Linux - Security (LinuxQuestions.org forum)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I currently have snort installed on Slack 9.1 using MySQL and ACID. Since ACID, to my knowledge, cannot automagically send out alerts via e-mail, what is the best way to get this done?
The best thing I've come up with would be to search the alert log file and, if an alert is there, have it e-mailed to me; however, I don't know how to get it to not send duplicate alerts each time it searches. Any suggestions would be greatly appreciated. Thanks
Make a cron script which greps the alerts and pipes the output to the mail command. You can also use logrotate to automagically send you the logs (there is a setting for that in /etc/logrotate).
Thanks for the suggestion; however, if I grep out certain text, how would I stop it from sending the same alerts each time it runs? I'm checking into logsurfer and swatch. Any suggestions on either of them? Thanks
Originally posted by zuessh: "Thanks for the suggestion; however, if I grep out certain text, how would I stop it from sending the same alerts each time it runs?"
Oops, that's true. You could also filter out the alerts it prints, but normally you shall not change the log files because you might erase some useful information... So, forget that idea =)
With pigsentry, how can I get it to only e-mail certain alerts? From what I can tell from the help, it is going to e-mail every alert. If I log it to a log file and search the log file, I have the same problem as before?
If you're using a logfile, I think sending mails using a state file based on either classification or SID should do.
Okay, here is what I have:
# pigsentry -l /var/snort_log/alert -t /usr/local/pig --state-checkpoint=x
This creates the pigstate file in /usr/local/pig, and from there I can set up a cron job to search the pigstate file for the alerts I am looking for. To make sure the pigstate file gets cleared out so I don't get multiple alerts, I can use --state-expire=x.
What I can't seem to figure out is how to only log certain alerts to the state file. You mentioned using a state file based on classification or SID; how would I accomplish this?
OT question - What do you think about the guy on Jeopardy? Is he cheating?
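The state-file idea from the replies above (mail only the alerts for chosen SIDs, and never mail the same alert twice), written out as an added shell example; it is not code from any poster or from pigsentry, and the alert log path, state file name, SIDs and mail command are assumptions.

```shell
#!/bin/sh
# Added example, not any poster's code. Mails only alerts for chosen SIDs and
# only once: every alert line already mailed is appended to a state file, and
# later cron runs skip lines found there. Assumes one-line alert_fast output:
#   03/15-10:22:01.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] ...
# Paths, SIDs and the state file name are placeholders.

ALERT_LOG="${ALERT_LOG:-/var/snort_log/alert}"
STATE_FILE="${STATE_FILE:-/usr/local/pig/mailed.state}"   # hypothetical
WANTED_SIDS="${WANTED_SIDS:-1:2003 1:1000001}"             # gid:sid pairs to report
MAIL_TO="${MAIL_TO:-root}"

# Print alert lines whose [gid:sid:rev] tag matches a wanted gid:sid pair.
select_by_sid() {  # $1 = alert log, $2 = space-separated gid:sid list
    awk -v sids="$2" '
        BEGIN { n = split(sids, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
            tag = substr($0, RSTART + 1, RLENGTH - 2)   # "1:2003:8"
            sub(/:[0-9]+$/, "", tag)                    # drop rev -> "1:2003"
            if (tag in want) print
        }' "$1"
}

# Drop lines already recorded in the state file (exact whole-line match) and
# collapse exact duplicates within this run, keeping log order.
only_new() {  # $1 = state file; candidate alerts on stdin
    if [ -s "$1" ]; then grep -F -x -v -f "$1"; else cat; fi | awk '!seen[$0]++'
}

# Delivery is isolated here so it can be swapped (e.g. for sendmail) or stubbed.
deliver() {  # $1 = recipient; message body on stdin
    mail -s "snort: new alerts on $(uname -n)" "$1"
}

# Mail the new alerts and record them. The state file only ever grows, so
# rotate or truncate it together with the alert log (cf. logrotate).
report_new_alerts() {  # $1 = alert log, $2 = state file, $3 = gid:sid list, $4 = recipient
    new=$(select_by_sid "$1" "$3" | only_new "$2")
    [ -n "$new" ] || return 0
    printf '%s\n' "$new" | deliver "$4"
    printf '%s\n' "$new" >> "$2"
}

# Cron entry, e.g.:  */5 * * * * /usr/local/bin/snort-mail.sh
if [ -r "$ALERT_LOG" ]; then
    report_new_alerts "$ALERT_LOG" "$STATE_FILE" "$WANTED_SIDS" "$MAIL_TO"
fi
```

Filtering on classification instead of SID is the same pattern with the awk match changed to the "[Classification: ...]" field.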