LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-12-2004, 01:03 PM   #1
zuessh
Member
 
Registered: Jun 2002
Location: USA
Distribution: Suse 8.0
Posts: 247

Rep: Reputation: 30
Suggestions for best way to get snort alerts


I currently have snort installed on slack 9.1 using mysql and acid. Since acid, to my knowledge, can not automagically send out alert via e-mail what is the best way to get this done?

The best thing I've come up with would be to search the alert log file and if an alert is there have it e-mail to me, however I don't know how to get it to not send duplicate alerts each time it searches. Any suggestions would be greatly appreciated. Thanks
 
Old 07-12-2004, 04:34 PM   #2
Ztyx
Member
 
Registered: Dec 2001
Location: Stockholm, Sweden
Distribution: Ubuntu, Kubuntu and Debian
Posts: 338

Rep: Reputation: 30
Make a cron-script which grep:s the alerts and pipe the output to the mail-command. You can also use logrotate to automagically send you the logs (there is a setting for that in /etc/logrotate).
 
Old 07-13-2004, 07:32 AM   #3
zuessh
Member
 
Registered: Jun 2002
Location: USA
Distribution: Suse 8.0
Posts: 247

Original Poster
Rep: Reputation: 30
Thanks for the suggestion, however if I grep out certain text how would I stop it from sending the same alerts each time it runs? I'm checking into logsurfer and swatch. Any suggestions or either of them? Thanks
 
Old 07-13-2004, 09:52 AM   #4
Ztyx
Member
 
Registered: Dec 2001
Location: Stockholm, Sweden
Distribution: Ubuntu, Kubuntu and Debian
Posts: 338

Rep: Reputation: 30
Quote:
Originally posted by zuessh
Thanks for the suggestion, however if I grep out certain text how would I stop it from sending the same alerts each time it runs?
Oops, that's true. You could also filter out the alerts it prints but normally you shall not change the log files because you might erase some useful informatio... So, forget that idea =)
 
Old 07-14-2004, 02:29 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,406
Blog Entries: 55

Rep: Reputation: 3578Reputation: 3578Reputation: 3578Reputation: 3578Reputation: 3578Reputation: 3578Reputation: 3578Reputation: 3578Reputation: 3578Reputation: 3578Reputation: 3578
I'm sure someone already invented that wheel. Nothing in Snort.org's contrib dir like PigSentry?
 
Old 07-19-2004, 09:36 AM   #6
zuessh
Member
 
Registered: Jun 2002
Location: USA
Distribution: Suse 8.0
Posts: 247

Original Poster
Rep: Reputation: 30
With pigsentry how can i get it to only e-mail certain alerts? from what i can tell from the help it is going to e-mail every alert. If i log it to a log file and search the log file I have the same problem as before?
 
Old 07-22-2004, 07:29 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,406
Blog Entries: 55

Rep: Reputation: 3578Reputation: 3578Reputation: 3578Reputation: 3578Reputation: 3578Reputation: 3578Reputation: 3578Reputation: 3578Reputation: 3578Reputation: 3578Reputation: 3578
Dunno. If you're using a logfile I think sending mails using a state file based on either classification or SID should do.
 
Old 07-26-2004, 09:01 AM   #8
zuessh
Member
 
Registered: Jun 2002
Location: USA
Distribution: Suse 8.0
Posts: 247

Original Poster
Rep: Reputation: 30
Quote:
Dunno
Good one...


Quote:
If you're using a logfile I think sending mails using a state file based on either classification or SID should do
Okay, here is what i have;
# pigsentry -l /var/snort_log/alert -t /usr/local/pig --state-checkpoint=x

This creates the pigstate file in /usr/local/pig, and from there i can set up a cron job to search the pigstate file for the alerts I am looking for and to make sure the pigstate file gets cleared out so I don't get multiple alerts I can use the --state-expire=x

What I can't seem to figure out is how to only log certain alerts to the statefile? You mentioned using a state file based on classification or SID, how would I accomplish this?


OT question - What do you think about the guy on Jepardy? Is he cheating?
 
Old 08-13-2004, 09:54 AM   #9
adame780
LQ Newbie
 
Registered: Aug 2004
Posts: 1

Rep: Reputation: 0
SnortNotify could also be of help.

www.780inc.com/snortnotify/
 
Old 08-29-2004, 09:40 PM   #10
subaruwrx
Member
 
Registered: Mar 2004
Distribution: Ubuntu Feisty
Posts: 641

Rep: Reputation: 30
Both logsurfer and swatch should do the job nicely.

I'm also currently looking into logsurfer to check my samba log files.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
snort alerts lord-fu Linux - Security 1 11-25-2005 03:28 PM
Snort Alerts ?? zahra79 Linux - Networking 5 06-22-2005 05:11 AM
Snort does not log alerts soren625 Linux - Security 0 02-10-2005 06:35 AM
Snort only alerts snmp gummimann Linux - Security 5 02-04-2004 01:03 PM
Snort Alerts knight_ridda Linux - Security 13 06-21-2003 04:32 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:13 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration