Generating Real-Time Alerts

Problem

You want to get real-time Snort alerts.

Solution

Use Pig Sentry to monitor Snort output and generate alerts:

[root@localhost root]# tail -f /var/log/snort/alert | perl pigsentry-1.2
[Sun Nov 7 14:40:38 2004] alert: New event: ICMP PING NMAP


Discussion

Pig Sentry is a lightweight Perl script that runs against the Snort alert log. It was written to handle a large volume of alert data in real time. Pig Sentry maintains a state table of recent alerts so it can alert on new events or on changes in the trends or patterns of events it has already seen.

Download the latest version of Pig Sentry from http://web.solv.com/tools/pigsentry/ or http://www.snort.org/dl/contrib/data_analysis/pigsentry/. The following example shows how to run Pig Sentry, assuming you're already running Snort in NIDS mode and logging alerts to /var/log/snort:

[root@localhost root]# tail -f /var/log/snort/alert | perl pigsentry-1.2
[Sun Nov 7 14:40:38 2004] alert: New event: ICMP PING NMAP

Performing an Nmap scan generated the alert shown in this example.
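The state-table idea from the Discussion, as an added example that is not Pig Sentry's own code: a small Python script that reads Snort's full-format alert file from standard input the same way the recipe pipes it (tail -f /var/log/snort/alert | python3 alertwatch.py), reports a signature the first time it appears, and reports a per-signature rate jump between consecutive time windows. The script name, the window and burst thresholds, and the sample records (signature IDs and addresses) are constructed for this illustration; the notification format is only modelled on Pig Sentry's output line shown above.

```python
"""alertwatch.py (constructed example): a Pig-Sentry-style state table over Snort's full alert log.

Usage:  tail -f /var/log/snort/alert | python3 alertwatch.py
"""
import re
import sys
import time

# Header line of a full-format Snort alert record, e.g. "[**] [1:469:3] ICMP PING NMAP [**]"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")


def parse_header(line):
    """Return (gid, sid, rev, msg) for an alert header line, or None for any other line."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


class AlertState:
    """State table of recent alerts, keyed on the signature message."""

    def __init__(self, window=60.0, burst=10, factor=5):
        self.window = window   # length of one rate window in seconds (constructed default)
        self.burst = burst     # events in a window needed before a rate jump is reported
        self.factor = factor   # current-window count must be >= factor * previous-window count
        self.total = {}        # msg -> events seen since start
        self.win_start = {}    # msg -> start time of the current window
        self.win_count = {}    # msg -> events in the current window
        self.prev_count = {}   # msg -> events in the previous window (the baseline)

    def observe(self, msg, now):
        """Record one alert at time `now`; return the notifications it triggers (often none)."""
        notes = []
        if msg not in self.total:
            # First sighting of this signature: the "New event" case.
            self.total[msg] = 0
            self.win_start[msg] = now
            self.win_count[msg] = 0
            self.prev_count[msg] = 0
            notes.append(f"New event: {msg}")
        self.total[msg] += 1

        # Roll the window forward when it has expired. The old count becomes the baseline,
        # unless the signature was idle for two or more windows, in which case the baseline is 0.
        elapsed = now - self.win_start[msg]
        if elapsed >= self.window:
            self.prev_count[msg] = self.win_count[msg] if elapsed < 2 * self.window else 0
            self.win_count[msg] = 0
            self.win_start[msg] = now
        self.win_count[msg] += 1

        # Report a trend change once per window, at the moment the burst threshold is crossed.
        if (self.win_count[msg] == self.burst
                and self.win_count[msg] >= self.factor * self.prev_count[msg]):
            notes.append(f"Rate jump: {msg} ({self.win_count[msg]} in {self.window:.0f}s, "
                         f"previous window {self.prev_count[msg]})")
        return notes


def monitor(lines, state, clock=time.time):
    """Feed raw alert-log lines through the state table; yield time-stamped notification strings."""
    for line in lines:
        parsed = parse_header(line)
        if parsed is None:
            continue  # classification, packet and blank lines add nothing to the state table
        now = clock()
        for note in state.observe(parsed[3], now):
            yield f"[{time.ctime(now)}] alert: {note}"


# Constructed sample records; the SIDs and addresses are illustrative, not from a real sensor.
SAMPLE_LOG = """\
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/07-14:40:38.123456 192.0.2.10 -> 192.0.2.1
ICMP TTL:51 TOS:0x0 ID:12345 IpLen:20 DgmLen:28

[**] [1:1000001:1] LOCAL web probe [**]
[Classification: Web Application Attack] [Priority: 1]
11/07-14:40:40.000000 192.0.2.10:4444 -> 192.0.2.20:80
"""


def demo():
    """Run the sample log plus a burst of 12 more probes through a fresh state table, using a
    fake clock that advances one second per header line; return the notifications (unstamped)."""
    lines = SAMPLE_LOG.splitlines() + ["[**] [1:1000001:1] LOCAL web probe [**]"] * 12
    tick = [0.0]

    def fake_clock():
        tick[0] += 1.0
        return tick[0]

    state = AlertState(window=60.0, burst=10, factor=5)
    return [n.split("] alert: ", 1)[1] for n in monitor(lines, state, fake_clock)]


if __name__ == "__main__":
    for note in monitor(sys.stdin, AlertState()):
        print(note, flush=True)
```

Like Pig Sentry, the script stamps notifications with its own wall-clock time rather than the packet timestamp from the log, so the stamp tells you when the monitor noticed the event; the burst and factor thresholds are the knobs to tune against a sensor's normal alert volume.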

See Also

http://web.solv.com/tools/pigsentry/

Recipe 1.18

Ignoring Some Alerts
