Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I don't know if it's possible, but I can't find any info explaining how to make a rule in snort.conf to send an email when an alert has been activated.
For instance, I'm running an alert for port 80 for a certain website. Snort catches the alert and logs the info in a file. But, I want to be able to email the alert ONLY when it happens.
Again, I can't find any rules for snort that suggest this can be done in the snort.conf file.
But, what about command line piping?
The problem can easily be solved by piping the snort command with ; mail -s "alert" root
or snort commands ; cat alerfile | mail -s "alert" root
However, you have to ctrl+c to get the snort command to exit in order to run the other commands on the command line. No big deal, but the other commands will run no matter what after the break sequence and send a useless email even if no alerts were done, not to mention that's not very automated.
Which brings me to my next question:
Is there any way to get snort to exit gracefully after an alert is detected?
Snort doesn't have an email capability itself and you need to be careful not to have an email sent for every single alert (especially if you haven't fine-tuned your snort rules), otherwise you can bog down the Snort sensor and mailbomb the machine you are sending email alerts to. Basically what you're doing is sending alerts to a log file and using a log parsing utility to extract various alerts and send an email. This way you don't have to terminate the Snort process, which would probably be a bad idea (Snort might see an initial port scan and terminate, but would miss the subsequent exploit code).
Last edited by Capt_Caveman; 05-01-2005 at 02:58 PM.
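The approach described above (leave Snort running, read the alert log, and mail only what is new, grouped so one noisy rule cannot mailbomb the recipient), as an added example that is not from this thread: it assumes Snort's alert_fast log format, a local mail command, and the log and state-file paths used in notify(), all of which are assumptions; the sample alert lines are constructed.

```python
"""Parse new Snort fast-alert lines, group them by signature and mail ONE digest only
when something new was logged. Added example (assumes 'alert_fast' output, a local 'mail')."""
import os
import re
import subprocess
from collections import Counter

# e.g. 05/01-14:58:01.123456  [**] [1:1000001:1] MSG [**] [Priority: 2] {TCP} SRC -> DST
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")

SAMPLE = (  # constructed sample of what Snort appends to the alert file
    "05/01-14:58:01.123456  [**] [1:1000001:1] WEB ACCESS example.com [**] [Priority: 2] {TCP} 10.0.0.5:51234 -> 192.0.2.10:80\n"
    "05/01-14:58:02.000001  [**] [1:1000001:1] WEB ACCESS example.com [**] [Priority: 2] {TCP} 10.0.0.5:51235 -> 192.0.2.10:80\n"
    "05/01-14:58:09.500000  [**] [1:1000002:1] PORTSCAN candidate [**] [Priority: 3] {TCP} 198.51.100.7:4444 -> 192.0.2.10:22\n"
    "garbage line that is not an alert\n")

def parse_alerts(text):
    """One dict per well-formed alert line; anything else is skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]

def build_digest(alerts, max_flows=3):
    """Count per signature plus a few sample flows (one mail, not a mailbomb); None if empty."""
    if not alerts:
        return None
    out = []
    for msg, n in Counter(a["msg"] for a in alerts).most_common():
        out.append(f"{n:5d}  {msg}")
        for a in [x for x in alerts if x["msg"] == msg][:max_flows]:
            out.append(f"        {a['ts']} {a['proto']} {a['src']} -> {a['dst']}")
    return "\n".join(out) + "\n"

def read_new_text(log_path, state_path):
    """Return only what was appended since the last run; if the log shrank (rotated), restart at 0."""
    offset = int(open(state_path).read()) if os.path.exists(state_path) else 0
    with open(log_path, "rb") as f:
        f.seek(0, os.SEEK_END)
        f.seek(0 if f.tell() < offset else offset)
        data = f.read()
        with open(state_path, "w") as s:  # remember where we stopped for the next cron run
            s.write(str(f.tell()))
    return data.decode("utf-8", "replace")

def notify(log_path="/var/log/snort/alert", state="/var/run/snort-mail.off", to="root"):
    # paths are assumptions; 'mail -s' as in the thread's own examples
    digest = build_digest(parse_alerts(read_new_text(log_path, state)))
    if digest:
        subprocess.run(["mail", "-s", "snort alerts", to], input=digest.encode())
    return digest  # what was mailed, or None when there was nothing new
```

Run notify() from cron every minute or so; because the byte offset is kept between runs, a quiet period produces no mail at all.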
Yeah, that's what I found. You have to use another program to monitor snort...kind of lame.
Snort is really designed to be a highly efficient IDS that can handle a pretty substantial load and doesn't really have a lot of "bells-and-whistles". Most of those are third-party add-ons.
The link you posted suggests to use either 'swatch' or 'logcheck' to do this monitoring. What do you suggest?
I haven't used either one extensively enough to say which is better.
That's the code that would have to be inserted into snort.conf, apparently. The 'output database' line isn't necessary, is it?
I believe that's for logging to the database as well as to the syslog facility. Without it, you'd probably just send alerts to syslog and not have them show up to your db.