SNORT: email alert
Contributor: Onnowpurbo
Sources:
* https://www.safaribooksonline.com/library/view/snort-cookbook/0596007914/ch02s16.html
* http://wiki.ipfire.org/en/addons/swatch/start
* https://ubuntuforums.org/showthread.php?t=1035589
Latest revision as of 08:45, 2 April 2017
Source: https://www.safaribooksonline.com/library/view/snort-cookbook/0596007914/ch02s16.html
Since I had to piece this together from many sites, I'm adding this here in the interest of completeness:
If you need a more robust tool for an intrusion detection system (IDS), snort bundles swatch with other tools to provide a more comprehensive solution. I'm using swatch to monitor non-system application logs. Otherwise, you're probably reinventing the wheel.
The swatch command:
swatch --config-file=swatch-auth.conf --tail-file=/var/log/auth.log --tail-args=--follow=name --daemon
swatch -- by itself uses the hidden ~/.swatchrc file as its config file and /var/log/syslog as the tail file to watch.
--config-file=<filename> -- tells swatch to use a different config file.
--tail-file=<filename> -- tells swatch to use a different tail file (the log to watch).
--tail-args=--follow=name -- tells the tail program to use the --follow=name argument instead of the -f argument. This keeps tail from "stopping" when the log rotates because tail --follow=name follows the filename, not the node id as tail -f does. Tail looks like it stopped because you're still tailing the old rolled off log file. This precludes the need to stop and start swatch for log rolling.
--daemon -- tells swatch to run the process in the background so you don't have to leave it open in an authenticated terminal.
A sample config entry to send an email (using postfix's sendmail interface) and a text message (ATT -- look up your carrier) when someone tries to su to root:
watchfor /FAILED su for root/
exec echo "Subject: auth: FAILED su for root\n\n$_\n" | sendmail "sysadmin@mydomain.org;5555555555@txt.att.net"
FAILED su for root -- the regular expression to trigger on.
exec -- executes an external command without stopping swatch to do it. In this case an echoed email piped into sendmail.
Subject: auth: FAILED su for root -- the email subject as postfix/sendmail expects it. You could add From, To, etc. to make it more robust.
\n -- line feeds. I hope those are self-explanatory.
$_ -- prints the flagged log line, not $0 or $* as the man page states!
2.15. Logging to Email
Problem
You want to send your Snort logs to email.
Solution
First, configure snort.conf to log alerts to syslog:
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments. Win32 can also
# optionally specify a particular hostname/port. Under Win32, the
# default hostname is '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
Snort sends alerts to the syslog file with the snort: prefix. Edit ~/.swatchrc to send an email when a Snort event is added to the syslog:
watchfor /snort:/
mail security@company.com,subject=Snort Alert!
Next, make sure you run Swatch to watch for syslog messages in /var/log/messages (some distributions use /var/log/syslog):
[root@localhost root]# swatch -t /var/log/messages
Lastly, run Snort in NIDS mode to use the snort.conf file to invoke the syslog output plug-in:
[root@localhost snort-2.2.x]# snort -l /var/log/snort -c /etc/snort.conf
Discussion
The easiest way to receive Snort alerts via email is to configure Swatch (available at http://swatch.sourceforge.net/) to monitor syslog and send an email when a Snort event is produced. Swatch is a log-monitoring utility that can filter messages from logfiles ...
swatch - Simple Log Analyzer
swatch is a Perl program that can run as a daemon, continuously analyze log files for certain patterns, and trigger an email notification when they appear.
You definitely need a working MTA (e.g. dma or postfix) installed on ipfire for swatch to actually work.
Furthermore, you need a configuration file that tells swatch which patterns it should look out for and which action to trigger. For example, a rule that sends an email notification on SNORT priority 1 and 2 alerts would look like this:
watchfor /Priority\: ([1|2])/
echo=normal
mail=alerts@your.domain,subject=[SNORT] Priority $1 Alert
Put this config in a file, e.g. /var/ipfire/snort/swatchrc
Then tell swatch to start in daemon mode and read the Snort log file in “tail” mode. As SNORT alert log entries are multi-line texts separated by two newlines, we also tell swatch to use two newlines as the record separator:
/usr/bin/swatch --daemon -c /var/ipfire/snort/swatchrc --input-record-separator='\n\n' -t /var/log/snort/alert
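As an added illustration (not code from this page, the Snort Cookbook or the IPFire wiki), the Python script below does what the two swatch configurations on this page do: it splits a constructed sample of /var/log/snort/alert into records on a blank line, captures the priority digit, and builds the message that the mail= action would hand to sendmail. The sample alert records, the alerts@your.domain address and the character class tightened to [12] are assumptions; passing separator="\n" reproduces the cookbook's line-oriented syslog matching and shows why a multi-line alert needs the blank-line separator to reach the mail body intact.

```python
import re
from email.message import EmailMessage

# Constructed sample of a Snort "full" alert log (not a real capture):
# each alert is a multi-line record and records are separated by a blank line.
SAMPLE_ALERT_LOG = """\
[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/02-08:45:01.123456 192.0.2.10:80 -> 192.0.2.20:51234

[**] [1:1000001:1] LOCAL test rule [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
04/02-08:45:02.000000 192.0.2.30:1234 -> 192.0.2.20:22

[**] [1:2000002:1] ET SCAN Suspicious inbound to mySQL port 3306 [**]
[Classification: Attempted Information Leak] [Priority: 1]
04/02-08:45:03.500000 198.51.100.5:40000 -> 192.0.2.20:3306
"""

# Same intent as the swatchrc line 'watchfor /Priority\: ([1|2])/', with the
# class tightened to [12] so a literal '|' cannot match (assumed change).
PRIORITY_RE = re.compile(r"Priority: ([12])\]")

def split_records(log_text, separator="\n\n"):
    """Split the log into records, as swatch's --input-record-separator does."""
    return [r.strip() for r in log_text.split(separator) if r.strip()]

def matching_alerts(log_text, separator="\n\n"):
    """Return (priority, record) for each record whose priority is 1 or 2."""
    hits = []
    for record in split_records(log_text, separator):
        m = PRIORITY_RE.search(record)
        if m:
            hits.append((int(m.group(1)), record))
    return hits

def build_mail(priority, record, to_addr="alerts@your.domain"):
    """Build the message that swatch's mail= action would pipe into sendmail."""
    msg = EmailMessage()
    msg["To"] = to_addr  # assumed recipient, as in the swatchrc above
    msg["Subject"] = f"[SNORT] Priority {priority} Alert"
    msg.set_content(record + "\n")  # the flagged record becomes the body
    return msg

if __name__ == "__main__":
    # With separator="\n" only the Priority line would reach the mail body.
    for prio, rec in matching_alerts(SAMPLE_ALERT_LOG):
        print(build_mail(prio, rec).as_string())
```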
To start this automatically at system startup, best put it in
/etc/sysconfig/rc.local
swatch, despite being named “simple”, is a very powerful tool that can be used for all sorts of neat stuff. Here is another example of what can be done: