Re: [Snort-users] E-mail alerting

From: prabu (prabu333@hotpop.com)
Date: Sat Sep 04 2004 - 00:30:14 CDT


Hello Carlos,
            You can use Swatch to get emails alerts from Snort.

Installing Swatch is just child's play, very easy. I have given below the necessary steps to configure Swatch.
Hope this will be useful. If you have any queries, you can write to me.

Prabu.S

########################################################################################################################

CONFIGURATION STEPS TO SEND SNORT ALERTS AS E-MAIL:

To receive Snort alerts as e-mail, one can follow these steps:

Swatch is the widely used open source tool to enable e-mail alerts in Snort. Swatch is a utility that monitors system log files, filters out
unwanted data and takes specified actions (i.e., sending email, executing a script, etc.) based upon what it finds in the log files. So I have used
Swatch to configure Snort to send the alerts as e-mail.

NOTE:
  It is assumed here that Snort has already been installed on the host on which this is to be tested.

[a] Swatch installation:

Download the swatch package, from http://sourceforge.net/project/showfiles.php?group_id=68627
To install, simply issue the following commands:

    perl Makefile.PL
    make
    make test
    make install
    make realclean

Swatch installs just like a CPAN module. If you are not familiar with this process then you may want to read about it by issuing the command:

man ExtUtils::MakeMaker
      
Use the perldoc command if your man cannot find the document.

If you see messages like these:

Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.
      

Then you need to install the CPAN module(s) that it doesn't find, before you can use swatch.
You can find these modules at http://search.cpan.org/.

One must download the following Perl modules from the site search.cpan.org:

    1. Bit-Vector-6.3
    2. Date-Calc-5.3
    3. DateManip-5.42a
    4. File-Tail-0.98
    5. Time-HiRes-1.59
    6. TimeDate-1.16

To install these Perl modules, one can follow the same steps as for Swatch.
They are:

    perl Makefile.PL
    make
    make test
    make install
    make realclean

The Swatch binary will be installed at the /opt/perl/bin/ directory

Then create the swatch configuration file.

cat /etc/swatchrc.txt

==========================================================
# Swatch configuration file
#
# swatch -c /etc/swatchrc.txt -t /var/log/snort/alert
#
### Snort Alerts
## Watch for entries containing the word 'Priority' in the snort alert file.
## Display it in green on the screen
## Mail alert to alerts@yourdomain.com with subject of the email
## being "----Snort IDS Alert----"
## Log in file /var/log/IDS-scans
## (the '@' in the address must be escaped as '\@' in a swatch config file,
##  because swatch turns the config into Perl code before running it)

watchfor /Priority/
    echo green_h
    mail addresses=youruseraccount\@yourdomain.com,subject=--- Snort IDS Alert ---
    exec echo $0 >> /var/log/IDS-scans

============================================================

THE FINAL STEPS:
 
[a] Start Snort in NIDS mode:

  #./snort -c /snort/iexpress/snort/etc/snort.conf -l /var/log/snort

[b] Start swatch:

  cd /opt/perl/bin
  #./swatch --config-file=/etc/swatchrc.txt

[c] Using Outlook Express:

   Configure the user's POP3 account and you can receive the emails sent by Swatch for each alert based on the pattern
   matching the "watchfor".

##########################################################################################################

Cheers,
Prabu.S

  ----- Original Message -----
  From: Carlos M Ospina
  To: snort-users@lists.sourceforge.net
  Sent: Friday, September 03, 2004 7:08 PM
  Subject: [Snort-users] E-mail alerting

  Is there any way to configure, with ACID, automatic alerts by e-mail? Is there any manual about that?

  Thanks in advance.

  ---
  Outgoing mail is certified Virus Free.
  Checked by AVG anti-virus system (http://www.grisoft.com).
  Version: 6.0.751 / Virus Database: 502 - Release Date: 9/2/2004
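The swatchrc above does three things with every alert line that matches /Priority/: print it, mail it, and append it to a log. The Python below is an added example (not part of this thread, and not swatch's own code) that implements the same watch-and-notify pipeline over Snort's single-line "fast" alert format, and goes one step further than the plain /Priority/ match by letting you keep only alerts at or above a chosen Snort priority (1 is most severe), which is usually what you want before paging someone. The three alert lines, the local SIDs (1000001..1000003) and the addresses are constructed for the example; it builds the e-mail message but does not send it.

```python
import re
from email.message import EmailMessage

# Constructed sample lines in Snort's single-line ("fast") alert format.
# SIDs are in the local-rule range and hosts are documentation addresses;
# none of this comes from a real sensor.
SAMPLE_ALERTS = """\
09/04-00:30:14.123456  [**] [1:1000001:1] LOCAL test rule fired [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:40001 -> 198.51.100.5:80
09/04-00:30:15.654321  [**] [1:1000002:1] LOCAL suspected worm traffic [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.11:1434 -> 198.51.100.5:1434
09/04-00:30:16.000000  [**] [1:1000003:1] LOCAL policy violation [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.12:51000 -> 198.51.100.9:443
"""

# Same pattern as the swatchrc line 'watchfor /Priority/'.
WATCHFOR = re.compile(r"Priority")
# Pulls the numeric priority out of the "[Priority: N]" field.
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")


def matching_alerts(text, max_priority=None):
    """Return the alert lines that match the watchfor pattern.

    With max_priority set, keep only alerts whose Snort priority number is
    <= max_priority (1 = most severe). A bare /Priority/ match in swatch
    fires on every alert; this filter is the extra step the example adds.
    """
    hits = []
    for line in text.splitlines():
        if not WATCHFOR.search(line):
            continue
        if max_priority is not None:
            m = PRIORITY_RE.search(line)
            if m is None or int(m.group(1)) > max_priority:
                continue
        hits.append(line)
    return hits


def build_alert_mail(line, to_addr, from_addr="snort@localhost"):
    """Build the message swatch's 'mail' action would send for one alert line.

    The subject matches the swatchrc ('--- Snort IDS Alert ---'); the body is
    the matched line itself, which is also what swatch mails.
    """
    msg = EmailMessage()
    msg["Subject"] = "--- Snort IDS Alert ---"
    msg["To"] = to_addr
    msg["From"] = from_addr
    msg.set_content(line + "\n")
    return msg


def append_log(line, path):
    """Equivalent of the swatchrc action 'exec echo $0 >> /var/log/IDS-scans'."""
    with open(path, "a") as fh:
        fh.write(line + "\n")


if __name__ == "__main__":
    # Only priority 1 and 2 alerts get mailed; priority 3 is dropped.
    for hit in matching_alerts(SAMPLE_ALERTS, max_priority=2):
        print(build_alert_mail(hit, "alerts@yourdomain.com").as_string())
```

To actually deliver the message, hand it to `smtplib.SMTP(host).send_message(msg)`; to follow a live alert file rather than a string, read new lines from `/var/log/snort/alert` in a loop (the job `-t` does for swatch) and pass each one through `matching_alerts`.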
