Logging to a Pager or Cell Phone
Problem
You want to send your Snort logs to a pager or cell phone.
Solution
First, configure snort.conf to send alerts to syslog by enabling the alert_syslog output plug-in:
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments.  Win32 can also
# optionally specify a particular hostname/port.  Under Win32, the
# default hostname is '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
Snort writes its alerts to syslog tagged with the snort: prefix. Use Swatch again to filter the log messages, and edit ~/.swatchrc so that a page is sent whenever a Snort alert is appended to the syslog (if your syslog daemon records the process ID, the tag appears as snort[1234]: and the pattern should be widened to /snort(\[[0-9]+\])?:/):
watchfor /snort:/
    exec /usr/local/bin/qpage -p Security_Admin '$0'
This sends a page to the number configured for the Security_Admin pager ID. Swatch expands $0 to the entire matching syslog line, so the whole Snort alert becomes the message passed to the qpage command. Next, run Swatch so that it tails the syslog file (here /var/log/messages):
[root@localhost root]# swatch -t /var/log/messages
Lastly, run Snort in NIDS mode with the snort.conf file so that the syslog output plug-in is loaded:
[root@localhost snort-2.2.x]# snort -l /var/log/snort -c ./etc/snort.conf
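The wrapper below is an added example; it is not part of the Snort Cookbook, Swatch, or QuickPage. Instead of pointing the exec line at qpage directly, Swatch calls this script with the matched syslog line as its single argument. The script pages only on alerts whose [Priority: n] field is 1 or 2, accepts both the snort: and snort[pid]: tag forms, strips the syslog header and any control characters, and trims the text to a pager-sized length before invoking qpage. The qpage path, the Security_Admin pager ID, the 200-character limit, the --dry-run switch and the sample syslog lines are assumptions constructed for the example; the alert layout it parses is Snort's standard [gid:sid:rev] msg [Classification: ...] [Priority: n] {proto} src -> dst form.

```shell
#!/bin/sh
# page-snort: added example wrapper between Swatch and qpage (not from the
# Snort Cookbook). Swatch calls it with the matched syslog line as $1.
# Assumed values: the qpage path, the Security_Admin pager ID, the priority
# cut-off and a 200-character pager limit; all can be overridden from the
# environment.
QPAGE="${QPAGE:-/usr/local/bin/qpage}"
PAGER_ID="${PAGER_ID:-Security_Admin}"
MAX_LEN="${MAX_LEN:-200}"
MAX_PRIORITY="${MAX_PRIORITY:-2}"   # page on [Priority: 1] and [Priority: 2] only

# is_snort_line LINE: true when the syslog tag is "snort:" or "snort[pid]:".
is_snort_line() {
    case "$1" in
        *" snort: "*|*" snort["*"]: "*) return 0 ;;
    esac
    return 1
}

# snort_priority LINE: prints the number from the [Priority: n] field, or 99
# when the field is missing, so lines without a priority are never paged.
snort_priority() {
    pri=$(printf '%s\n' "$1" | sed -n 's/.*\[Priority: \([0-9][0-9]*\)].*/\1/p')
    if [ -n "$pri" ]; then printf '%s\n' "$pri"; else printf '99\n'; fi
}

# page_text LINE: drops the "Mon dd hh:mm:ss host snort[pid]: " header,
# deletes control characters (a pager should never receive escape sequences)
# and truncates the remainder to MAX_LEN characters.
page_text() {
    printf '%s\n' "$1" \
        | sed 's/^[^[]*snort\(\[[0-9]*]\)\{0,1\}: //' \
        | tr -d '\000-\011\013-\037\177' \
        | cut -c1-"$MAX_LEN"
}

# should_page LINE: true for a Snort alert at or above the priority cut-off.
should_page() {
    is_snort_line "$1" || return 1
    [ "$(snort_priority "$1")" -le "$MAX_PRIORITY" ]
}

# send_page LINE: hands the cleaned alert to qpage as one argument, so the
# message text is never re-parsed by a shell. Filtered lines are ignored.
send_page() {
    should_page "$1" || return 0
    "$QPAGE" -p "$PAGER_ID" "$(page_text "$1")"
}

# dry_qpage: stand-in for qpage used by --dry-run; prints what would be sent.
dry_qpage() { printf 'would run: qpage %s %s "%s"\n' "$1" "$2" "$3"; }

case "${1:-}" in
    --dry-run)
        # Constructed sample syslog lines, not captured data.
        QPAGE=dry_qpage
        send_page "Jan  1 12:00:00 sensor snort[1234]: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.1"
        send_page "Jan  1 12:00:01 sensor snort[1234]: [1:1419:9] SNMP trap udp [Classification: Attempted Information Leak] [Priority: 3] {UDP} 10.0.0.5:1161 -> 10.0.0.1:162"
        send_page "Jan  1 12:00:02 sensor sshd[999]: Accepted publickey for admin from 10.0.0.9"
        ;;
    "") ;;                 # sourced or run without a line: nothing to do
    *)  send_page "$1" ;;  # normal use: Swatch passes the syslog line
esac
```

Install it as, for instance, /usr/local/bin/page-snort (an assumed path) and change the exec line in ~/.swatchrc to exec /usr/local/bin/page-snort '$0'; running it with --dry-run shows which of the sample lines would be paged without a modem or pager configured. Filtering on priority matters in practice: without it, a port scan or one chatty rule turns the pager into a second copy of the alert log.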
Discussion
The best way to receive Snort alerts on a pager or cell phone is to use a third-party package such as QuickPage. QuickPage is a free, Unix-compatible client/server package that sends messages to an alphanumeric pager. Configure Swatch to monitor the syslog for alerts, and use the exec command in ~/.swatchrc to invoke the paging program. Because every matching line triggers a page, consider filtering on the [Priority: n] field or on specific rule IDs so that a port scan or a chatty rule does not flood the pager.
See Also
Recipe 5.8
http://www.qpage.org/