Logging to Email

Problem

You want to send your Snort logs to email.

Solution

First, configure snort.conf to log alerts to syslog:

# alert_syslog: log alerts to syslog # ---------------------------------- # Use one or more syslog facilities as arguments. Win32 can also # optionally specify a particular hostname/port. Under Win32, the # default hostname is '127.0.0.1', and the default port is 514. # # [Unix flavours should use this format...] output alert_syslog: LOG_AUTH LOG_ALERT # # [Win32 can use any of these formats...] # output alert_syslog: LOG_AUTH LOG_ALERT # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT

Snort sends alerts to the syslog file with the snort: prefix. Edit /.swatchrc to send an email when a Snort event is added to the syslog:

watchfor /snort:/ mail security@company.com,subject=Snort Alert!

Next, make sure you run Swatch to watch for syslog messages in /var/log/messages (some distributions use /var/log/syslog):

[root@localhost root]# swatch -t /var/log/messages

Lastly, run Snort in NIDS mode to use the snort.conf file to invoke the syslog output plug-in:

[root@localhost snort-2.2.x]# snort -l /var/log/snort -c ./etc/snort.conf

 

Discussion

The easiest way to receive Snort alerts via email is to configure Swatch (available at http://swatch.sourceforge.net/) to monitor syslog and send an email when a Snort event is produced. Swatch is a log-monitoring utility that can filter messages from logfiles to display or log elsewhere. Syslog messages are one line, whereas Snort alert files are multiple lines and often produce a separate email for each line. Swatch uses sendmail, the default mail server on most Unix platforms, to send the email alerts. You must have sendmail configured and running on your syslog system to send emails.

Configuring an outbound-only sendmail server is a simple matter of disabling the port 25/tcp listener. This prevents an internal attack from compromising your syslog server through a sendmail vulnerability.

On Red Hat platforms, simply edit the file /etc/sysconfig/sendmail and change the line DAEMON=yes to DAEMON=no.

On BSD platforms or custom sendmail configurations, use the following command:

sendmail -q 5

This runs sendmail without a daemon listener and pushes out mail in five minute intervals (-q 5). All mail that's located on the machine (your syslog server) will be sent out in five minute intervals without leaving a port open for internal attack.

One point to remember is that if configured incorrectly, logging IDS alerts to email can quickly create a denial of service on your mail server.

See Also

Recipe 1.18

Recipe 5.8

http://swatch.sourceforge.net/

Logging to a Pager or Cell Phone

Категории