch is the widely used open source tool to enable E-mail
> alerts in Snort. Swatch is a utility that monitors system log files, filters
> out unwanted data and takes specified actions (i.e., sending email, executing
> a script, etc.) based upon what it finds in the log files. So I have used
> Swatch to configure snort to send the alerts as E-mail.
>
>                 NOTE:
>                   Here, it is assumed that snort has already been installed
> on the host on which this is to be tested.
>
>                 [a] Swatch installation:
>
>                 Download the swatch package, from
> http://sourceforge.net/project/showfiles.php?group_id=68627
>                 To install, simply issue the following commands:
>
>                                perl Makefile.PL
>                                make
>                                make test
>                                make install
>                               make realclean
>
>                 Swatch installs just like a CPAN module. If you are not
> familiar with this process then you may want to read about it by issuing the
> command:
>
>                 man ExtUtils::MakeMaker
>
>                 Use the perldoc command if your man cannot find the
> document.
>
>                 If you see messages like these:
>
>                 Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
>                 Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
>                 Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
>                 Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.
>
>
>                 Then you need to install the CPAN module(s) that it doesn't
> find, before you can use swatch.
>                 You can find these modules at http://search.cpan.org/.
>
>                 One must download following perl modules from the site
> search.cpan.org
>
>                             1.Bit-Vector-6.3
>                             2.Date-Calc-5.3
>                             3.DateManip-5.42a
>                             4.File-Tail-0.98
>                             5.Time-HiRes-1.59
>                             6.TimeDate-1.16
>
>                 To install these perl modules, one can follow the same steps
> as said for Swatch.
>                 They are,
>
>                              perl Makefile.PL
>                              make
>                              make test
>                              make install
>                              make realclean
>
>                 The Swatch binary will be installed at the /opt/perl/bin/
> directory
>
>                 Then create the swatch configuration file.
>
>                 cat /etc/swatchrc.txt
>
>                 ==========================================================
>                 # Swatch configuration file
>
>                        #
>                        #
>                        # swatch -c /etc/swatchrc -t /var/log/snort/alert
>                        #
>                        ###   Snort Alerts
>                        ##  Watch for entries containing the word 'Priority'
>                        ##  in the snort alert file.
>                        ##  Display it in green on the screen
>                        ##  Mail alert to alerts at ...10224... with subject
>                        ##  of the email being "----Snort IDS Alert----"
>                        ##  Log in file /var/log/IDS-scans
>
>
>                        watchfor /Priority/
>                        echo green_h
>                        mail addresses=youruseraccount at ...12390...,subject=--- Snort IDS Alert ---
>                        exec echo $0 >> /var/log/IDS-scans
>
>
> ============================================================
>
>                 THE FINAL STEPS:
>
>                 [a] Start Snort in NIDS mode:
>
>                   #./snort -c /snort/iexpress/snort/etc/snort.conf -l /var/log/snort
>
>                 [b] Start swatch:
>
>                   cd /opt/perl/bin
>                   #./swatch --config-file=/etc/swatchrc.txt
>
>                 [c] Using Outlook Express:
>
>                    configure the User's POP3 account and you can receive the
> emails sent by Swatch for each alert based on the pattern matching the
> "watchfor"
>
>
>
>
>
> ############################################################################
>
>
>                 Cheers,
>                 Prabu.S
>
>
>
>
>
>                   ----- Original Message -----
>                   From: Carlos M Ospina
>                   To: snort-users at lists.sourceforge.net
>                   Sent: Friday, September 03, 2004 7:08 PM
>                   Subject: [Snort-users] E-mail alerting
>
>
>
>                   Is there any way to configure, with ACID, automatic alerts
> by e-mail? Is there any manual about that?
>
>                   Thanks in advance.
>
>
>                   ---
>                   Outgoing mail is certified Virus Free.
>                   Checked by AVG anti-virus system (http://www.grisoft.com).
>                   Version: 6.0.751 / Virus Database: 502 - Release Date: 9/2/2004
>
>
>
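An added example, written for this edit and not code from the thread, from swatch or from Snort: a small Python stand-in for the `watchfor /Priority/` / `mail` / `exec echo $0 >> ...` swatchrc above, worked against Snort's default "full" alert format. It makes three points the thread only hints at. The full format puts `[Priority: N]` on its own line, so an action that receives only the matched line (swatch's `$0`) mails that line without the signature message, timestamp or addresses; the example parses whole alert blocks instead. Appending to `/var/log/snort`, which is Snort's log directory, is what produced `sh: /var/log/snort: Is a directory`; the example refuses a directory explicitly rather than failing silently. And a relay rejection like the `550 Sender verify failed` above is caught per alert, so one bad delivery does not stop the watcher. The alert text is constructed sample data; the addresses, log path and the `deliver` hook are assumptions, not values from the page.

```python
"""Stand-in for the swatchrc in the thread: parse Snort alerts, log, mail.
Added example; not code from the thread, swatch or Snort. Sample alerts,
addresses and paths are constructed or assumed, not taken from the page."""
import email.message
import os
import re
import tempfile
from collections import namedtuple
from typing import Callable, Iterator

# Constructed sample in Snort's default "full" alert format. Each alert is a
# blank-line-separated block with "[Priority: N]" on its own line, so a watcher
# that mails only the matched line (swatch's $0) would send that line alone,
# without the signature message, timestamp, or addresses.
SAMPLE_ALERT_FILE = """\
[**] [1:1000001:1] SAMPLE port scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/19-19:34:12.000001 192.168.1.5:40000 -> 192.168.1.1:22

[**] [1:1000002:1] SAMPLE web attack [**]
[Classification: Web Application Attack] [Priority: 1]
09/19-19:34:13.000001 192.168.1.5:40001 -> 192.168.1.1:80

[**] [1:1000003:1] SAMPLE noise [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
09/19-19:34:14.000001 192.168.1.5:40002 -> 192.168.1.1:53
"""
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+:\d+:\d+)\] (.*?) \[\*\*\]")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
# priority: Snort's 1 is the most severe; text: the whole block, which is what
# the mail should carry rather than the single "Priority" line.
Alert = namedtuple("Alert", "sid msg priority text")
Sender = Callable[[email.message.EmailMessage], None]


def parse_alerts(data: str) -> Iterator[Alert]:
    """Split full-format output into alert blocks, skipping incomplete ones."""
    for block in re.split(r"\n\s*\n", data.strip()):
        header, prio = HEADER_RE.search(block), PRIORITY_RE.search(block)
        if header and prio:
            yield Alert(header.group(1), header.group(2), int(prio.group(1)), block)


def append_log(path: str, alert: Alert) -> None:
    """'exec echo $0 >> /var/log/snort' in the thread failed with 'Is a
    directory' because that is Snort's log directory; fail loudly instead."""
    if os.path.isdir(path):
        raise IsADirectoryError(f"log target {path} is a directory, not a file")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(alert.text + "\n")


def build_message(alert: Alert, src: str, dst: str) -> email.message.EmailMessage:
    msg = email.message.EmailMessage()
    msg["From"], msg["To"] = src, dst
    msg["Subject"] = f"--- Snort IDS Alert --- [{alert.sid}] {alert.msg} (priority {alert.priority})"
    msg.set_content(alert.text)
    return msg


def process(data: str, log_path: str, src: str, dst: str, deliver: Sender,
            max_priority: int = 2):
    """Log and mail each alert with priority <= max_priority (1 and 2 by default).
    Returns (mailed, failed); one failed delivery does not stop the others."""
    mailed = failed = 0
    for alert in parse_alerts(data):
        if alert.priority > max_priority:
            continue
        append_log(log_path, alert)
        try:
            deliver(build_message(alert, src, dst))
            mailed += 1
        except OSError:  # smtplib.SMTPException is an OSError subclass
            failed += 1
    return mailed, failed


def run_demo() -> dict:
    """Offline run on the sample: mail is collected in a list, not sent."""
    outbox, src, dst = [], "snort@tunes.example", "andy@example.invalid"  # assumed
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "IDS-scans")
        mailed, failed = process(SAMPLE_ALERT_FILE, log, src, dst, outbox.append)
        with open(log, encoding="utf-8") as fh:
            logged = fh.read().count("[**] [1:")
        try:  # a directory as log target must fail, not silently drop alerts
            process(SAMPLE_ALERT_FILE, tmp, src, dst, outbox.append)
            dir_refused = False
        except IsADirectoryError:
            dir_refused = True

        def refuse(msg):  # constructed relay rejection, like the thread's 550
            raise OSError("550 Sender verify failed")
        _, mail_failures = process(SAMPLE_ALERT_FILE, log, src, dst, refuse)
    return {"mailed": mailed, "failed": failed, "logged": logged,
            "dir_refused": dir_refused, "mail_failures": mail_failures,
            "subjects": [str(m["Subject"]) for m in outbox],
            "first_body": outbox[0].get_content()}


if __name__ == "__main__":
    print(run_demo())
```

For real delivery, pass a `deliver` function that opens `smtplib.SMTP(relay, 25)` and calls `send_message(msg)`; `smtplib.SMTPException` derives from `OSError`, so a 5xx rejection lands in the `failed` count instead of killing the run. Following a live file means reading `/var/log/snort/alert` as it grows and splitting on blank lines, which the example leaves out; alternatively, Snort's `output alert_fast` writes one line per alert, which is the shape a line-oriented tool like swatch expects.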





