Snort mailing list archives

RE: mail notification


From: "Bob Konigsberg" <bobkberg () networkeval com>
Date: Tue, 21 Dec 2004 10:07:34 -0800

I'm currently working on something similar, although my intention is to do
daily reports, but I'm doing it entirely outside snort with perl and shell
scripts.

The reason for the daily report is that I'm working with the bleeding-snort
malware rules for identifying spyware which has less urgency than a genuine
break-in.

Depending on what you've got in mind, I'll offer what I'm doing as a
starting point, but here are the basics.

1) Decide if you want periodic or event-driven notification.  For periodic,
set up the job to run with anacron/vixie-cron/cron/whatever, and stop
snort, rename the alert file to one with a time-stamp as part of the name,
and then restart snort.  If you don't want to risk missing something by
stopping snort, you can probably (meaning I haven't tried it yet) just make
a copy of the current alert file, and diff it with its predecessor to pick
up only the most recent stuff.

2) If you want event-driven notification within snort, I'm clueless, but
someone else may be able to provide that.  Off the top of my head, you could
do the diff trick on a tight schedule.

3) Parse out the alert to ID if it's something you care about.  I started
with the parsing code from snortsnarf (by Stuart Staniford-Chen) and added a
bit more (Alert fields have expanded since he first wrote that code), and
also dropped off stuff that I don't care about.

4) Email (with mailx) the resulting report.

If you want copies of what I'm working on, please reply privately, as I'm
still working on putting it together.

Hope that helps,

Bob
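As an added example (not Bob's scripts and not anything shipped with Snort), here is one way to put steps 1 through 4 into a single POSIX shell script for a cron job: take a copy of the live alert file instead of stopping Snort, diff it against the previous copy to get only the new records, keep just the alerts with a Priority worth reading, and hand the result to mailx. The paths, the recipient address, the priority cut-off and the sample alert records in demo (local SIDs, made up for the example) are all assumptions; the record layout is Snort's full-format alert file, which is what snortsnarf parses.

```sh
#!/bin/sh
# Periodic Snort alert report: snapshot, diff, filter, mail.
# Paths, recipient and cut-off are assumptions for this example.
ALERT_FILE=${ALERT_FILE:-/var/log/snort/alert}   # Snort's full-format alert file
STATE_DIR=${STATE_DIR:-/var/lib/snort-report}    # where the previous snapshot lives
MAIL_TO=${MAIL_TO:-security@example.com}
MAX_PRIORITY=${MAX_PRIORITY:-2}   # report Priority 1..2 only; in Snort 1 is most urgent

# snapshot SRC DST: copy the live alert file without stopping Snort.
# Full-format records end with a blank line; if the file does not, Snort is
# still writing the last record, so leave it out and report it whole next run.
snapshot() {
    if [ "$(tail -c 2 "$1" | wc -l | tr -d ' ')" -eq 2 ]; then
        cp "$1" "$2"
    else
        awk 'BEGIN { RS = ""; ORS = "\n\n" } NR > 1 { print prev } { prev = $0 }' "$1" > "$2"
    fi
}

# new_alerts PREV CUR: the diff trick, i.e. lines appended to CUR since PREV.
# Only sound while the file is append-only: after a rotation or a Snort restart
# with a fresh file every record looks new, so rotate PREV at the same time.
new_alerts() {
    diff "$1" "$2" | sed -n '/^>/s/^> \{0,1\}//p'
}

# summarize_alerts MAX: read blank-line separated full-format records on stdin
# and print one line per record whose [Priority: N] is <= MAX, as
#   MM/DD-HH:MM:SS  Pn  src:port -> dst:port  [gid:sid:rev] signature
summarize_alerts() {
    awk -v maxp="${1:-2}" '
    BEGIN { RS = ""; FS = "\n" }
    {
        sig = ""; prio = 99; ts = ""; flow = ""
        for (i = 1; i <= NF; i++) {
            line = $i
            if (line ~ /^\[\*\*\] /) {                  # [**] [gid:sid:rev] name [**]
                sub(/^\[\*\*\] /, "", line); sub(/ \[\*\*\]$/, "", line)
                sig = line
            } else if (match(line, /\[Priority: [0-9]+\]/)) {
                prio = substr(line, RSTART + 11, RLENGTH - 12) + 0
            } else if (line ~ /^[0-9][0-9]\/[0-9][0-9](\/[0-9][0-9])?-[0-9][0-9]:/) {
                ts = line; sub(/\.[0-9]+ .*$/, "", ts)   # drop microseconds and the rest
                flow = line; sub(/^[^ ]+ +/, "", flow)   # src:port -> dst:port
            }
        }
        if (sig != "" && prio <= maxp)
            printf "%s  P%d  %s  %s\n", ts, prio, flow, sig
    }'
}

# run_report: what cron calls, e.g. "0 6 * * * /usr/local/sbin/snort-report.sh run"
run_report() {
    mkdir -p "$STATE_DIR"
    prev="$STATE_DIR/alert.prev"; cur="$STATE_DIR/alert.cur"
    [ -f "$prev" ] || : > "$prev"
    snapshot "$ALERT_FILE" "$cur"
    report=$(new_alerts "$prev" "$cur" | summarize_alerts "$MAX_PRIORITY")
    if [ -n "$report" ]; then
        printf '%s\n' "$report" | mailx -s "Snort alerts $(date '+%Y-%m-%d %H:%M')" "$MAIL_TO"
    fi
    mv "$cur" "$prev"    # next run diffs against this snapshot
}

# demo: constructed alert records (local SIDs, not real rules or traffic) run
# through the pipeline without mailing; prints the report that would be sent.
demo() {
    d=$(mktemp -d)
    cat > "$d/alert.prev" <<'EOF'
[**] [1:1000001:1] LOCAL seen last run (constructed) [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
12/21-08:00:00.000001 10.0.0.5:3456 -> 192.168.1.10:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF

EOF
    cat "$d/alert.prev" - > "$d/alert.live" <<'EOF'
[**] [1:1000002:1] LOCAL worm probe (constructed) [**]
[Classification: Misc Attack] [Priority: 2]
12/21-09:37:01.123456 10.0.0.5:1434 -> 192.168.1.10:1434
UDP TTL:128 TOS:0x0 ID:2 IpLen:20 DgmLen:404

[**] [1:1000003:1] LOCAL noisy rule (constructed) [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
12/21-09:37:02.000000 10.0.0.6:5555 -> 192.168.1.10:53
UDP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:70

[**] [1:1000004:1] LOCAL spyware beacon (constructed) [**]
[Classification: A Network Trojan was detected] [Priority: 1]
12/21-09:38:00.500000 192.168.1.20:1025 -> 203.0.113.9:80
TCP TTL:128 TOS:0x0 ID:4 IpLen:20 DgmLen:48 DF

[**] [1:1000005:1] LOCAL half-written record (constructed) [**]
EOF
    snapshot "$d/alert.live" "$d/alert.cur"
    new_alerts "$d/alert.prev" "$d/alert.cur" | summarize_alerts "$MAX_PRIORITY"
    rm -rf "$d"
}

case "${1-}" in
    run) run_report ;;
    *)   demo ;;
esac
```

Run with no argument to see the demo report (two lines: the Priority 2 probe and the Priority 1 beacon; the Priority 3 record and the half-written one are dropped), with "run" from cron to mail the real thing. The priority cut-off is the simplest version of "dropping off stuff you don't care about"; a grep -v on specific SIDs before summarize_alerts does the same for individual noisy rules. The diff step assumes the alert file only grows between runs, so if logrotate or a Snort restart starts a fresh file, remove the saved snapshot in the same job or the next report will repeat everything.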


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jimmy Hayes
Sent: Tuesday, December 21, 2004 9:37 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] mail notification

Hello, I just finished installing snort Version 2.2.0 (Build 30) with mysql
database and ACID.

My question is, I can see some alerts by going to my ACID site, but is there
a way or an option in snort so that it can e-mail me when an alert is
triggered? I tried looking in the manual but didn't find anything.

thanks



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide Read honest & candid reviews
on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
