Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
07-12-2004, 02:03 PM
#1
Member
Registered: Jun 2002
Location: USA
Distribution: Suse 8.0
Posts: 247
Suggestions for best way to get snort alerts
I currently have snort installed on slack 9.1 using mysql and acid. Since acid, to my knowledge, cannot automagically send out alerts via e-mail, what is the best way to get this done?
The best thing I've come up with would be to search the alert log file and, if an alert is there, have it e-mailed to me; however, I don't know how to get it to not send duplicate alerts each time it searches. Any suggestions would be greatly appreciated. Thanks
07-12-2004, 05:34 PM
#2
Member
Registered: Dec 2001
Location: Stockholm, Sweden
Distribution: Ubuntu, Kubuntu and Debian
Posts: 338
Make a cron script which greps the alerts and pipes the output to the mail command. You can also use logrotate to automagically send you the logs (there is a setting for that in /etc/logrotate).
07-13-2004, 08:32 AM
#3
Member
Registered: Jun 2002
Location: USA
Distribution: Suse 8.0
Posts: 247
Original Poster
Thanks for the suggestion; however, if I grep out certain text, how would I stop it from sending the same alerts each time it runs? I'm checking into logsurfer and swatch. Any suggestions on either of them? Thanks
07-13-2004, 10:52 AM
#4
Member
Registered: Dec 2001
Location: Stockholm, Sweden
Distribution: Ubuntu, Kubuntu and Debian
Posts: 338
Quote:
Originally posted by zuessh
Thanks for the suggestion, however if I grep out certain text how would I stop it from sending the same alerts each time it runs?
Oops, that's true. You could also filter out the alerts it prints, but normally you shall not change the log files because you might erase some useful information... So, forget that idea =)
07-14-2004, 03:29 PM
#5
Moderator
Registered: May 2001
Posts: 29,415
I'm sure someone already invented that wheel. Nothing in Snort.org's contrib dir like PigSentry?
07-19-2004, 10:36 AM
#6
Member
Registered: Jun 2002
Location: USA
Distribution: Suse 8.0
Posts: 247
Original Poster
With pigsentry, how can I get it to only e-mail certain alerts? From what I can tell from the help, it is going to e-mail every alert. If I log it to a log file and search the log file, I have the same problem as before?
07-22-2004, 08:29 PM
#7
Moderator
Registered: May 2001
Posts: 29,415
Dunno. If you're using a logfile I think sending mails using a state file based on either classification or SID should do.
07-26-2004, 10:01 AM
#8
Member
Registered: Jun 2002
Location: USA
Distribution: Suse 8.0
Posts: 247
Original Poster
Good one...
Quote:
If you're using a logfile I think sending mails using a state file based on either classification or SID should do
Okay, here is what I have:
# pigsentry -l /var/snort_log/alert -t /usr/local/pig --state-checkpoint=x
This creates the pigstate file in /usr/local/pig, and from there I can set up a cron job to search the pigstate file for the alerts I am looking for. To make sure the pigstate file gets cleared out so I don't get multiple alerts, I can use --state-expire=x.
What I can't seem to figure out is how to only log certain alerts to the statefile. You mentioned using a state file based on classification or SID; how would I accomplish this?
OT question - What do you think about the guy on Jeopardy? Is he cheating?
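One way to implement the state-file idea from #7 that #8 asks about, as an added example (not from the thread, and not PigSentry's or Snort's own code): it parses Snort's single-line `-A fast` alert format, keeps only alerts matching a chosen SID or classification, and records the log's inode and byte offset in a state file so a cron run never re-mails alerts it already reported. The state-file name, the sample SIDs and all log lines are constructed assumptions.

```python
"""Added example (not from the thread): mail only new, selected Snort alerts. Parses the -A fast log, filters by SID or
classification, and keeps a state file (inode + byte offset) so a cron run never re-sends what it already reported."""
import json, os, re, tempfile
from pathlib import Path

# Snort fast line: ts  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {proto} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?(?:\s+\[Priority:\s*\d+\])?"
    r"(?:\s+\{\w+\})?\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")

def parse_alert(line):
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None

def new_alerts(log_path, state_path, sids=(), classes=()):
    """Return filtered alerts appended since the last run, then advance the state file."""
    sp = Path(state_path)
    state = json.loads(sp.read_text()) if sp.exists() else {"inode": None, "offset": 0}
    st = os.stat(log_path)
    if state["inode"] != st.st_ino or state["offset"] > st.st_size:
        state = {"inode": st.st_ino, "offset": 0}  # log rotated or truncated: rescan from the top
    found = []
    with open(log_path, "rb") as fh:
        fh.seek(state["offset"])
        for raw in fh:
            if not raw.endswith(b"\n"):
                break                              # half-written line; pick it up next run
            state["offset"] += len(raw)
            a = parse_alert(raw.decode("utf-8", "replace"))
            # An empty filter mails everything (PigSentry's default); otherwise match SID or class.
            if a and (not (sids or classes) or a["sid"] in sids or a["cls"] in classes):
                found.append(a)
    sp.write_text(json.dumps(state))               # only now do these alerts count as seen
    return found

def demo():  # three simulated cron runs over a constructed log; returns the SIDs mailed each time
    d = Path(tempfile.mkdtemp())
    log, state = d / "alert", d / "pigstate.json"   # assumed state-file name
    ssh = ("[**] [1:1000002:1] SSH brute force [**] [Classification: Attempted Administrator "
           "Privilege Gain] [Priority: 1] {TCP} 10.0.0.9:%d -> 10.0.0.1:22\n")
    log.write_text("07/12-14:03:22.123456  [**] [1:1000001:1] ICMP test [**] [Classification: Misc "
                   "activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1\n07/12-14:03:23.000001  " + ssh % 4444)
    run1 = [a["sid"] for a in new_alerts(log, state, sids={"1000002"})]  # ICMP alert filtered out
    run2 = [a["sid"] for a in new_alerts(log, state, sids={"1000002"})]  # nothing new, so no mail
    with open(log, "a") as fh:
        fh.write("07/12-14:05:00.000000  " + ssh % 4445)                 # Snort appends another
    run3 = [a["sid"] for a in new_alerts(log, state, sids={"1000002"})]  # only the new one
    return run1, run2, run3
```

Piping the return of `new_alerts` through the mail command from cron gives one message per batch of new matches, and an empty batch sends nothing.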
08-29-2004, 10:40 PM
#10
Member
Registered: Mar 2004
Distribution: Ubuntu Feisty
Posts: 641
Both logsurfer and swatch should do the job nicely.
I'm also currently looking into logsurfer to check my samba log files.