SNORT: email alert

From OnnoWiki

Revision as of 08:26, 2 April 2017

Source: https://www.safaribooksonline.com/library/view/snort-cookbook/0596007914/ch02s16.html


2.15. Logging to Email

Problem

You want to send your Snort logs to email.

Solution

First, configure snort.conf to log alerts to syslog:

# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments.  Win32 can also
# optionally specify a particular hostname/port.  Under Win32, the
# default hostname is '127.0.0.1', and the default port is 514.
# 
# [Unix flavours should use this format...]
output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT

Snort sends alerts to the syslog file with the snort: prefix. Edit ~/.swatchrc to send an email when a Snort event is added to the syslog:

watchfor /snort:/
mail security@company.com,subject=Snort Alert!

Next, make sure you run Swatch to watch for syslog messages in /var/log/messages (some distributions use /var/log/syslog):

[root@localhost root]# swatch -t /var/log/messages

Lastly, run Snort in NIDS mode to use the snort.conf file to invoke the syslog output plug-in:

[root@localhost snort-2.2.x]# snort -l /var/log/snort -c /etc/snort.conf

Discussion

The easiest way to receive Snort alerts via email is to configure Swatch (available at http://swatch.sourceforge.net/) to monitor syslog and send an email when a Snort event is produced. Swatch is a log-monitoring utility that can filter messages from logfiles ...




swatch - Simple Log Analyzer

swatch is a Perl program that can run as a daemon, continuously analyze log files for certain patterns to appear, and then trigger an email notification.

You definitely need a working MTA (e.g. dma or postfix) installed on ipfire for swatch to actually send mail.

Furthermore, you need a configuration file that tells swatch which patterns to look out for and which action to trigger. For example, sending an email notification on SNORT priority 1 and 2 alerts would look like this:

# [12] matches a priority of 1 or 2; [1|2] is a character class that would also match a literal "|"
watchfor /Priority\: ([12])/
echo=normal
mail=alerts@your.domain,subject=[SNORT] Priority $1 Alert

Put this config in a file, e.g. /var/ipfire/snort/swatchrc

Then tell swatch to start in daemon mode and read the snort log file in "tail" mode. As SNORT alert log entries are multi-line texts separated by two newlines, we also tell swatch to use the two newlines as the record separator, so that each alert is matched as a whole:

/usr/bin/swatch --daemon -c /var/ipfire/snort/swatchrc --input-record-separator='\n\n' -t /var/log/snort/alert
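As an added example that is not part of the original page or of swatch itself, the Python script below reproduces what the swatch configuration above does on a constructed Snort alert log: it splits the file on the blank line between records (what --input-record-separator='\n\n' does for swatch), extracts the priority with a [12] character class, and builds the "[SNORT] Priority N Alert" message for priority 1 and 2 records only. The sample records, signature IDs, addresses and timestamps are constructed; the recipient alerts@your.domain and sender snort@your.domain are placeholders; send_via_local_mta assumes an MTA listening on localhost:25, as the text requires, and is not called by default.

```python
import re
import smtplib
from email.message import EmailMessage

# Constructed sample of a Snort "full" alert log (signature IDs, addresses and
# timestamps are made up). Records are separated by one blank line, which is why
# swatch is started with --input-record-separator='\n\n'.
SAMPLE_ALERT_LOG = """\
[**] [1:9000001:1] TEST web server returned uid=0 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/02-08:26:01.000001 192.0.2.10:80 -> 198.51.100.5:51234
TCP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:140 DF

[**] [1:9000002:1] TEST informational rule [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
04/02-08:26:02.000001 198.51.100.5:51235 -> 192.0.2.10:80
TCP TTL:64 TOS:0x0 ID:1235 IpLen:20 DgmLen:60 DF

[**] [1:9000003:1] TEST ssh scan [**]
[Classification: Attempted Information Leak] [Priority: 1]
04/02-08:26:03.000001 198.51.100.77:4321 -> 192.0.2.22:22
TCP TTL:57 TOS:0x0 ID:4444 IpLen:20 DgmLen:60
"""

# Same separator swatch is given on the command line.
RECORD_SEPARATOR = "\n\n"

# [12] matches the digit 1 or 2. A class written as [1|2] contains "1", "|"
# and "2", so it would also match a literal "|" character.
PRIORITY_RE = re.compile(r"\[Priority: ([12])\]")


def split_records(log_text):
    """Split the alert file into whole records, as swatch does with the separator."""
    return [rec for rec in log_text.split(RECORD_SEPARATOR) if rec.strip()]


def alert_priority(record):
    """Return 1 or 2 for a high-priority record, None for anything else."""
    match = PRIORITY_RE.search(record)
    return int(match.group(1)) if match else None


def build_notification(record, to_addr="alerts@your.domain",
                       from_addr="snort@your.domain"):
    """Mirror the swatch mail action: one message per matching record with the
    subject '[SNORT] Priority $1 Alert'. Returns None for records not mailed."""
    prio = alert_priority(record)
    if prio is None:
        return None
    msg = EmailMessage()
    msg["From"] = from_addr          # placeholder sender address
    msg["To"] = to_addr              # placeholder recipient address
    msg["Subject"] = f"[SNORT] Priority {prio} Alert"
    msg.set_content(record.rstrip("\n") + "\n")   # body is the whole alert record
    return msg


def notifications_for(log_text):
    """All messages the configuration would send for the given log content."""
    return [m for m in (build_notification(r) for r in split_records(log_text)) if m]


def send_via_local_mta(msg, host="localhost", port=25):
    """Hand the message to the local MTA (dma or postfix), which must be running."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    for msg in notifications_for(SAMPLE_ALERT_LOG):
        print(msg["Subject"])
        # send_via_local_mta(msg)   # enable on a host with a working MTA
```

Run against a real alert file by reading /var/log/snort/alert into notifications_for; because the split happens on the blank line and not per line, the mail body carries the full record (signature, classification, addresses), which is what the record-separator option buys you with swatch as well.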

To start this automatically at system startup, the best place to put the command is

/etc/sysconfig/rc.local

swatch, despite being named "simple", is a very powerful tool that can be used for all sorts of neat stuff. Here is another example of what can be done:


References