[Snort-users] automatically generate and email a daily report?

Martin Holste mcholste at ...11827...
Tue Dec 13 12:09:58 EST 2011


If you're only processing the alerts, then Splunk personal edition
will almost certainly remain under 500 MB per day, which is the limit
of the free version.  If you really only want a printout, then do
something like what James is doing with a shell script as you're not
going to beat that for simplicity.  However, if you use Splunk, then
doing the drill-down becomes much easier.

Since you're not up for even Snorby, it's probably not for you, but my
ELSA log project is for industrial-strength searching/reporting which
would do what you want, albeit with a bit more setup.  I will lastly
point you to Security Onion, which is an ISO that will have you up and
running with Snort and Sguil (a solid interface for viewing Snort
alert data as well as session and other data) in minutes with minimal
configuration.

On Mon, Dec 12, 2011 at 3:23 PM, Lay, James <james.lay at ...15009...> wrote:
>> -----Original Message-----
>> From: MLP SCADA [mailto:MLPSCADA at ...15411...]
>> Sent: Monday, December 12, 2011 1:38 PM
>> To: 'snort-users at lists.sourceforge.net'
>> Subject: [Snort-users] automatically generate and email a daily report?
>>
>>
>> Hey folks.
>>
>> I've got snort/barnyard2 populating a mysql database.  I've got base running as a front end.
>>
>> What I'd like to do is automatically email a once a day summary of the last 24 hours unique alerts to the on-calls, similar to the unique daily summary that base provides.
>>
> <snip>
>> What other options do folks use for a daily summary email to the relevant folks?
>>
>> Thanks!
>
> I use the fast file as the method of finding alert types... then send
> that yesterdaysalerts.txt to yourself and away you go.  I have this run
> in a cron job at 11:59 and am greeted with a slick email at 8 am
> every day with all the types of crud that happened the day before.
> Season to taste for file locals... hope that helps.
>
> James
>
> #!/bin/bash
> # Pull today's lines from the fast-format alert log, drop the timestamp and
> # [**] marker, discard SHELLCODE noise, strip the Priority/address tail and
> # keep one line per distinct alert.
> sudo grep "$(date +%m/%d)" /var/log/all.fast \
>   | awk '{ for (i = 3; i <= NF; i++) printf("%s ", $i); printf("\n") }' \
>   | grep -v SHELLCODE \
>   | sed 's/Priority.*$//' \
>   | sed 's/\[$//' \
>   | sort -u > yesterdaysalerts.txt
>
>
>
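The pipeline James describes, as an added example that is not his script or anything from the Snort project: it reads Snort's fast-format alert log for one MM/DD day, normalises each line down to `[gid:sid:rev] message [Classification] [Priority]`, and counts how often each distinct signature fired, most frequent first. Unlike the one-liner above it keeps the counts and the priority, which is what an on-call reader usually wants to triage from. The sample log written by `write_sample_log` is constructed for illustration; the log path and the day are passed in as arguments.

```bash
#!/bin/bash
# Added example (not James's script). Summarise one day's Snort fast-format
# alerts as: COUNT<TAB>[gid:sid:rev] message [Classification: ...] [Priority: N]
# Assumes the log is in Snort's "fast" output format; the sample below is
# constructed for illustration, the real log path would be passed in instead.

# Constructed sample of fast-format alert lines (Snort writes dates as MM/DD).
write_sample_log() {
    cat > "$1" <<'EOF'
12/12-13:38:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234
12/12-13:40:22.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.12:51300
12/12-14:01:09.555555  [**] [1:1000001:1] LOCAL Suspicious DNS TXT query [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.9:53211 -> 8.8.8.8:53
12/12-15:00:00.000000  [**] [1:648:13] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.7:443 -> 10.0.0.9:49152
12/13-00:00:01.000000  [**] [1:1000001:1] LOCAL Suspicious DNS TXT query [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.9:53211 -> 8.8.8.8:53
EOF
}

# summarize_fast_alerts LOGFILE MM/DD
# One line per distinct signature seen on that day, most frequent first.
summarize_fast_alerts() {
    local log="$1" day="$2"
    # Keep only that day's lines (timestamps start with MM/DD-).
    grep "^${day}-" "$log" \
      | sed -E \
          -e 's/^[^ ]+ +\[\*\*\] +//' \
          -e 's/ \[\*\*\] / /' \
          -e 's/ \{[A-Z]+\} .*$//' \
      | sort | uniq -c | sort -rn \
      | awk '{ c = $1; $1 = ""; sub(/^ /, ""); printf("%s\t%s\n", c, $0) }'
    # sed 1: drop the timestamp and leading [**] marker
    # sed 2: drop the [**] separating message from classification
    # sed 3: drop the {PROTO} src -> dst tail so identical alerts collapse
}

# Usage from cron, e.g. at 23:59 for the current day:
#   summarize_fast_alerts /var/log/all.fast "$(date +%m/%d)" > yesterdaysalerts.txt
# and hand yesterdaysalerts.txt to your local mail command.
```

Because the source and destination addresses are stripped before counting, two alerts for the same signature against different hosts collapse into one line with a count of 2; keep the `{PROTO}` tail instead if you want a per-host breakdown.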
