Snort mailing list archives
Re: Real-time email notification
From: Blake Frantz <blake () mc net>
Date: Tue, 3 Jul 2001 10:54:02 -0500 (CDT)
I wrote my own that daemonizes and has a filtering option. If the contents of @Filter are matched in the alert line, it won't send the email. It serves its purpose. I tested it on Redhat and BSDi with PERL5.

-Blake

<code>
#!/usr/bin/perl
use IO::Handle;
use strict;

my $Sendmail = "/usr/sbin/sendmail";
my $LogFile  = "/var/log/snort/alert";
# A plain list, not qw(): qw() splits on whitespace, so the quoted phrases
# would never match as a whole.
my @Filter   = ("Destination Unreachable", "Time Exceeded");
my $Email    = "admin\@net.org";

# leave the rest alone.
my $CurPos  = "";
my $LogLine = "";
my $MailIt  = 1;

# Detach: the parent exits, the child carries on as the daemon.
my $PID = fork;
exit if $PID;
die("Error.") unless defined($PID);

pipe(CHILDREAD, CHILDWRITE);
CHILDWRITE->autoflush(1);

if (fork()) {
    # Tail the alert file and push every new line down the pipe.
    close(CHILDREAD);
    open(FILE, "<$LogFile") or die("Cannot open $LogFile: $!");
    for (;;) {
        for ($CurPos = tell(FILE); $_ = <FILE>; $CurPos = tell(FILE)) {
            print CHILDWRITE $_;
        }
        seek(FILE, $CurPos, 0);   # clear EOF and wait for more output
        sleep(1);
    }
    close(FILE);
    exit(0);
} else {
    # Read lines from the pipe, drop filtered ones, mail the rest.
    close(CHILDWRITE);
    while (defined($LogLine = <CHILDREAD>)) {
        foreach (@Filter) {
            if ($LogLine =~ m/\Q$_\E/) {   # literal match, not a regex
                $MailIt = 0;
            }
        }
        if ($MailIt) {
            open(MAIL, "|$Sendmail -t") or die("Cannot run $Sendmail: $!");
            print MAIL "To: $Email\n";
            print MAIL "From: SnortAlert\n";
            print MAIL "Subject: Snort Alert\n";
            print MAIL "\n$LogLine\n";
            close(MAIL);
        }
        $MailIt = 1;
    }
}
</code>

=================================================================
The Government, like diapers, should be replaced regularly, and often for the same reasons.

On Tue, 3 Jul 2001, Michael Pickert wrote:
> Hi, can anybody tell me a way to check the snort-logfiles in real-time and send an email to the admin as a notification of an alert?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
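An added example, not the poster's script: the same watcher design in Python, with the filter list kept as whole phrases, a tail loop that reopens the alert file after rotation or truncation, and a self-contained replay over constructed sample lines. The sample alert lines, signature IDs and addresses are made up for the demo, and snort@localhost is an assumed sender address.

```python
import os
import tempfile
import time
from email.message import EmailMessage
# Whole phrases as plain substrings; a Perl qw() list splits them on whitespace.
FILTERS = ("Destination Unreachable", "Time Exceeded")
SAMPLE_LINES = (  # constructed alert lines in Snort's one-line "fast" format
    "07/03-10:54:02.000001 [**] [1:384:5] ICMP PING [**] {ICMP} 10.0.0.5 -> 10.0.0.9\n",
    "07/03-10:54:03.000002 [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] {ICMP} 10.0.0.9 -> 10.0.0.5\n",
    "07/03-10:54:04.000003 [**] [1:449:5] ICMP Time Exceeded [**] {ICMP} 10.0.0.1 -> 10.0.0.5\n",
)
def is_filtered(line, filters=FILTERS):
    """True when the alert line contains any suppressed phrase."""
    return any(phrase in line for phrase in filters)

def build_alert_mail(line, to_addr, from_addr="snort@localhost"):
    """One alert per message, with the headers the post's script writes."""
    msg = EmailMessage()
    msg["To"], msg["From"], msg["Subject"] = to_addr, from_addr, "Snort Alert"
    msg.set_content(line.rstrip("\n") + "\n")
    return msg

def follow(path, poll=1.0, from_start=False):
    """Yield complete lines appended to path; reopen after rotation/truncation."""
    fh = open(path, "rb")
    if not from_start:
        fh.seek(0, os.SEEK_END)
    inode = os.fstat(fh.fileno()).st_ino
    while True:
        raw = fh.readline()
        if raw.endswith(b"\n"):
            yield raw.decode("utf-8", "replace")
            continue
        fh.seek(-len(raw), os.SEEK_CUR)   # partial line: re-read once complete
        time.sleep(poll)
        st = os.stat(path) if os.path.exists(path) else None
        if st and (st.st_ino != inode or st.st_size < fh.tell()):
            fh.close()                    # log was rotated or truncated
            fh, inode = open(path, "rb"), st.st_ino

def demo(to_addr="admin@net.org"):
    """Replay SAMPLE_LINES through a temp file; return the messages that would be mailed."""
    path = os.path.join(tempfile.mkdtemp(), "alert")
    with open(path, "w") as out:
        out.writelines(SAMPLE_LINES)
    sent = []
    for _, line in zip(SAMPLE_LINES, follow(path, poll=0.01, from_start=True)):
        if not is_filtered(line):
            sent.append(build_alert_mail(line, to_addr))
    return sent
```

In production, `follow()` would run without `from_start` against /var/log/snort/alert and each returned message would be handed to an SMTP client or piped to sendmail, as the post does.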
Current thread:
- Real-time email notification Michael Pickert (Jul 03)
- Re: Real-time email notification A.L.Lambert (Jul 03)
- Re: Real-time email notification Tim Olson (Jul 03)
- Re: Real-time email notification Brian Carpio (Jul 03)
- Re: Real-time email notification Blake Frantz (Jul 03)
- Re: Real-time email notification Blake Frantz (Jul 03)