[Snort-users] E-mail alerting
Carlos M Ospina 2004-09-03, 7:45 am
Is there any way to configure, with ACID, automatic alerts by e-mail? Is there any manual about that?
Thanks in advance.
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
Esler, Joel - Contractor 2004-09-03, 5:46 pm
swatch.
Harper, Patrick 2004-09-03, 5:46 pm
That is a three drink penalty
http://www.theadamsfamily.net/~erek...ing_game.txt
Prabu.S
Hello Carlos,
You can use Swatch to get e-mail alerts from Snort.
Installing Swatch is child's play, very easy. I have given below the necessary steps to configure Swatch.
Hope this will be useful. If you have any queries, you can write to me.
Prabu.S
########################################
CONFIGURATION STEPS TO SEND SNORT ALERTS AS E-MAIL:
To receive Snort alerts as e-mail, one can follow these steps:
Swatch is the widely used open source tool to enable e-mail alerts in Snort. Swatch is a utility that monitors system log files, filters out unwanted data and takes specified actions (i.e., sending e-mail, executing a script, etc.) based upon what it finds in the log files. So I have used Swatch to configure Snort to send the alerts as e-mail.
NOTE:
Here it is assumed that Snort has already been installed on the host on which this is to be tested.
[a] Swatch installation:
Download the swatch package from http://sourceforge.net/project/showfiles.php?group_id=68627
To install, simply issue the following commands:
perl Makefile.PL
make
make test
make install
make realclean

Swatch installs just like a CPAN module. If you are not familiar with this process then you may want to read about it by issuing the command:
man ExtUtils::MakeMaker

Use the perldoc command if your man cannot find the document.
If you see messages like these:
Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.

then you need to install the CPAN module(s) that it doesn't find before you can use swatch.
You can find these modules at http://search.cpan.org/.
One must download the following Perl modules from the site search.cpan.org:
1. Bit-Vector-6.3
2. Date-Calc-5.3
3. DateManip-5.42a
4. File-Tail-0.98
5. Time-HiRes-1.59
6. TimeDate-1.16
To install these Perl modules, one can follow the same steps as for Swatch. They are:
perl Makefile.PL
make
make test
make install
make realclean
The Swatch binary will be installed in the /opt/perl/bin/ directory.
Then create the swatch configuration file.
cat /etc/swatchrc.txt
==========================================================================
# Swatch configuration file
#
#
# swatch -c /etc/swatchrc -t /var/log/snort/alert
#
### Snort Alerts
## Watch for entries containing the word 'Priority' in the snort alert file.
## Display it in green on the screen
## Mail alert to alerts@yourdomain.com with subject of the email
## being "----Snort IDS Alert----"
## Log in file /var/log/IDS-scans
watchfor /Priority/
    echo green_h
    mail addresses=youruseraccount@yourdomain.com,subject=--- Snort IDS Alert ---
    exec echo $0 >> /var/log/IDS-scans
==========================================================================
THE FINAL STEPS:

[a] Start Snort in NIDS mode:

#./snort -c /snort/iexpress/snort/etc/snort.conf -l /var/log/snort

[b] Start swatch (pointing it at the Snort alert file named in the configuration file's comment, otherwise swatch tails its default system log):
cd /opt/perl/bin
#./swatch --config-file=/etc/swatchrc.txt --tail-file=/var/log/snort/alert

[c] Using Outlook Express:

Configure the user's POP3 account and you can receive the e-mails sent by Swatch for each alert based on the pattern matching the "watchfor".
########################################
Cheers,
Prabu.S
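The watchfor/mail/exec pipeline the post sets up in swatch, written out as an added example in Python (not code from the post, from swatch or from Snort) and taken one step further: it parses single-line Snort alerts, appends each match to a log sink without passing it through a shell, and builds the e-mail only for priority 1-2 alerts with a per-signature quiet period so one scan does not turn into a mail flood. The alert lines, addresses and the parse_alert/AlertMailer names are constructed for illustration; sending is left to smtplib so the block runs offline.

```python
import io
import re
from email.message import EmailMessage

# A Snort alert in the single-line ("alert_fast") layout, for example:
#   09/03-07:45:01.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**]
#   [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.5:1434 -> 10.0.0.9:1434
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]"
    r"(?:\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+))?"
)
WATCHFOR = re.compile(r"Priority")  # the post's swatch 'watchfor' pattern


def parse_alert(line):
    """Return the fields of a Snort alert line, or None if it is not one."""
    if not WATCHFOR.search(line):
        return None
    m = ALERT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])  # Snort priority: 1 is the most urgent
    fields["raw"] = line.rstrip("\n")
    return fields


class AlertMailer:
    """Stands in for the post's 'mail' and 'exec echo $0 >> file' actions:
    every match is appended to `sink` directly (no shell sees log content),
    an e-mail is built only at priority `mail_priority` or more urgent, and a
    signature (gid:sid) is not mailed again within `quiet_seconds`."""

    def __init__(self, to_addr, from_addr, sink, mail_priority=2, quiet_seconds=300):
        self.to_addr = to_addr
        self.from_addr = from_addr
        self.sink = sink            # any object with write(), e.g. an open log file
        self.mail_priority = mail_priority
        self.quiet_seconds = quiet_seconds
        self._last_mailed = {}      # (gid, sid) -> time the last e-mail went out
        self.suppressed = 0         # alerts logged but deliberately not mailed

    def handle(self, line, now):
        """Process one log line seen at time `now` (seconds); return the
        EmailMessage to send, or None when the line is only logged."""
        alert = parse_alert(line)
        if alert is None:
            return None
        self.sink.write(alert["raw"] + "\n")  # the '>> /var/log/IDS-scans' part
        if alert["prio"] > self.mail_priority:
            self.suppressed += 1
            return None
        key = (alert["gid"], alert["sid"])
        last = self._last_mailed.get(key)
        if last is not None and now - last < self.quiet_seconds:
            self.suppressed += 1
            return None
        self._last_mailed[key] = now
        return self.build_mail(alert)

    def build_mail(self, alert):
        """Build the alert e-mail; pass it to smtplib.SMTP.send_message to send."""
        msg = EmailMessage()
        msg["From"] = self.from_addr
        msg["To"] = self.to_addr
        msg["Subject"] = "--- Snort IDS Alert --- priority %d: %s" % (
            alert["prio"], alert["msg"])
        msg.set_content("%s\n\nFlow: %s %s -> %s\n" % (
            alert["raw"], alert["proto"] or "?", alert["src"] or "?",
            alert["dst"] or "?"))
        return msg


# Constructed sample lines (not real traffic): one priority-2 signature firing
# twice within five seconds, one priority-3 alert and one non-alert line.
SAMPLE_LINES = [
    "09/03-07:45:01.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.5:1434 -> 10.0.0.9:1434",
    "09/03-07:45:06.000002  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.5:1434 -> 10.0.0.10:1434",
    "09/03-07:45:11.000003  [**] [1:1000001:1] ICMP PING [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.9",
    "Sep  3 07:45:16 sensor snort[1234]: Initializing Network Interface eth0",
]


def run_sample(quiet_seconds=300):
    """Feed SAMPLE_LINES through an AlertMailer; return (mails, logged_lines)."""
    sink = io.StringIO()
    mailer = AlertMailer("alerts@yourdomain.com", "snort@yourdomain.com", sink,
                         quiet_seconds=quiet_seconds)
    mails = []
    for i, line in enumerate(SAMPLE_LINES):
        mail = mailer.handle(line, now=1000.0 + 5 * i)  # one line every 5 s
        if mail is not None:
            mails.append(mail)
    return mails, sink.getvalue().splitlines()
```

With the default 300 s quiet period the sample yields one e-mail and three logged lines; with quiet_seconds=0 the repeated signature is mailed twice, which is the flood the quiet period exists to prevent.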
Drew
Hi Prabu,
Excellent post, it prompted me to check out swatch. I had to install the
CPAN mods and the only thing different was that I had to install
Time-HiRes-1.63 instead of
Time-HiRes-1.59
They all installed ok.
I'm trying to get swatch to read the config file. I followed the directions,
but I'm getting an error:
[root@tunes etc]# swatch --config-file=/etc/swatchrc.txt
Global symbol "@page55" requires explicit package name at
/root/.swatch_script.3238 line 125.
Execution of /root/.swatch_script.3238 aborted due to compilation errors.
I put the config file in /etc and copied it exactly from below, except of
course I inserted my own email address.
Do you know what this error means?
What is the meaning of the line: /root/.swatch_script.3238 line 125.
(specifically the /root/ part.)
Thanks,
Drew
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 13. Go here: http://sf.net/ppc_contest.php
________________________________________
_______
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
| |
| M Shirk 2004-09-13, 5:46 pm |
| Swatch creates files for the user who is running swatch. So if you start
swatch as root, it checks /root/.swatchrc for your configuration and creates
the .script files.
Someone else could verify this but I think it compiles the PERL script with
your configuration options in the .swatchrc file.
The Global symbol error is a PERL error, check your .swatchrc file and look
for @page55, and check the actual Swatch script for this string. It may be a
here document or some formatting that is messed up and being interpreted as
code.
Shirkdog
http://www.shirkdog.us
>From: "Andy" <andy@page55.com>
>To: "prabu" <prabu333@hotpop.com>,<snort-users@lists.sourceforge.net>
>Subject: RE: [Snort-users] E-mail alerting
>Date: Sun, 12 Sep 2004 19:04:34 -0500
>
>Hi Prabu,
>
>Excellent post, it prompted me to check out swatch. I had to install the
>CPAN mods and the only thing different was that I had to install
>Time-HiRes-1.63 instead of
>Time-HiRes-1.59
>
>They all installed ok.
>
>I'm trying to get swatch to read the config file. I followed the
>directions,
>but I'm getting an error:
>
>[root@tunes etc]# swatch --config-file=/etc/swatchrc.txt
>Global symbol "@page55" requires explicit package name at
>/root/.swatch_script.3238 line 125.
>Execution of /root/.swatch_script.3238 aborted due to compilation errors.
>
>I put the config file in /etc and copied it exactly from below, except of
>course I inserted my own email address.
>
>Do you know what this error means?
>
>What is the meaning of the line: /root/.swatch_script.3238 line 125.
>(specifically the /root/ part.)
>
>Thanks,
>
>Drew
> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net
>[mailto:snort-users-admin@lists.sourceforge.net]On Behalf Of prabu
> Sent: Saturday, September 04, 2004 12:30 AM
> To: snort-users@lists.sourceforge.net; Carlos M Ospina
> Subject: Re: [Snort-users] E-mail alerting
>
>
> Hello Carlos,
> You can use Swatch to get emails alerts from Snort.
>
> Installing Swatch is just child's play, very easy. I have given below
>the necessary steps to configure Swatch.
> Hope this will be useful. If you have any queries, you can write to
>me.
>
>
> Prabu.S
>
>
>
>
> ########################################
####################################
> ########################################
####
>
>
>
> CONFIGURATION STEPS TO SEND SNORT ALERTS AS E-MAIL:
>
>
>
> To receive Snort alerts as e-mail, one can follow these steps:
>
> Swatch is the widely used open source tool to enable e-mail alerts in
>Snort. Swatch is a utility that monitors system log files, filters out
>unwanted data and takes specified actions (i.e., sending email, executing
>a script, etc.) based upon what it finds in the log files. So I have used
>Swatch to configure Snort to send the alerts as e-mail.
>
> NOTE:
> Here, it is assumed that Snort has already been installed on the host
>on which this is to be tested.
>
> [a] Swatch installation:
>
> Download the swatch package, from
>http://sourceforge.net/project/show...?group_id=68627
> To install, simply issue the following commands:
>
> perl Makefile.PL
> make
> make test
> make install
> make realclean
>
> Swatch installs just like a CPAN module. If you are not familiar with
>this
>process then you may want to read about it by issuing the command:
>
> man ExtUtils::MakeMaker
>
> Use the perldoc command if your man cannot find the document.
>
> If you see messages like these:
>
> Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
> Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
> Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
> Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.
>
>
> Then you need to install the CPAN module(s) that it doesn't find, before
>you can use swatch.
> You can find these modules at http://search.cpan.org/.
>
> One must download the following Perl modules from the site search.cpan.org
>
> 1.Bit-Vector-6.3
> 2.Date-Calc-5.3
> 3.DateManip-5.42a
> 4.File-Tail-0.98
> 5.Time-HiRes-1.59
> 6.TimeDate-1.16
>
> To install these Perl modules, one can follow the same steps as for
>Swatch. They are:
>
> perl Makefile.PL
> make
> make test
> make install
> make realclean
>
> The Swatch binary will be installed in the /opt/perl/bin/ directory
>
> Then create the swatch configuration file.
>
> cat /etc/swatchrc.txt
>
> ========================================
==================
> # Swatch configuration file
>
> #
> #
> # swatch -c /etc/swatchrc -t /var/log/snort/alert
> #
> ### Snort Alerts
> ## Watch for entries containing the word 'Priority' in the
>snort
>alert file.
> ## Display it in green on the screen
> ## Mail alert to alerts@yourdomain.com with subject of the email
> ## being "----Snort IDS Alert----"
> ## Log in file /var/log/IDS-scans
>
>
> watchfor /Priority/
> echo green_h
> mail addresses=youruseraccount@yourdomain.com ,subject=--- Snort
>IDS Alert ---
> exec echo $0 >> /var/log/IDS-scans
>
> ========================================
====================
>
> THE FINAL STEPS:
>
> [a] Start Snort in NIDS mode:
>
> #./snort -c /snort/iexpress/snort/etc/snort.conf -l /var/log/snort.
>
> [b] Start swatch:
>
> cd /opt/perl/bin
> #./swatch --config-file=/etc/swatchrc.txt --tail-file=/var/log/snort/alert
>
> [c] Using Outlook Express:
>
> configure the user's POP3 account and you can receive the emails sent
>by Swatch for each alert based on the pattern
> matching the "watchfor"
>
>
>
>
> ########################################
####################################
>##############################
>
>
> Cheers,
> Prabu.S
>
>
>
>
>
> ----- Original Message -----
> From: Carlos M Ospina
> To: snort-users@lists.sourceforge.net
> Sent: Friday, September 03, 2004 7:08 PM
> Subject: [Snort-users] E-mail alerting
>
>
>
> Is there any way to configure, with ACID, automatic alerts by e-mail? Is
>there any manual about that?
>
> Thanks in advance.
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.751 / Virus Database: 502 - Release Date: 9/2/2004
| |
|
| Hi Andy,
I was busy with my work for the past three days; I didn't even check the Snort list. Just now I checked my mails and saw your request. Well, I could not come to a conclusion about what the error might be. Send the line in your script (i.e., /root/.swatch_script.3238) where the error points out. I think the mail-id was the problem for the error.
First, are you running Snort on the "page555" server or the "tunes" server? What is the hostname of the machine where you have installed Snort and Swatch?
See, you can send alerts to the user accounts on the machine where you have installed all those stuffs. So change the email-id in the configuration file.
This would help you, I hope.
NOTE:
/root/.swatch_script.3238 ---- this is the script that is generated automatically while running swatch.
Cheers,
Prabu.S
----- Original Message -----
From: Andy
To: prabu ; snort-users@lists.sourceforge.net
Sent: Monday, September 13, 2004 5:34 AM
Subject: RE: [Snort-users] E-mail alerting
Hi Prabu,
Excellent post, it prompted me to check out swatch. I had to install the CPAN mods and the only thing different was that I had to install Time-HiRes-1.63 instead of Time-HiRes-1.59
They all installed ok.
I'm trying to get swatch to read the config file. I followed the directions, but I'm getting an error:
[root@tunes etc]# swatch --config-file=/etc/swatchrc.txt
Global symbol "@page55" requires explicit package name at /root/.swatch_script.3238 line 125.
Execution of /root/.swatch_script.3238 aborted due to compilation errors.
I put the config file in /etc and copied it exactly from below, except of course I inserted my own email address.
Do you know what this error means?
What is the meaning of the line: /root/.swatch_script.3238 line 125. (specifically the /root/ part.)
Thanks,
Drew
-----Original Message-----
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of prabu
Sent: Saturday, September 04, 2004 12:30 AM
To: snort-users@lists.sourceforge.net; Carlos M Ospina
Subject: Re: [Snort-users] E-mail alerting
Hello Carlos,
You can use Swatch to get email alerts from Snort.
Installing Swatch is just child's play, very easy. I have given below the necessary steps to configure Swatch.
Hope this will be useful. If you have any queries, you can write to me.
Prabu.S
########################################################################
CONFIGURATION STEPS TO SEND SNORT ALERTS AS E-MAIL:
To receive Snort alerts as e-mail, one can follow these steps:
Swatch is the widely used open source tool to enable e-mail alerts in Snort. Swatch is a utility that monitors system log files, filters out unwanted data and takes specified actions (i.e., sending email, executing a script, etc.) based upon what it finds in the log files. So I have used Swatch to configure Snort to send the alerts as e-mail.
NOTE:
Here, it is assumed that Snort has already been installed on the host on which this is to be tested.
[a] Swatch installation:
Download the swatch package from http://sourceforge.net/project/show...roup_id=68627
To install, simply issue the following commands:
perl Makefile.PL
make
make test
make install
make realclean
Swatch installs just like a CPAN module. If you are not familiar with this process then you may want to read about it by issuing the command:
man ExtUtils::MakeMaker
Use the perldoc command if your man cannot find the document.
If you see messages like these:
Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.
Then you need to install the CPAN module(s) that it doesn't find, before you can use swatch.
You can find these modules at http://search.cpan.org/.
One must download the following Perl modules from the site search.cpan.org
1.Bit-Vector-6.3
2.Date-Calc-5.3
3.DateManip-5.42a
4.File-Tail-0.98
5.Time-HiRes-1.59
6.TimeDate-1.16
To install these Perl modules, one can follow the same steps as for Swatch.
They are:
perl Makefile.PL
make
make test
make install
make realclean
The Swatch binary will be installed in the /opt/perl/bin/ directory
Then create the swatch configuration file.
cat /etc/swatchrc.txt
======================================================================
# Swatch configuration file
#
#
# swatch -c /etc/swatchrc -t /var/log/snort/alert
#
### Snort Alerts
## Watch for entries containing the word 'Priority' in the snort alert file.
## Display it in green on the screen
## Mail alert to alerts@yourdomain.com with subject of the email
## being "----Snort IDS Alert----"
## Log in file /var/log/IDS-scans
watchfor /Priority/
echo green_h
mail addresses=youruseraccount@yourdomain.com ,subject=--- Snort IDS Alert ---
exec echo $0 >> /var/log/IDS-scans
======================================================================
THE FINAL STEPS:
[a] Start Snort in NIDS mode:
#./snort -c /snort/iexpress/snort/etc/snort.conf -l /var/log/snort.
[b] Start swatch:
cd /opt/perl/bin
#./swatch --config-file=/etc/swatchrc.txt --tail-file=/var/log/snort/alert
[c] Using Outlook Express:
configure the user's POP3 account and you can receive the emails sent by Swatch for each alert based on the pattern matching the "watchfor"
########################################################################
Cheers,
Prabu.S
----- Original Message -----
From: Carlos M Ospina
To: snort-users@lists.sourceforge.net
Sent: Friday, September 03, 2004 7:08 PM
Subject: [Snort-users] E-mail alerting
Is there any way to configure, with ACID, automatic alerts by e-mail? Is there any manual about that?
Thanks in advance.
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.751 / Virus Database: 502 - Release Date: 9/2/2004
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.760 / Virus Database: 509 - Release Date: 9/10/2004
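The procedure discussed in this post (Prabu's swatchrc that watches for /Priority/ in the Snort alert file, the "Global symbol "@page55" requires explicit package name" error Andy reports, and the advice elsewhere in the thread to look at the Perl script swatch generates) is illustrated by the following added example. It is not code from the thread and not part of swatch itself: a small swatch-like watcher in Python that parses the thread's configuration, replays constructed Snort full-format alert records through it, and lints the mail line for the cause of that error. swatch compiles the config into a Perl script; inside a Perl double-quoted string an unescaped @page55 is array interpolation, and under use strict Perl reports exactly that message. The fix the lint applies, escaping the address as \@, is assumed to be what the thread's swatch version accepts, so confirm it against man swatch before relying on it. The swatchrc text, the alert records and the placeholder address are all constructed for the example. Two practitioner points are built in: a match on /Priority/ alone mails a line carrying only classification and priority, so the watcher attaches the preceding [**] header line; and mailing every match floods the mailbox, so matches are filtered on Snort priority (1 is the most severe) before they go to mail. Note also that the comment at the top of the config names the alert file with -t: swatch has to be started with --tail-file=/var/log/snort/alert, otherwise it tails its default system log rather than the Snort alert file.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple
# Constructed swatchrc in the shape of the thread's; the address is the
# thread's own placeholder, not a real mailbox.
SWATCHRC = """\
# swatch -c /etc/swatchrc -t /var/log/snort/alert
watchfor /Priority/
echo green_h
mail addresses=youruseraccount@yourdomain.com,subject=--- Snort IDS Alert ---
exec echo $0 >> /var/log/IDS-scans
"""

# Constructed records in Snort's default "full" alert layout: a [**] header,
# a classification/priority line, then timestamp, endpoints and protocol.
SNORT_ALERT = """\
[**] [1:2003:8] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
09/03-10:12:34.123456 10.0.0.5:1434 -> 192.168.1.10:1434
UDP TTL:128 TOS:0x0 ID:1234 IpLen:20 DgmLen:404

[**] [1:1000001:1] LOCAL test rule [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
09/03-10:13:01.000001 192.168.1.20:40000 -> 192.168.1.10:22
TCP TTL:64 TOS:0x0 ID:5 IpLen:20 DgmLen:60
"""

@dataclass
class Rule:
    pattern: "re.Pattern"
    actions: List[Tuple[str, str]] = field(default_factory=list)

def parse_swatchrc(text: str) -> List[Rule]:
    """'watchfor /regex/' followed by action lines (echo, mail, exec)."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"watchfor\s+/(.*)/\s*$", line)
        if m:
            rules.append(Rule(re.compile(m.group(1))))
            continue
        name, _, arg = line.partition(" ")
        rules[-1].actions.append((name, arg.strip()))
    return rules

def unescaped_at_signs(text: str) -> List[str]:
    """Mail addresses whose '@' is not backslash-escaped. swatch compiles the
    config into Perl, where '@page55' in a double-quoted string is array
    interpolation; under 'use strict' that is the thread's error message."""
    bad: List[str] = []
    for rule in parse_swatchrc(text):
        for name, arg in rule.actions:
            m = re.search(r"addresses=([^,]+)", arg) if name == "mail" else None
            if m:
                bad += [a.strip() for a in m.group(1).split(":")
                        if re.search(r"(?<!\\)@", a)]
    return bad

def escape_addresses(text: str) -> str:
    """Rewrite 'addresses=user@host' as 'user\\@host' (assumed escaping; see man swatch)."""
    fix = lambda m: "addresses=" + re.sub(r"(?<!\\)@", r"\\@", m.group(1))
    return re.sub(r"addresses=([^,\s]+)", fix, text)

@dataclass
class Notification:
    header: str         # the '[**] [gid:sid:rev] msg [**]' line before the match
    matched: str        # the line that satisfied 'watchfor'
    priority: int       # Snort priority (1 = most severe), -1 if absent
    actions: List[str]  # what each swatch action would have done

def watch(alert_text: str, rules: List[Rule]) -> List[Notification]:
    """Replay the alert file line by line as tail-driven swatch would; actions are rendered, not run."""
    out: List[Notification] = []
    prev = ""
    for line in alert_text.splitlines():
        for rule in rules:
            if not rule.pattern.search(line):
                continue
            done = []
            for name, arg in rule.actions:
                if name == "echo":
                    done.append(f"echo[{arg}]: {line}")
                elif name == "mail":
                    # swatch mails only the matched line; carry the header along
                    done.append(f"mail {arg}: {prev} | {line}")
                elif name == "exec":
                    # swatch puts the whole matched line in place of $0 and runs it via a shell
                    done.append("exec: " + arg.replace("$0", line))
            pm = re.search(r"\[Priority:\s*(\d+)\]", line)
            out.append(Notification(prev, line, int(pm.group(1)) if pm else -1, done))
        prev = line
    return out

def select_for_mail(notes: List[Notification], max_priority: int = 2) -> List[Notification]:
    """Mailing every match floods the mailbox; keep only the serious ones."""
    return [n for n in notes if 0 < n.priority <= max_priority]
```

To check a real configuration, pass the contents of /etc/swatchrc.txt to unescaped_at_signs; to replay a real alert file, pass it to watch with the parsed rules. Replace the rendering in watch with an smtplib call or a file append only once the address check passes and the priority filter is tuned for your rule set.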
| |
| Jose Maria Lopez 2004-09-15, 9:56 am |
| On Mon, 13 Sep 2004 at 19:00, M Shirk wrote:
> Swatch creates files for the user who is running swatch. So if you start
> swatch as root, it checks /root/.swatchrc for your configuration and creates
> the .script files.
>
> Someone else could verify this but I think it compiles the PERL script with
> your configuration options in the .swatchrc file.
>
> The Global symbol error is a PERL error, check your .swatchrc file and look
> for @page55, and check the actual Swatch script for this string. It may be a
> here document or some formatting that is messed up and being interpreted as
> code.
>
> Shirkdog
> http://www.shirkdog.us
>
He can also check the script that is created by swatch and
that it's giving the error. Swatch creates a script file
for each run, and that file contains the actual code that
swatch is running. It can help to find the error in the
real swatchrc file.
--
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@bgsec.com
bgSEC Security and IT Systems Consulting
http://www.bgsec.com
SPAIN
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
| |
|
| Hi Prabu,
I cannot find this file. Locate does not find any files named
swatch_script.*
Snort and Swatch are installed on the "tunes.page55.com" server, and the
mailserver I want alerts to be sent to is another server called "page55.com"
Do I need a mail client running on Tunes? Sendmail is there by default. I'm
not sure how it works, but I'm guessing that Snort would use the default
email client to send an email...
Thank you for your reply, I wish I could get you the script info... I will
continue hunting .....
Andy
-----Original Message-----
From: prabu [mailto:prabu333@hotpop.com]
Sent: Tuesday, September 14, 2004 1:08 AM
To: Andy; snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] E-mail alerting
Hi Andy,
I was busy with my work for the past three days, I didn't even check the
snort list. Just now I checked my mails and saw your request. Well, I could not
come to a conclusion on what might be the error. Send the line in your
script (i.e., /root/.swatch_script.3238) where the error points. I think the
mail-id was the problem for the error.
First, are you running snort on the "page555" server or the "tunes" server? What is the
hostname of the machine where you have installed Snort and Swatch?
See, you can send alerts to the user accounts on the machine where you have
installed all those things. So change the email-id in the configuration
file.
This would help you, I hope.
NOTE:
/root/.swatch_script.3238 ---- this is the script that is generated
automatically while running swatch.
Cheers,
Prabu.S
----- Original Message -----
From: Andy
To: prabu ; snort-users@lists.sourceforge.net
Sent: Monday, September 13, 2004 5:34 AM
Subject: RE: [Snort-users] E-mail alerting
Hi Prabu,
Excellent post, it prompted me to check out swatch. I had to install the
CPAN mods and the only thing different was that I had to install
Time-HiRes-1.63 instead of
Time-HiRes-1.59
They all installed ok.
I'm trying to get swatch to read the config file. I followed the
directions, but I'm getting an error:
[root@tunes etc]# swatch --config-file=/etc/swatchrc.txt
Global symbol "@page55" requires explicit package name at
/root/.swatch_script.3238 line 125.
Execution of /root/.swatch_script.3238 aborted due to compilation
errors.
I put the config file in /etc and copied it exactly from below, except
of course I inserted my own email address.
Do you know what this error means?
What is the meaning of the line: /root/.swatch_script.3238 line 125.
(specifically the /root/ part.)
Thanks,
Drew
-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net]On Behalf Of prabu
Sent: Saturday, September 04, 2004 12:30 AM
To: snort-users@lists.sourceforge.net; Carlos M Ospina
Subject: Re: [Snort-users] E-mail alerting
Hello Carlos,
You can use Swatch to get emails alerts from Snort.
Installing Swatch is just child's play, very easy. I have given
below the necessary steps to configure Swatch.
Hope this will be useful. If you have any queries, you can write to
me.
Prabu.S
########################################################################
CONFIGURATION STEPS TO SEND SNORT ALERTS AS E-MAIL:
To receive Snort alerts as E-mail, one can follow these steps:
Swatch is the widely used Open Source tool to enable e-mail alerts in Snort.
Swatch is a utility that monitors system log files, filters out unwanted data
and takes specified actions (i.e., sending email, executing a script, etc.)
based upon what it finds in the log files. So I have used Swatch to configure
snort to send the alerts as E-mail.
NOTE:
Here, it is considered that snort has already been installed on the
host on which this is to be tested.
[a] Swatch installation:
Download the swatch package, from
http://sourceforge.net/project/show...?group_id=68627
To install, simply issue the following commands:
perl Makefile.PL
make
make test
make install
make realclean
Swatch installs just like a CPAN module. If you are not familiar with
this process then you may want to read about it by issuing the command:
man ExtUtils::MakeMaker
Use the perldoc command if your man cannot find the document.
If you see messages like these:
Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.
Then you need to install the CPAN module(s) that it doesn't find,
before you can use swatch.
You can find these modules at http://search.cpan.org/.
One must download the following PERL modules from the site search.cpan.org
1.Bit-Vector-6.3
2.Date-Calc-5.3
3.DateManip-5.42a
4.File-Tail-0.98
5.Time-HiRes-1.59
6.TimeDate-1.16
To install these PERL modules, one can follow the same steps as given
for Swatch. They are:
perl Makefile.PL
make
make test
make install
make realclean
The Swatch binary will be installed at the /opt/perl/bin/ directory
Then create the swatch configuration file.
cat /etc/swatchrc.txt
==========================================================
# Swatch configuration file
#
#
# swatch -c /etc/swatchrc -t /var/log/snort/alert
#
### Snort Alerts
## Watch for entries containing the word 'Priority' in the snort alert file.
## Display it in green on the screen
## Mail alert to alerts@yourdomain.com with subject of the email
## being "----Snort IDS Alert----"
## Log in file /var/log/IDS-scans
watchfor /Priority/
        echo green_h
        mail addresses=youruseraccount@yourdomain.com,subject=--- Snort IDS Alert ---
        exec echo $0 >> /var/log/IDS-scans
==========================================================
THE FINAL STEPS:
[a] Start Snort in NIDS mode:
#./snort -c /snort/iexpress/snort/etc/snort.conf -l /var/log/snort
[b] Start swatch:
cd /opt/perl/bin
#./swatch --config-file=/etc/swatchrc.txt
[c] Using Outlook Express:
configure the user's POP3 account and you can receive the emails
sent by Swatch for each alert based on the pattern
matching the "watchfor"
########################################################################
Cheers,
Prabu.S
----- Original Message -----
From: Carlos M Ospina
To: snort-users@lists.sourceforge.net
Sent: Friday, September 03, 2004 7:08 PM
Subject: [Snort-users] E-mail alerting
Is there any way to configure, with acid, automatic alerts by e-mail?
Is there any manual about that?
Thanks in advance.
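To make the swatchrc semantics this thread turns on (watchfor, echo, mail, exec) and the cause of the "@page55" compile error concrete, here is an added Python example; it is not code from the thread or from swatch itself. It parses a config shaped like Prabu's, runs it over constructed Snort alert lines without performing any action, and lints for an unescaped "@" that swatch's generated Perl script would interpolate; the `\@` escape it mentions is an assumption about the usual swatch remedy, not something the thread states.

```python
import re

# Constructed swatchrc like the one posted in the thread; '@' left unescaped so the lint flags it.
SWATCHRC = """\
# Swatch configuration file
watchfor /Priority/
    echo green_h
    mail addresses=youruseraccount@yourdomain.com,subject=--- Snort IDS Alert ---
    exec echo $0 >> /var/log/IDS-scans
"""

# Constructed Snort fast-alert lines; the third has no Priority field.
ALERT_LOG = """\
09/18-19:44:05.123456 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 192.0.2.20
09/18-19:44:06.000001 [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.0.2.10 -> 192.0.2.20
09/18-19:44:07.000002 [**] [1:1000001:1] local test rule [**] {TCP} 192.0.2.30:4444 -> 192.0.2.20:22
"""

def parse_swatchrc(text):
    """Return [(compiled_regex, [(action, argument), ...]), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, arg = (line.split(None, 1) + [""])[:2]
        if kind == "watchfor":
            m = re.fullmatch(r"/(.*)/", arg)
            if not m:
                raise ValueError(f"bad watchfor: {line}")
            rules.append((re.compile(m.group(1)), []))
        elif kind in ("echo", "mail", "exec"):
            if not rules:
                raise ValueError(f"action before any watchfor: {line}")
            rules[-1][1].append((kind, arg))
        else:
            raise ValueError(f"unsupported directive: {line}")
    return rules

def parse_mail_arg(arg):
    """'addresses=a:b,subject=text' -> (['a', 'b'], 'text'); splits only at
    the comma before 'subject=' so the subject itself may contain commas."""
    addresses, subject = [], ""
    for part in re.split(r",(?=subject=)", arg):
        key, _, val = part.strip().partition("=")
        if key == "addresses":
            addresses = [a for a in val.strip().split(":") if a]
        elif key == "subject":
            subject = val
    return addresses, subject

def expand_exec(command, line):
    """swatch's exec substitution: $0 or $* is the whole matched line, $N is
    field N.  The line is spliced into a shell command verbatim (no quoting),
    which matters whenever log text can be attacker-influenced."""
    fields = line.split()
    def sub(m):
        tok = m.group(1)
        if tok in ("0", "*"):
            return line
        i = int(tok)
        return fields[i - 1] if 0 < i <= len(fields) else ""
    return re.sub(r"\$(\d+|\*)", sub, command)

def run(rules, log_text):
    """Feed each line through the rules as swatch does when tailing the alert
    file; actions are recorded, not performed, so a config can be checked
    without sending mail or touching /var/log."""
    events = []
    for line in log_text.splitlines():
        for pattern, actions in rules:
            if not pattern.search(line):
                continue
            for kind, arg in actions:
                if kind == "echo":
                    events.append(("echo", {"mode": arg, "line": line}))
                elif kind == "mail":
                    to, subject = parse_mail_arg(arg)
                    events.append(("mail", {"to": to, "subject": subject, "body": line}))
                else:
                    events.append(("exec", expand_exec(arg, line)))
    return events

UNESCAPED_AT = re.compile(r"(?<!\\)@(?=\w)")

def lint_perl_interpolation(text):
    """Return (line_no, symbol) for each unescaped '@word' outside comments.
    swatch 3.x copies rc values into a generated Perl script (the thread's
    /root/.swatch_script.NNNN); in a double-quoted Perl string '@page55' is an
    array, hence 'Global symbol "@page55" requires explicit package name'.
    Escaping it as user\\@page55.com is the assumed remedy (not in the thread)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for m in UNESCAPED_AT.finditer(line):
            symbol = "@" + re.match(r"\w+", line[m.end():]).group(0)
            findings.append((n, symbol))
    return findings
```

Running `lint_perl_interpolation(SWATCHRC)` reports line 4 and the symbol `@yourdomain`, the same shape of symbol that the thread's `@page55` error names.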
| |
|
| Ok, I think I'm getting close.
In /etc/swatchrc.txt, I removed the ADDRESS part of the mail command, and
swatch now runs, AND the /root/.swatch_script.1234 file is created and I can
actually find it.
I get this:
*** swatch version 3.1.1 (pid:2009) started at Sat Sep 18 19:44:05 CDT 2004
To test, I did a port scan, and this popped up:
Invalid attribute name green_h at
/usr/lib/perl5/site_perl/5.6.1/Swatch/Actions.pm line 58
I commented the "echo green_h" line out, and I don't get the "Invalid
attribute name........" error anymore.
Still not getting email alerts however. Do I need the "echo green_h" ? I
would think not....
Next, I changed the logging path, to /var/log/snort to match snort:
[root@tunes andy]# snort -c /etc/snort/snort.conf -l /var/log/snort
Running in IDS mode
Log directory = /var/log/snort
Still not getting email alerts however.
This is my current swatchrc file:
[root@tunes etc]# more swatchrc.txt
# Swatch configuration file
#
#
# swatch -c /etc/swatchrc -t /var/log/snort/alert
#
### Snort Alerts
## Watch for entries containing the word 'Priority' in the snort
alert file.
## Display it in green on the screen
## Mail alert to alerts@yourdomain.com with subject of the email
## being "----Snort IDS Alert----"
## Log in file /var/log/IDS-scans
watchfor /Priority/
# echo green_h
mail andy@page55.com ,subject=--- Snort IDS Alert ---
exec echo $0 >> /var/log/snort
Any ideas, I've got to be sooooo close.....
Thanks,
Andy
-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net]On Behalf Of Andy
: Saturday, September 18, 2004 8:01 PM
To: snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] E-mail alerting
Hi Prabu,
I cannot find this file. Locate does not find any files named
swatch_script.*
Snort and Swatch are installed on the "tunes.page55.com" server, and the
mailserver I want alerts to be sent to is another server called "page55.com"
Do I need a mail client running on Tunes? Sendmail is there by default.
I'm not sure how it works, but I'm guessing that Snort would use the default
email client to send an email...
Thankyou for your reply, I wish I could get you the script info... I will
continue hunting .....
Andy
-----Original Message-----
From: prabu [mailto:prabu333@hotpop.com]
Sent: Tuesday, September 14, 2004 1:08 AM
To: Andy; snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] E-mail alerting
Hi Andy,
I was busy with my work for past three days,I didn't even check
snort list.Just now,I checked my mails,saw ur request.Well,I could not get
into a conclusion,what might be the error.Send the line in ur
script(ie,/root/.swatch_script.3238 ),where the error points out.I think,the
mail-id was the problem
for the error.
First,R u running snort on "page555" server or "tunes" server.What is
the hostname of the machine,where u have installed Snort and Swatch.
See,u can send alerts to the useraccounts on the machine,where u have
installed all thoses stuffs.So change the email-id in the configuration
file.
This would help U,I hope.
NOTE:
/root/.swatch_script.3238 ----.this is the script that is generated
automatically,while running swatch.
Cheers,
Prabu.S
----- Original Message -----
From: Andy
To: prabu ; snort-users@lists.sourceforge.net
Sent: Monday, September 13, 2004 5:34 AM
Subject: RE: [Snort-users] E-mail alerting
Hi Prabu,
Excellent post, it prompted me to check out swatch. I had to install
the CPAN mods and the only thing different was that I had to install
Time-HiRes-1.63 instead of
Time-HiRes-1.59
They all installed ok.
I'm trying to get swatch to read the config file. I followed the
directions, but I'm getting an error:
[root@tunes etc]# swatch --config-file=/etc/swatchrc.txt
Global symbol "@page55" requires explicit package name at
/root/.swatch_script.3238 line 125.
Execution of /root/.swatch_script.3238 aborted due to compilation
errors.
I put the config file in /etc and copied it exactly from below, except
of course I inserted my own email address.
Do you know what this error means?
What is the meaning of the line: /root/.swatch_script.3238 line 125.
(specifically the /root/ part.)
Thanks,
Drew
-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net]On Behalf Of prabu
Sent: Saturday, September 04, 2004 12:30 AM
To: snort-users@lists.sourceforge.net; Carlos M Ospina
Subject: Re: [Snort-users] E-mail alerting
Hello Carlos,
You can use Swatch to get emails alerts from Snort.
Installing Swatch,is just a child's play,very easier.I have given
below the necessary steps to configure Swatch.
Hope,this will be useful.If you have,any queries,you can write to
me.............................
Prabu.S
########################################
####################################
########################################
####
CONFIGURATION STEPS TO SEND SNORT ALERTS AS E-MAIL:
To receives Snort alerts as E-mail, one can follow the following
steps:
Swatch is the widely used Open Source tool to
enable E mail alerts in Snort. Swatch is a utility that monitors system log
files, filters out
unwanted data and takes specified actions (i.e., sending email,
executing a script, etc.) based upon what it finds in the log files. So I
have used
Swatch to configure snort to send the alerts as E-mail.
NOTE:
Here, it is considered that snort have been already installed on
the host, in which this is to be tested.
[a] Swatch installation:
Download the swatch package, from
http://sourceforge.net/project/show...?group_id=68627
To install, simply issue the following commands:
perl Makefile.PL
make
make test
make install
make realclean
Swatch installs just like a CPAN module. If you are not familiar
with this process then you may want to read about it by issuing the command:
man ExtUtils::MakeMaker
Use the perldoc command if your man cannot find the document.
If you see messages like these:
Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line
219.
Then you need to install the CPAN module(s) that it doesn't find,
before you can use swatch.
You can find these modules at http://search.cpan.org/.
One must download following PERL modules from the site
search.cpan.org
1.Bit-Vector-6.3
2.Date-Calc-5.3
3.DateManip-5.42a
4.File-Tail-0.98
5.Time-HiRes-1.59
6.TimeDate-1.16
To install these PERL modules,one can follow the same steps as said
per Swatch,
They are,
perl Makefile.PL
make
make test
make install
make realclean
The Swatch binary will be installed at the /opt/perl/bin/ directory
Then create the swatch configuratiobn file.
cat /etc/swatchrc.txt
========================================
==================
# Swatch configuration file
#
#
# swatch -c /etc/swatchrc -t /var/log/snort/alert
#
### Snort Alerts
## Watch for entries containing the word 'Priority' in the
snort alert file.
## Display it in green on the screen
## Mail alert to alerts@yourdomain.com with subject of the
email
## being "----Snort IDS Alert----"
## Log in file /var/log/IDS-scans
watchfor /Priority/
echo green_h
mail addresses=youruseraccount@yourdomain.comt ,subject=---
Snort IDS Alert ---
exec echo $0 >> /var/log/IDS-scans
========================================
====================
THE FINAL STEPS:
[a] Start Snort in NIDS mode:
#./snort -c /snort/iexpress/snort/etc/snort.conf -l
/var/log/snort.
[b] Start swatch:
cd /opt/perl/bin
#./swatch --config-file=/etc/swatchrc.txt
[c] Using Outlook Express:
configure the User's POP3 account and you can recieve the emails
send by Swatch for each alerts based on the patter
matching the "watchfor"
########################################
####################################
##############################
Cheers,
Prabu.S
----- Original Message -----
From: Carlos M Ospina
To: snort-users@lists.sourceforge.net
Sent: Friday, September 03, 2004 7:08 PM
Subject: [Snort-users] E-mail alerting
Is there any way to configure, with acid, automatic alerts by e-mail? Is
there any manual about that?
Thanks in advance.
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.751 / Virus Database: 502 - Release Date: 9/2/2004
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.760 / Virus Database: 509 - Release Date: 9/10/2004
| |
|
| JUST SOME ADDITIONAL INFORMATION:
you wrote:
> I was busy with my work for the past three days, I didn't even check the
> snort list. Just now, I checked my mails, saw ur request. Well, I could not
> get into a conclusion what might be the error. Send the line in ur
> script (ie, /root/.swatch_script.3238), where the error points out. I think
> the mail-id was the problem for the error.
this is line 125 that was giving me the error before I removed the ADDRESS
portion of the mail command:
----------------------------------------------------------------------------
      $swatch_last_flush = $swatch_time_now;
    }
    if (/Priority/) {
      &Swatch::Actions::send_email('ADDRESSES' => "andy\@page55.com",
          'MESSAGE' => "$_", 'SUBJECT' => "--- Snort IDS Alert ---", );
      &Swatch::Actions::exec_command('MESSAGE' => "$_",
          'COMMAND' => "echo $0 >> /var/log/snort", );
      next;
----------------------------------------------------------------------------
AND FYI, I DID verify that snort is actively logging .....
thanks,
Andy
-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net]On Behalf Of Andy
Sent: Saturday, September 18, 2004 9:34 PM
To: snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] E-mail alerting
Ok, I think I'm getting close.
In /etc/swatchrc.txt, I removed the ADDRESS part of the mail command, and
swatch now runs, AND the /root/.swatch_script.1234 file is created and I can
actually find it.
I get this:
*** swatch version 3.1.1 (pid:2009) started at Sat Sep 18 19:44:05 CDT
2004
To test, I did a port scan, and this popped up:
Invalid attribute name green_h at
/usr/lib/perl5/site_perl/5.6.1/Swatch/Actions.pm line 58
I commented the "echo green_h" line out, and I don't get the "Invalid
attribute name........" error anymore.
Still not getting email alerts however. Do I need the "echo green_h" ? I
would think not....
Next, I changed the logging path, to /var/log/snort to match snort:
[root@tunes andy]# snort -c /etc/snort/snort.conf -l /var/log/snort
Running in IDS mode
Log directory = /var/log/snort
Still not getting email alerts however.
This is my current swatchrc file:
[root@tunes etc]# more swatchrc.txt
# Swatch configuration file
#
#
# swatch -c /etc/swatchrc -t /var/log/snort/alert
#
### Snort Alerts
## Watch for entries containing the word 'Priority' in the snort alert file.
## Display it in green on the screen
## Mail alert to alerts@yourdomain.com with subject of the email
## being "----Snort IDS Alert----"
## Log in file /var/log/IDS-scans
watchfor /Priority/
# echo green_h
mail andy@page55.com ,subject=--- Snort IDS Alert ---
exec echo $0 >> /var/log/snort
Any ideas, I've got to be sooooo close.....
Thanks,
Andy
-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net]On Behalf Of Andy
Sent: Saturday, September 18, 2004 8:01 PM
To: snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] E-mail alerting
Hi Prabu,
I cannot find this file. Locate does not find any files named
swatch_script.*
Snort and Swatch are installed on the "tunes.page55.com" server, and
the mailserver I want alerts to be sent to is another server called
"page55.com"
Do I need a mail client running on Tunes? Sendmail is there by default.
I'm not sure how it works, but I'm guessing that Snort would use the default
email client to send an email...
Thank you for your reply, I wish I could get you the script info... I
will continue hunting .....
Andy
-----Original Message-----
From: prabu [mailto:prabu333@hotpop.com]
Sent: Tuesday, September 14, 2004 1:08 AM
To: Andy; snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] E-mail alerting
Hi Andy,
I was busy with my work for the past three days, I didn't even check the
snort list. Just now, I checked my mails, saw ur request. Well, I could not
get into a conclusion what might be the error. Send the line in ur
script (ie, /root/.swatch_script.3238), where the error points out. I think
the mail-id was the problem for the error.
First, R u running snort on the "page555" server or the "tunes" server? What
is the hostname of the machine where u have installed Snort and Swatch?
See, u can send alerts to the user accounts on the machine where u have
installed all those stuffs. So change the email-id in the configuration
file.
This would help U, I hope.
NOTE:
/root/.swatch_script.3238 ---- this is the script that is generated
automatically while running swatch.
Cheers,
Prabu.S
----- Original Message -----
From: Andy
To: prabu ; snort-users@lists.sourceforge.net
Sent: Monday, September 13, 2004 5:34 AM
Subject: RE: [Snort-users] E-mail alerting
Hi Prabu,
Excellent post, it prompted me to check out swatch. I had to install
the CPAN mods and the only thing different was that I had to install
Time-HiRes-1.63 instead of
Time-HiRes-1.59
They all installed ok.
I'm trying to get swatch to read the config file. I followed the
directions, but I'm getting an error:
[root@tunes etc]# swatch --config-file=/etc/swatchrc.txt
Global symbol "@page55" requires explicit package name at
/root/.swatch_script.3238 line 125.
Execution of /root/.swatch_script.3238 aborted due to compilation
errors.
I put the config file in /etc and copied it exactly from below,
except of course I inserted my own email address.
Do you know what this error means?
What is the meaning of the line: /root/.swatch_script.3238 line 125.
(specifically the /root/ part.)
Thanks,
Drew
-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net]On Behalf Of prabu
Sent: Saturday, September 04, 2004 12:30 AM
To: snort-users@lists.sourceforge.net; Carlos M Ospina
Subject: Re: [Snort-users] E-mail alerting
Hello Carlos,
You can use Swatch to get email alerts from Snort.
Installing Swatch is just child's play, very easy. I have given
below the necessary steps to configure Swatch.
Hope this will be useful. If you have any queries, you can write to me.
Prabu.S
##########################################################################
CONFIGURATION STEPS TO SEND SNORT ALERTS AS E-MAIL:
To receive Snort alerts as E-mail, one can follow the following steps:
Swatch is the widely used Open Source tool to enable E-mail alerts in
Snort. Swatch is a utility that monitors system log files, filters out
unwanted data and takes specified actions (i.e., sending email, executing a
script, etc.) based upon what it finds in the log files. So I have used
Swatch to configure snort to send the alerts as E-mail.
NOTE:
Here, it is considered that snort has already been installed on the host
on which this is to be tested.
[a] Swatch installation:
Download the swatch package, from
http://sourceforge.net/project/show...?group_id=68627
To install, simply issue the following commands:
perl Makefile.PL
make
make test
make install
make realclean
Swatch installs just like a CPAN module. If you are not familiar
with this process then you may want to read about it by issuing the command:
man ExtUtils::MakeMaker
Use the perldoc command if your man cannot find the document.
If you see messages like these:
Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.
Then you need to install the CPAN module(s) that it doesn't find,
before you can use swatch.
You can find these modules at http://search.cpan.org/.
One must download the following Perl modules from the site search.cpan.org:
1.Bit-Vector-6.3
2.Date-Calc-5.3
3.DateManip-5.42a
4.File-Tail-0.98
5.Time-HiRes-1.59
6.TimeDate-1.16
To install these Perl modules, one can follow the same steps as said for Swatch.
They are:
perl Makefile.PL
make
make test
make install
make realclean
The Swatch binary will be installed at the /opt/perl/bin/ directory
Then create the swatch configuration file.
cat /etc/swatchrc.txt
==========================================================
# Swatch configuration file
#
#
# swatch -c /etc/swatchrc -t /var/log/snort/alert
#
### Snort Alerts
## Watch for entries containing the word 'Priority' in the snort alert file.
## Display it in green on the screen
## Mail alert to alerts@yourdomain.com with subject of the email
## being "----Snort IDS Alert----"
## Log in file /var/log/IDS-scans
watchfor /Priority/
  echo green_h
  mail addresses=youruseraccount@yourdomain.com,subject=--- Snort IDS Alert ---
  exec echo $0 >> /var/log/IDS-scans
==========================================================
THE FINAL STEPS:
[a] Start Snort in NIDS mode:
#./snort -c /snort/iexpress/snort/etc/snort.conf -l /var/log/snort
[b] Start swatch:
cd /opt/perl/bin
#./swatch --config-file=/etc/swatchrc.txt
[c] Using Outlook Express:
configure the User's POP3 account and you can receive the emails sent by
Swatch for each alert based on the pattern matching the "watchfor"
##########################################################################
Cheers,
Prabu.S
----- Original Message -----
From: Carlos M Ospina
To: snort-users@lists.sourceforge.net
Sent: Friday, September 03, 2004 7:08 PM
Subject: [Snort-users] E-mail alerting
Is there anyway to configure, with acid, automatic alerts by
e-mail? is ther eany manual about that?
Thanks in advance.
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.751 / Virus Database: 502 - Release Date: 9/2/2004
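As an added example (not code from the thread, from swatch or from Snort), the configuration Prabu gives above can be dry-run in Python: the block parses the same swatchrc syntax (watchfor, echo, mail, exec with $0), runs it over constructed Snort alert lines so the mail and the IDS-scans log line can be checked before a mail server is involved, and includes the escaping Jason recommends later in the thread for the "Global symbol @page55" error Andy hit. The ECHO_MODES set, the sample alert lines and the helper names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Echo modes this toy accepts (assumption: plain names only; swatch 3.1.1 in the
# thread rejected "green_h", so check the man page of the version you run).
ECHO_MODES = {"normal", "bold", "underscore", "blink", "inverse", "black", "red",
              "green", "yellow", "blue", "magenta", "cyan", "white"}

# The configuration from the guide with the "comt" typo fixed; placeholder values.
SWATCHRC = """\
# swatch -c /etc/swatchrc -t /var/log/snort/alert
watchfor /Priority/
    echo green
    mail addresses=youruseraccount@yourdomain.com,subject=--- Snort IDS Alert ---
    exec echo $0 >> /var/log/IDS-scans
"""

# Constructed Snort alert lines (fast-alert style, RFC 5737 test addresses).
ALERT_LINES = [
    "09/18-19:45:02.118233 [**] [1:469:3] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 192.0.2.20",
    "09/18-19:45:02.200000 [**] [122:1:0] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 192.0.2.10 -> 192.0.2.20",
    "09/18-19:45:03.000000 a line that does not contain the keyword",
]

@dataclass
class Rule:
    pattern: "re.Pattern[str]"
    actions: List[Tuple[str, str]] = field(default_factory=list)

@dataclass
class Outcome:
    mails: List[Dict[str, str]] = field(default_factory=list)
    commands: List[str] = field(default_factory=list)

def parse_swatchrc(text: str) -> List[Rule]:
    """Parse 'watchfor /regex/' blocks and their action lines. Actions are checked
    here so a bad echo mode fails at load time, not at the first matching alert."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"watchfor\s+/(.+)/", line)
        if m:
            rules.append(Rule(re.compile(m.group(1))))
            continue
        if not rules:
            raise ValueError(f"action before any watchfor: {line!r}")
        name, _, arg = line.partition(" ")
        arg = arg.strip()
        if name not in ("echo", "mail", "exec"):
            raise ValueError(f"unsupported action: {name}")
        if name == "echo" and arg and arg not in ECHO_MODES:
            raise ValueError(f"Invalid attribute name {arg}")
        rules[-1].actions.append((name, arg))
    return rules

def parse_mail_args(arg: str) -> Dict[str, str]:
    """'addresses=a:b,subject=...' -> dict (swatch separates addresses with ':')."""
    opts: Dict[str, str] = {}
    for kv in arg.split(","):
        key, _, value = kv.partition("=")
        opts[key.strip()] = value.strip()
    return opts

def substitute_fields(command: str, line: str) -> str:
    """swatch replaces $0 or $* with the whole matched line and $N with field N."""
    fields = line.split()
    def repl(m: "re.Match[str]") -> str:
        tok = m.group(1)
        if tok in ("0", "*"):
            return line
        return fields[int(tok) - 1] if 0 < int(tok) <= len(fields) else ""
    return re.sub(r"\$(\*|\d+)", repl, command)

def perl_double_quoted(value: str) -> str:
    """Escape a value for a double-quoted Perl string: swatch writes the address into
    its generated script that way, so an unescaped '@' is parsed as an array."""
    return re.sub(r'([\\"$@])', r"\\\1", value)

def process(rules: List[Rule], lines: List[str]) -> Outcome:
    """Run lines through the rules, recording actions instead of executing them."""
    out = Outcome()
    for line in lines:
        for rule in rules:
            if not rule.pattern.search(line):
                continue
            for name, arg in rule.actions:
                # echo only colours the terminal, so there is nothing to record
                if name == "mail":
                    opts = parse_mail_args(arg)
                    out.mails.append({"to": opts.get("addresses", ""),
                                      "subject": opts.get("subject", ""), "body": line})
                elif name == "exec":
                    out.commands.append(substitute_fields(arg, line))
            break  # the generated script does 'next' after a match: first rule wins
    return out
```

The address still has to be escaped as \@ only when it is pasted into the generated Perl script by hand; swatch reads it from swatchrc as data, so the config file itself keeps the plain @.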
| |
|
|
| Jason 2004-09-22, 10:25 pm |
| I think the problem is that you need to escape the @ symbol; Perl is
trying to reference the array page55, which does not exist. You should
make @page55 look like \@page55.
Andy wrote:
> Hi Prabu,
>
> I cannot find this file. Locate does not find any files named
> swatch_script.*
>
> Snort and Swatch are installed on the "tunes.page55.com" server, and the
> mailserver I want alerts to be sent to is another server called "page55.com"
>
> Do I need a mail client running on Tunes? Sendmail is there by default. I'm
> not sure how it works, but I'm guessing that Snort would use the default
> email client to send an email...
>
> Thank you for your reply, I wish I could get you the script info... I will
> continue hunting .....
>
> Andy
>
>
>
> -----Original Message-----
> From: prabu [mailto:prabu333@hotpop.com]
> Sent: Tuesday, September 14, 2004 1:08 AM
> To: Andy; snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] E-mail alerting
>
>
> Hi Andy,
> I was busy with my work for the past three days, I didn't even check
> the snort list. Just now, I checked my mails, saw ur request. Well, I could not get
> into a conclusion what might be the error. Send the line in ur
> script (ie, /root/.swatch_script.3238), where the error points out. I think the
> mail-id was the problem
> for the error.
>
> First, R u running snort on the "page555" server or the "tunes" server. What is the
> hostname of the machine where u have installed Snort and Swatch.
> See, u can send alerts to the user accounts on the machine where u have
> installed all those stuffs. So change the email-id in the configuration
> file.
> This would help U, I hope.
>
> NOTE:
> /root/.swatch_script.3238 ---- this is the script that is generated
> automatically while running swatch.
>
>
>
> Cheers,
> Prabu.S
> ----- Original Message -----
> From: Andy
> To: prabu ; snort-users@lists.sourceforge.net
> Sent: Monday, September 13, 2004 5:34 AM
> Subject: RE: [Snort-users] E-mail alerting
>
>
> Hi Prabu,
>
> Excellent post, it prompted me to check out swatch. I had to install the
> CPAN mods and the only thing different was that I had to install
> Time-HiRes-1.63 instead of
> Time-HiRes-1.59
>
> They all installed ok.
>
> I'm trying to get swatch to read the config file. I followed the
> directions, but I'm getting an error:
>
> [root@tunes etc]# swatch --config-file=/etc/swatchrc.txt
> Global symbol "@page55" requires explicit package name at
> /root/.swatch_script.3238 line 125.
> Execution of /root/.swatch_script.3238 aborted due to compilation
> errors.
>
> I put the config file in /etc and copied it exactly from below, except
> of course I inserted my own email address.
>
> Do you know what this error means?
>
> What is the meaning of the line: /root/.swatch_script.3238 line 125.
> (specifically the /root/ part.)
>
> Thanks,
>
> Drew
> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net
> [mailto:snort-users-admin@lists.sourceforge.net]On Behalf Of prabu
> Sent: Saturday, September 04, 2004 12:30 AM
> To: snort-users@lists.sourceforge.net; Carlos M Ospina
> Subject: Re: [Snort-users] E-mail alerting
>
>
> Hello Carlos,
> You can use Swatch to get e-mail alerts from Snort.
>
> Installing Swatch is just child's play, very easy. I have given
> below the necessary steps to configure Swatch.
> Hope this will be useful. If you have any queries, you can write to
> me.
>
>
> Prabu.S
>
>
>
>
> ############################################################################
> ############################################
>
>
>
> CONFIGURATION STEPS TO SEND SNORT ALERTS AS E-MAIL:
>
>
>
> To receive Snort alerts as E-mail, one can follow the following
> steps:
>
> Swatch is the widely used Open Source tool to enable
> E-mail alerts in Snort. Swatch is a utility that monitors system log files,
> filters out unwanted data and takes specified actions (i.e., sending email,
> executing a script, etc.) based upon what it finds in the log files. So I
> have used Swatch to configure snort to send the alerts as E-mail.
>
> NOTE:
> Here, it is considered that snort has already been installed on the
> host on which this is to be tested.
>
> [a] Swatch installation:
>
> Download the swatch package, from
> http://sourceforge.net/project/show...?group_id=68627
> To install, simply issue the following commands:
>
> perl Makefile.PL
> make
> make test
> make install
> make realclean
>
> Swatch installs just like a CPAN module. If you are not familiar with
> this process then you may want to read about it by issuing the command:
>
> man ExtUtils::MakeMaker
>
> Use the perldoc command if your man cannot find the document.
>
> If you see messages like these:
>
> Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
> Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
> Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
> Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.
>
>
> Then you need to install the CPAN module(s) that it doesn't find,
> before you can use swatch.
> You can find these modules at http://search.cpan.org/.
>
> One must download the following Perl modules from the site search.cpan.org:
>
> 1. Bit-Vector-6.3
> 2. Date-Calc-5.3
> 3. DateManip-5.42a
> 4. File-Tail-0.98
> 5. Time-HiRes-1.59
> 6. TimeDate-1.16
>
> To install these Perl modules, one can follow the same steps as for
> Swatch. They are:
>
> perl Makefile.PL
> make
> make test
> make install
> make realclean
>
> The Swatch binary will be installed in the /opt/perl/bin/ directory.
>
> Then create the Swatch configuration file:
>
> cat /etc/swatchrc.txt
>
> ==========================================================
> # Swatch configuration file
> #
> # Run swatch against the Snort alert file with this config:
> # swatch -c /etc/swatchrc.txt -t /var/log/snort/alert
> #
> ### Snort Alerts
> ## Watch for entries containing the word 'Priority' in the snort alert file.
> ## Display it in green on the screen
> ## Mail alert to alerts@yourdomain.com with subject of the email
> ## being "----Snort IDS Alert----"
> ## Log in file /var/log/IDS-scans
>
> watchfor /Priority/
>     echo green_h
>     mail addresses=youruseraccount@yourdomain.com,subject=--- Snort IDS Alert ---
>     exec echo $0 >> /var/log/IDS-scans
>
> ==========================================================
>
> THE FINAL STEPS:
>
> [a] Start Snort in NIDS mode:
>
> #./snort -c /snort/iexpress/snort/etc/snort.conf -l /var/log/snort
>
> [b] Start swatch:
>
> cd /opt/perl/bin
> #./swatch --config-file=/etc/swatchrc.txt --tail-file=/var/log/snort/alert
>
> [c] Using Outlook Express:
>
> Configure the user's POP3 account and you can receive the e-mails
> sent by Swatch for each alert, based on the pattern
> matching the "watchfor" entry.
>
>
>
>
> ########################################################################
>
>
> Cheers,
> Prabu.S
>
>
>
>
>
> ----- Original Message -----
> From: Carlos M Ospina
> To: snort-users@lists.sourceforge.net
> Sent: Friday, September 03, 2004 7:08 PM
> Subject: [Snort-users] E-mail alerting
>
>
>
> Is there any way to configure, with ACID, automatic alerts by e-mail?
> Is there any manual about that?
>
> Thanks in advance.
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.751 / Virus Database: 502 - Release Date: 9/2/2004
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.760 / Virus Database: 509 - Release Date: 9/10/2004
>
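An added example, not from the post or from swatch itself: a bare `watchfor /Priority/` rule mails every alert line regardless of severity, so a practitioner normally layers filtering on top. This Python sketch parses Snort's single-line alert output (assumes Snort was run with `-A fast`), keeps only alerts at or above a chosen priority, caps the number of mails per signature and source so one scan does not flood the inbox, and builds the message; the sample alert lines and the `snort@localhost` / `alerts@yourdomain.com` addresses are constructed.

```python
import re
from collections import defaultdict
from email.message import EmailMessage

# One line of Snort's single-line ("fast") alert output. [Priority: N] is the
# token the swatch rule 'watchfor /Priority/' keys on; 1 is the most urgent.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r".*?\[Priority: (?P<prio>\d+)\]"
    r".*?(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields

def select_for_mail(lines, max_priority=2, per_source_limit=1):
    """Pick alerts worth an e-mail: priority <= max_priority, and at most
    per_source_limit per (gid, sid, source IP) so a port scan yields one mail."""
    seen = defaultdict(int)
    chosen = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["prio"] > max_priority:
            continue
        key = (alert["gid"], alert["sid"], alert["src"])
        seen[key] += 1
        if seen[key] <= per_source_limit:
            chosen.append(alert)
    return chosen

def build_mail(alert, to_addr, from_addr="snort@localhost"):
    """Build the message swatch's 'mail' action would send (delivery via smtplib
    is left to the caller so this stays testable offline)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = from_addr, to_addr
    msg["Subject"] = "--- Snort IDS Alert --- [%s:%s] %s" % (alert["gid"], alert["sid"], alert["msg"])
    msg.set_content("Priority %d: %s -> %s\n" % (alert["prio"], alert["src"], alert["dst"]))
    return msg

# Constructed sample alert lines (RFC 5737 test addresses), not captured traffic.
SAMPLE_ALERTS = [
    "09/04-00:30:12.123456  [**] [1:1000001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40001 -> 192.0.2.1:22",
    "09/04-00:30:12.223456  [**] [1:1000001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40002 -> 192.0.2.1:23",
    "09/04-00:30:13.000001  [**] [1:1000002:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.11 -> 192.0.2.1",
]
```

With the defaults, the two nmap probes above collapse into a single mail and the priority-3 ping is dropped; raise `max_priority` or `per_source_limit` to see more.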