Suggestions for best way to get snort alerts

zuessh · 07-12-2004, 01:03 PM

I currently have snort installed on slack 9.1 using mysql and acid. Since acid, to my knowledge, can not automagically send out alert via e-mail what is the best way to get this done?

The best thing I've come up with would be to search the alert log file and if an alert is there have it e-mail to me, however I don't know how to get it to not send duplicate alerts each time it searches. Any suggestions would be greatly appreciated. Thanks

Ztyx · 07-12-2004, 04:34 PM

Make a cron-script which grep:s the alerts and pipe the output to the mail-command. You can also use logrotate to automagically send you the logs (there is a setting for that in /etc/logrotate).

zuessh · 07-13-2004, 07:32 AM

Thanks for the suggestion, however if I grep out certain text how would I stop it from sending the same alerts each time it runs? I'm checking into logsurfer and swatch. Any suggestions or either of them? Thanks

Ztyx · 07-13-2004, 09:52 AM

Quote:

Originally posted by zuessh
Thanks for the suggestion, however if I grep out certain text how would I stop it from sending the same alerts each time it runs?

Oops, that's true. You could also filter out the alerts it prints but normally you shall not change the log files because you might erase some useful informatio... So, forget that idea =)

unSpawn · 07-14-2004, 02:29 PM

I'm sure someone already invented that wheel. Nothing in Snort.org's contrib dir like PigSentry?

zuessh · 07-19-2004, 09:36 AM

With pigsentry how can i get it to only e-mail certain alerts? from what i can tell from the help it is going to e-mail every alert. If i log it to a log file and search the log file I have the same problem as before?

unSpawn · 07-22-2004, 07:29 PM

Dunno. If you're using a logfile I think sending mails using a state file based on either classification or SID should do.

zuessh · 07-26-2004, 09:01 AM

Quote:

Dunno

Good one...

Quote:

If you're using a logfile I think sending mails using a state file based on either classification or SID should do

Okay, here is what i have;
# pigsentry -l /var/snort_log/alert -t /usr/local/pig --state-checkpoint=x

This creates the pigstate file in /usr/local/pig, and from there i can set up a cron job to search the pigstate file for the alerts I am looking for and to make sure the pigstate file gets cleared out so I don't get multiple alerts I can use the --state-expire=x

What I can't seem to figure out is how to only log certain alerts to the statefile? You mentioned using a state file based on classification or SID, how would I accomplish this?

OT question - What do you think about the guy on Jepardy? Is he cheating?

adame780 · 08-13-2004, 09:54 AM

SnortNotify could also be of help.

www.780inc.com/snortnotify/

subaruwrx · 08-29-2004, 09:40 PM

Both logsurfer and swatch should do the job nicely.

I'm also currently looking into logsurfer to check my samba log files.