SNORT: email alert
Sumber: https://www.safaribooksonline.com/library/view/snort-cookbook/0596007914/ch02s16.html
2.15. Logging to Email Problem
You want to send your Snort logs to email. Solution
First, configure snort.conf to log alerts to syslog:
# alert_syslog: log alerts to syslog # ---------------------------------- # Use one or more syslog facilities as arguments. Win32 can also # optionally specify a particular hostname/port. Under Win32, the # default hostname is '127.0.0.1', and the default port is 514. # # [Unix flavours should use this format...] output alert_syslog: LOG_AUTH LOG_ALERT # # [Win32 can use any of these formats...] # output alert_syslog: LOG_AUTH LOG_ALERT # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
Snort sends alerts to the syslog file with the snort: prefix. Edit /.swatchrc to send an email when a Snort event is added to the syslog:
watchfor /snort:/ mail security@company.com,subject=Snort Alert!
Next, make sure you run Swatch to watch for syslog messages in /var/log/messages (some distributions use /var/log/syslog):
[root@localhost root]# swatch -t /var/log/messages
Lastly, run Snort in NIDS mode to use the snort.conf file to invoke the syslog output plug-in:
[root@localhost snort-2.2.x]# snort -l /var/log/snort -c /etc/snort.conf
Discussion
The easiest way to receive Snort alerts via email is to configure Swatch (available at http://swatch.sourceforge.net/) to monitor syslog and send an email when a Snort event is produced. Swatch is a log-monitoring utility that can filter messages from logfiles ...