LinuxQuestions.org, Linux - Security forum
Thread: Suggestions for best way to get snort alerts (https://www.linuxquestions.org/questions/linux-security-4/suggestions-for-best-way-to-get-snort-alerts-204142/)

zuessh 07-12-2004 01:03 PM

Suggestions for best way to get snort alerts
 
I currently have snort installed on Slack 9.1 using MySQL and ACID. Since ACID, to my knowledge, cannot automagically send out alerts via e-mail, what is the best way to get this done?

The best thing I've come up with would be to search the alert log file and, if an alert is there, have it e-mailed to me; however, I don't know how to get it to not send duplicate alerts each time it searches. Any suggestions would be greatly appreciated. Thanks

Ztyx 07-12-2004 04:34 PM

Make a cron script which greps the alerts and pipes the output to the mail command. You can also use logrotate to automagically send you the logs (there is a setting for that in /etc/logrotate).

zuessh 07-13-2004 07:32 AM

Thanks for the suggestion, however if I grep out certain text, how would I stop it from sending the same alerts each time it runs? I'm checking into logsurfer and swatch. Any suggestions on either of them? Thanks

Ztyx 07-13-2004 09:52 AM

Quote:

Originally posted by zuessh
Thanks for the suggestion, however if I grep out certain text how would I stop it from sending the same alerts each time it runs?
Oops, that's true. You could also filter out the alerts it prints, but normally you shall not change the log files because you might erase some useful information... So, forget that idea =)

unSpawn 07-14-2004 02:29 PM

I'm sure someone already invented that wheel. Nothing in Snort.org's contrib dir like PigSentry?

zuessh 07-19-2004 09:36 AM

With pigsentry, how can I get it to only e-mail certain alerts? From what I can tell from the help, it is going to e-mail every alert. If I log it to a log file and search the log file, I have the same problem as before?

unSpawn 07-22-2004 07:29 PM

Dunno. If you're using a logfile I think sending mails using a state file based on either classification or SID should do.

zuessh 07-26-2004 09:01 AM

Quote:

Dunno
Good one...


Quote:

If you're using a logfile I think sending mails using a state file based on either classification or SID should do
Okay, here is what I have:
# pigsentry -l /var/snort_log/alert -t /usr/local/pig --state-checkpoint=x

This creates the pigstate file in /usr/local/pig, and from there I can set up a cron job to search the pigstate file for the alerts I am looking for. To make sure the pigstate file gets cleared out so I don't get multiple alerts, I can use --state-expire=x.

What I can't seem to figure out is how to only log certain alerts to the state file. You mentioned using a state file based on classification or SID; how would I accomplish this?


OT question - What do you think about the guy on Jeopardy? Is he cheating?
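An added example, not from this thread, pigsentry or SnortNotify, of the "state file based on SID" approach unSpawn describes: a cron-friendly POSIX shell script that remembers how many bytes of the Snort alert file it has already read, so each run reports only newly appended alerts, and only those whose [gid:sid:rev] tag carries one of the wanted SIDs. The file paths, the mail recipient and the SIDs 1000001-1000003 (local-rule range) are assumed or constructed for the example.

```shell
#!/bin/sh
# Added example (not the thread's or pigsentry's code). Paths/SIDs are assumed.

# new_alerts ALERT_FILE "SID SID ..." STATE_FILE
# Prints alert lines appended since the byte offset saved in STATE_FILE whose
# tag is [1:<sid>:<rev>] for one of the listed SIDs, then saves the new offset,
# so a cron run never repeats an alert already reported by an earlier run.
new_alerts() {
    alert_file=$1 sids=$2 state_file=$3 offset=0 pattern=
    if [ -f "$state_file" ]; then read -r offset < "$state_file"; fi
    size=$(wc -c < "$alert_file" | tr -d ' ')
    # A rotated or truncated log is smaller than the saved offset: start over
    # at byte 0 instead of silently skipping the new file's contents.
    if [ "$size" -lt "$offset" ]; then offset=0; fi
    # Build an ERE such as \[1:1000001:|\[1:1000003: from the SID list.
    for sid in $sids; do pattern="${pattern:+$pattern|}\\[1:$sid:"; done
    # tail -c +N starts at byte N (1-based); grep exiting 1 (no match) is fine.
    tail -c +$((offset + 1)) "$alert_file" | grep -E "$pattern" || :
    printf '%s\n' "$size" > "$state_file"
}

# mail_new_alerts ALERT_FILE "SIDS" STATE_FILE RECIPIENT
# Cron wrapper (assumed entry: */5 * * * * /usr/local/bin/snort-mail.sh):
# sends one mail per run and only when something new matched. Not run here,
# since it needs a working mail(1).
mail_new_alerts() {
    new=$(new_alerts "$1" "$2" "$3")
    [ -n "$new" ] && printf '%s\n' "$new" | mail -s "snort: new alerts" "$4"
}

# write_sample_alerts FILE: constructed alert-fast style lines with local-rule
# SIDs 1000001-1000003 and RFC 5737 addresses (not real signatures or hosts).
write_sample_alerts() {
    cat > "$1" <<'EOF'
07/26-09:01:22.000001  [**] [1:1000001:1] LOCAL example rule A [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4444 -> 192.0.2.20:80
07/26-09:01:23.000002  [**] [1:1000002:1] LOCAL example rule B [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.11:53 -> 192.0.2.20:53
07/26-09:01:24.000003  [**] [1:1000003:1] LOCAL example rule C [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.12:5555 -> 192.0.2.20:22
EOF
}
```

Run new_alerts twice against the sample file: the first call prints rules A and C (B's SID is not wanted), the second prints nothing because the offset now points at the end of the file.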

adame780 08-13-2004 09:54 AM

SnortNotify could also be of help.

www.780inc.com/snortnotify/

subaruwrx 08-29-2004 09:40 PM

Both logsurfer and swatch should do the job nicely.

I'm also currently looking into logsurfer to check my samba log files.
