Is there any way to setup scheduled automatic Email Snort alerts?
old Eagle-X solution used to have this automatic email alerts..
any third party solution or new feature in BASE or SNORT that does this?
I'll create a feature request for this - it is a 'nice to have' I've thought about many times myself. Though I'd like to integrate GPG/PGP as well for secure transit.
yes, there is: FLoP offers a possibility to send emails on alerts:
FLoP (Fast Logging Project for Snort) is an alternative to barnyard, and in my humble opinion a much better one. Using an external tool, be it FLoP or barnyard or mudpit, is generally recommended,
because this way snort itself does not need to insert the alerts into the database, any more.
This time consuming task has been taken over by FLoP (or barnyard, mudpit).
FLoP consists of 4 processes. One of them,
called "alert", can automatically send emails when one or more alerts occur.
This would require the following configuration:
# If you want to get an email after each single alert:
# If not, resort to AlarmDelay
# Receive alerts with a priority of 1 or 2:
BASE is actually not the most appropriate tool for this, because it is a viewer that
is not used all the time. But you need something, that sends email all the time, if necessary, regardless of whether anybody watches or not.
I made a mistake with regard to servsock.conf:
# If you want to receive alerts with
# priorities 1 or 2, then you must
# UnixSocketPriority: -3
# Receive alerts with a priority of 1 only:
In my environment I have snort log to both (from snort.conf):
output alert_syslog: LOG_AUTH LOG_ALERT
output log_unified: filename snort_unified.log, limit 128
I then use swatch (http://swatch.sourceforge.net/) to monitor my LOG_AUTH file for specific strings (using regex) and have it generate emails. It works pretty well, except I've had swatch lose it's head, so I cron'ed a daily restart of the process.
I use barnyard to monitor the log_unified file and place the alerts in BASE.
I know this isn't an answer of using base or snort to have email alerts mailed automatically, but we have had very good luck using ossec (ossec.net) for having alerts mailed automatically.
Using Ossec you configure a host as the controller for ossec and then install an agent on your snort box. Ossec assigns a numerical value to each type of alert and you can specify when to email the alerts based on this value.
Log in to post a comment.
Sign up for the SourceForge newsletter:
You seem to have CSS turned off.
Please don't fill out this field.