
Author [Snort-users] E-mail alerting
Andy

2004-09-22, 10:25 pm



-----Original Message-----
From: Andy [mailto:andy@page55.com]
Sent: Sunday, September 19, 2004 10:21 PM
To: Jason; snort-users@list.sourceforge.net
Subject: RE: [Snort-users] E-mail alerting



Well, I've changed swatchrc.txt back to logging to /var/log/IDS-scans, but
not seeing a difference.

started snort: [root@tunes andy]# snort -c /etc/snort/snort.conf -l /var/log/IDS-scans

snort is actively logging.

started swatch: [root@tunes andy]# swatch --config-file=/etc/swatchrc.txt

after emailing the first alert, even if I restart both snort and swatch,
still nothing.

I can only seem to get it to work 1 time if I reboot the box.

any other ideas?

Andy
-----Original Message-----
From: Jason [mailto:security@brvenik.com]
Sent: Sunday, September 19, 2004 9:57 PM
To: Andy
Subject: Re: [Snort-users] E-mail alerting


could this be related to the change you made to the logging path?

Andy wrote:

> Urr.. maybe not. Swatch seems to be working until it gets the first alert.
>
> Upon getting the alert this message comes up:
>
> *** swatch version 3.1.1 (pid:901) started at Sun Sep 19 19:34:12 CDT 2004
>
> sh: /var/log/snort: Is a directory
>
> after this, swatch does not send anymore email alerts. Snort continues to
> log as normal.
>
> Anybody?
>
> Andy
> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net
> [mailto:snort-users-admin@lists.sourceforge.net]On Behalf Of Andy
> Sent: Sunday, September 19, 2004 6:20 PM
> To: snort-users@lists.sourceforge.net
> Subject: RE: [Snort-users] E-mail alerting
>
>
> OK, the mail issue is fixed. I needed to add "tunes.page55.com" to my
> relay_from_host list in the mail servers main config file.
>
> AND Swatch works! Thanks to all who gave their input.
>
> This issue is officially closed!
>
> Andy
> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net
> [mailto:snort-users-admin@lists.sourceforge.net]On Behalf Of Andy
> Sent: Saturday, September 18, 2004 10:36 PM
> To: snort-users@lists.sourceforge.net
> Subject: RE: [Snort-users] E-mail alerting
>
>
> I'm now thinking it may be a Mail problem, because I can't send a test
> message to the mailserver. I know this isn't the place for mail support,
> but just hoping someone would be able to give input either way by looking at
> my mail test:
> ----------------------------------------------------------------------------------
> [andy@tunes andy]$ mail -iInv -s "testing" andy@page55.com
> EOT
> Null message body; hope that's ok
> andy@page55.com... Connecting to mail.page55.com. via esmtp...
> 220 simon.page55.com ESMTP Exim 4.30 Sat, 18 Sep 2004 22:33:36 -0500
> 250-simon.page55.com Hello tunes.page55.com [192.168.1.1]
> 250-SIZE 52428800
> 250-PIPELINING
> 250 HELP
> 250 OK
> 550-Verification failed for <andy@tunes.page55.com>
> 550-Unrouteable address
> 550 Sender verify failed
> 250 Reset OK
> /home/andy/dead.letter... Saved message in /home/andy/dead.letter
> Closing connection to mail.page55.com.
> 221 simon.page55.com closing connection
> ----------------------------------------------------------------------------------
>
> FYI, I've never tried to send emails from this box before...
>
> Thanks,
> Andy
> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net
> [mailto:snort-users-admin@lists.sourceforge.net]On Behalf Of Andy
> Sent: Saturday, September 18, 2004 10:00 PM
> To: snort-users@lists.sourceforge.net
> Subject: RE: [Snort-users] E-mail alerting
>
>
> JUST SOME ADDITIONAL INFORMATION:
> you wrote:
> check snort list. Just now, I checked my mails, saw ur request. Well, I could not get
> into a conclusion, what might be the error. Send the line in ur
> script (ie, /root/.swatch_script.3238), where the error points out. I think, the
> mail-id was the problem
>
>
> this is line 125 that was giving me the error before I removed the
> ADDRESS portion of the mail command:
> ----------------------------------------------------------------------------------
> $swatch_last_flush = $swatch_time_now;
> }
>
> if (/Priority/) {
> &Swatch::Actions::send_email('ADDRESSES' =>
> "andy\@page55.com", 'MESSAGE' => "$_", 'SUBJECT' => "--- Snort IDS
> Alert ---", );
> &Swatch::Actions::exec_command('MESSAGE' => "$_", 'COMMAND' =>
> "echo $0 >> /var/log/snort", );
> next;
> ----------------------------------------------------------------------------------
>
> AND FYI, I DID verify that snort is actively logging .....
>
> thanks,
> Andy
> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net
> [mailto:snort-users-admin@lists.sourceforge.net]On Behalf Of Andy
> Sent: Saturday, September 18, 2004 9:34 PM
> To: snort-users@lists.sourceforge.net
> Subject: RE: [Snort-users] E-mail alerting
>
>
> Ok, I think I'm getting close.
>
>
> In /etc/swatchrc.txt, I removed the ADDRESS part of the mail
> command, and swatch now runs, AND the /root/.swatch_script.1234 file is
> created and I can actually find it.
>
> I get this:
> *** swatch version 3.1.1 (pid:2009) started at Sat Sep 18 19:44:05
> CDT 2004
>
> To test, I did a port scan, and this popped up:
>
> Invalid attribute name green_h at
> /usr/lib/perl5/site_perl/5.6.1/Swatch/Actions.pm line 58
>
> I commented the "echo green_h" line out, and I don't get the
> "Invalid attribute name........" error anymore.
>
> Still not getting email alerts however. Do I need the "echo green_h"? I
> would think not....
>
> Next, I changed the logging path, to /var/log/snort to match snort:
>
> [root@tunes andy]# snort -c /etc/snort/snort.conf -l /var/log/snort
> Running in IDS mode
> Log directory = /var/log/snort
>
> Still not getting email alerts however.
>
> This is my current swatchrc file:
>
> [root@tunes etc]# more swatchrc.txt
> # Swatch configuration file
>
> #
> #
> # swatch -c /etc/swatchrc -t /var/log/snort/alert
> #
> ### Snort Alerts
> ## Watch for entries containing the word 'Priority' in the
> snort alert file.
> ## Display it in green on the screen
> ## Mail alert to alerts@yourdomain.com with subject of the
> email
> ## being "----Snort IDS Alert----"
> ## Log in file /var/log/IDS-scans
>
>
> watchfor /Priority/
> # echo green_h
> mail andy@page55.com ,subject=--- Snort IDS Alert ---
> exec echo $0 >> /var/log/snort
>
> Any ideas, I've got to be sooooo close.....
>
> Thanks,
>
> Andy
> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net
> [mailto:snort-users-admin@lists.sourceforge.net]On Behalf Of Andy
> Sent: Saturday, September 18, 2004 8:01 PM
> To: snort-users@lists.sourceforge.net
> Subject: RE: [Snort-users] E-mail alerting
>
>
> Hi Prabu,
>
> I cannot find this file. Locate does not find any files named
> swatch_script.*
>
> Snort and Swatch are installed on the "tunes.page55.com" server,
> and the mailserver I want alerts to be sent to is another server called
> "page55.com"
>
> Do I need a mail client running on Tunes? Sendmail is there by
> default. I'm not sure how it works, but I'm guessing that Snort would use
> the default email client to send an email...
>
> Thank you for your reply, I wish I could get you the script info...
> I will continue hunting .....
>
> Andy
>
>
>
> -----Original Message-----
> From: prabu [mailto:prabu333@hotpop.com]
> Sent: Tuesday, September 14, 2004 1:08 AM
> To: Andy; snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] E-mail alerting
>
>
> Hi Andy,
> I was busy with my work for past three days, I didn't even
> check snort list. Just now, I checked my mails, saw ur request. Well, I could not
> get into a conclusion, what might be the error. Send the line in ur
> script (ie, /root/.swatch_script.3238), where the error points out. I think, the
> mail-id was the problem
> for the error.
>
> First, R u running snort on "page555" server or "tunes"
> server. What is the hostname of the machine, where u have installed Snort and
> Swatch.
> See, u can send alerts to the useraccounts on the machine, where u
> have installed all those stuffs. So change the email-id in the configuration
> file.
> This would help U, I hope.
>
> NOTE:
> /root/.swatch_script.3238 ----.this is the script that is
> generated automatically,while running swatch.
>
>
>
> Cheers,
> Prabu.S
> ----- Original Message -----
> From: Andy
> To: prabu ; snort-users@lists.sourceforge.net
> Sent: Monday, September 13, 2004 5:34 AM
> Subject: RE: [Snort-users] E-mail alerting
>
>
> Hi Prabu,
>
> Excellent post, it prompted me to check out swatch. I had to
> install the CPAN mods and the only thing different was that I had to install
> Time-HiRes-1.63 instead of Time-HiRes-1.59
>
> They all installed ok.
>
> I'm trying to get swatch to read the config file. I followed
> the directions, but I'm getting an error:
>
> [root@tunes etc]# swatch --config-file=/etc/swatchrc.txt
> Global symbol "@page55" requires explicit package name at
> /root/.swatch_script.3238 line 125.
> Execution of /root/.swatch_script.3238 aborted due to
> compilation errors.
>
> I put the config file in /etc and copied it exactly from
> below, except of course I inserted my own email address.
>
> Do you know what this error means?
>
> What is the meaning of the line: /root/.swatch_script.3238
> line 125. (specifically the /root/ part.)
>
> Thanks,
>
> Drew
> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net
> [mailto:snort-users-admin@lists.sourceforge.net]On Behalf Of prabu
> Sent: Saturday, September 04, 2004 12:30 AM
> To: snort-users@lists.sourceforge.net; Carlos M Ospina
> Subject: Re: [Snort-users] E-mail alerting
>
>
> Hello Carlos,
> You can use Swatch to get emails alerts from
> Snort.
>
> Installing Swatch is just a child's play, very easy. I have
> given below the necessary steps to configure Swatch.
> Hope,this will be useful.If you have,any queries,you can
> write to me.............................
>
>
> Prabu.S
>
>
>
>
>

> ########################################################################
>
>
>
> CONFIGURATION STEPS TO SEND SNORT ALERTS AS E-MAIL:
>
>
>
> To receives Snort alerts as E-mail, one can follow the
> following steps:
>
> Swatch is the widely used open source tool
> to enable E mail alerts in Snort. Swatch is a utility that monitors system
> log files, filters out
> unwanted data and takes specified actions (i.e., sending
> email, executing a script, etc.) based upon what it finds in the log files.
> So I have used
> Swatch to configure snort to send the alerts as E-mail.
>
> NOTE:
> Here, it is considered that snort have been already
> installed on the host, in which this is to be tested.
>
> [a] Swatch installation:
>
> Download the swatch package, from
> http://sourceforge.net/project/show...?group_id=68627
> To install, simply issue the following commands:
>
> perl Makefile.PL
> make
> make test
> make install
> make realclean
>
> Swatch installs just like a CPAN module. If you are not
> familiar with this process then you may want to read about it by issuing the
> command:
>
> man ExtUtils::MakeMaker
>
> Use the perldoc command if your man cannot find the
> document.
>
> If you see messages like these:
>
> Warning: prerequisite Date::Calc 0 not found at (eval 1)
> line 219.
> Warning: prerequisite Date::Parse 0 not found at (eval 1)
> line 219.
> Warning: prerequisite File::Tail 0 not found at (eval 1)
> line 219.
> Warning: prerequisite Time::HiRes 1.12 not found at (eval 1)
> line 219.
>
>
> Then you need to install the CPAN module(s) that it doesn't
> find, before you can use swatch.
> You can find these modules at http://search.cpan.org/.
>
> One must download following PERL modules from the site
> search.cpan.org
>
> 1.Bit-Vector-6.3
> 2.Date-Calc-5.3
> 3.DateManip-5.42a
> 4.File-Tail-0.98
> 5.Time-HiRes-1.59
> 6.TimeDate-1.16
>
> To install these PERL modules, one can follow the same steps
> as said per Swatch,
> They are,
>
> perl Makefile.PL
> make
> make test
> make install
> make realclean
>
> The Swatch binary will be installed at the /opt/perl/bin/
> directory
>
> Then create the swatch configuration file.
>
> cat /etc/swatchrc.txt
>
> ==========================================================
> # Swatch configuration file
>
> #
> #
> # swatch -c /etc/swatchrc -t /var/log/snort/alert
> #
> ### Snort Alerts
> ## Watch for entries containing the word 'Priority'
> in the snort alert file.
> ## Display it in green on the screen
> ## Mail alert to alerts@yourdomain.com with subject
> of the email
> ## being "----Snort IDS Alert----"
> ## Log in file /var/log/IDS-scans
>
>
> watchfor /Priority/
> echo green_h
> mail addresses=youruseraccount@yourdomain.com,subject=--- Snort IDS Alert ---
> exec echo $0 >> /var/log/IDS-scans
>
>
> ============================================================
>
> THE FINAL STEPS:
>
> [a] Start Snort in NIDS mode:
>
> #./snort -c /snort/iexpress/snort/etc/snort.conf -l /var/log/snort
>
> [b] Start swatch:
>
> cd /opt/perl/bin
> #./swatch --config-file=/etc/swatchrc.txt
>
> [c] Using Outlook Express:
>
> configure the User's POP3 account and you can receive the
> emails sent by Swatch for each alert based on the pattern
> matching the "watchfor"
>
>
>
>
>

> ########################################################################
>
>
> Cheers,
> Prabu.S
>
>
>
>
>
> ----- Original Message -----
> From: Carlos M Ospina
> To: snort-users@lists.sourceforge.net
> Sent: Friday, September 03, 2004 7:08 PM
> Subject: [Snort-users] E-mail alerting
>
>
>
> Is there anyway to configure, with acid, automatic alerts
> by e-mail? Is there any manual about that?
>
> Thanks in advance.
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.751 / Virus Database: 502 - Release Date:
> 9/2/2004
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.760 / Virus Database: 509 - Release Date:
> 9/10/2004
>





_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
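The swatchrc quoted in the thread (watchfor /Priority/, a mail action and exec echo $0 >> logfile) expressed as a small Python watcher. This is an added example, not swatch's own code and not code written by anyone in the thread. It parses Snort's one-line alert format on constructed sample lines, appends matches to a log file, builds the alert e-mail with an explicit From address (the sendmail test above failed because the default envelope sender andy@tunes.page55.com was not routable by the relay), and refuses a directory as the log target, which is the mistake behind "sh: /var/log/snort: Is a directory". The sid values, the sender address snort@page55.com and the min_priority filter are assumptions that go beyond the posted rule.

```python
"""Swatch-style watcher for a Snort alert file (added example; not swatch
code and not from any poster in the thread)."""
import os
import re
import tempfile
from email.message import EmailMessage

# Constructed sample lines in Snort's one-line ("fast") alert format.
# sids 1000001/1000002 are in the local-rule range; they are not real Snort rules.
SAMPLE_ALERTS = [
    "09/19-19:34:12.123456  [**] [1:1000001:1] LOCAL TEST port scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "192.168.1.50:34567 -> 192.168.1.1:22",
    "09/19-19:34:13.000001  [**] [1:1000002:1] LOCAL TEST icmp probe [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} "
    "192.168.1.50 -> 192.168.1.1",
    "Snort successfully loaded all rules and checked all rule chains!",
]

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\[Priority: (?P<priority>\d+)\]"
)


def parse_alert(line):
    """Return gid/sid/msg/priority from an alert line, or None if it is not one."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return {"gid": int(m.group("gid")), "sid": int(m.group("sid")),
            "msg": m.group("msg"), "priority": int(m.group("priority"))}


def append_alert(line, logfile):
    """Equivalent of `exec echo $0 >> logfile` without going through a shell.
    A directory target is refused up front: that is what produced the thread's
    "sh: /var/log/snort: Is a directory" and silently dropped the action."""
    if os.path.isdir(logfile):
        raise IsADirectoryError(f"{logfile} is a directory, not a log file")
    with open(logfile, "a", encoding="utf-8") as fh:
        fh.write(line.rstrip("\n") + "\n")


def build_mail(line, to_addr, from_addr, subject="--- Snort IDS Alert ---"):
    """Build the alert e-mail.  From is set explicitly so the relay sees a
    routable sender rather than the default local user@hostname."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(line)
    return msg


def watch(lines, logfile, to_addr, from_addr, min_priority=None):
    """Apply the swatchrc rule to each line and return the e-mails built.
    min_priority is an extension of the posted rule: with min_priority=2 only
    priority 1 and 2 alerts are mailed (larger numbers are lower priority)."""
    mails = []
    for line in lines:
        if "Priority" not in line:                  # watchfor /Priority/
            continue
        alert = parse_alert(line)
        if min_priority is not None and (alert is None or alert["priority"] > min_priority):
            continue
        append_alert(line, logfile)                 # exec echo $0 >> logfile
        mails.append(build_mail(line, to_addr, from_addr))  # mail addresses=...
    return mails


def demo():
    """Run the rule over the sample lines in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        logfile = os.path.join(tmp, "IDS-scans")
        # Sender domain is assumed to be one the page55.com relay accepts.
        mails = watch(SAMPLE_ALERTS, logfile, "andy@page55.com", "snort@page55.com")
        with open(logfile, encoding="utf-8") as fh:
            logged = fh.read().splitlines()
        try:                                        # the thread's directory mistake
            append_alert(SAMPLE_ALERTS[0], tmp)
            dir_rejected = False
        except IsADirectoryError:
            dir_rejected = True
        high_only = watch(SAMPLE_ALERTS, logfile, "andy@page55.com",
                          "snort@page55.com", min_priority=2)
    return {"mailed": len(mails), "logged": logged,
            "subjects": [m["Subject"] for m in mails],
            "dir_rejected": dir_rejected,
            "high_priority_mailed": len(high_only)}


if __name__ == "__main__":
    print(demo())
```

Running the file prints the demo summary: two alerts mailed and logged, the directory target rejected, and only the priority-2 alert mailed once the filter is on. To use it against a live sensor, feed `watch()` the lines from the alert file and hand each returned message to the site's relay.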