Re: Snort & email
From: Bartosz Krajnik (bartek_at_bmk.bz)
Date: 05/11/05
- Previous message: Marc Heuse: "DIMVA 2005 - Call for Participation - IT-Security Conference in Vienna, 7-8 July"
- In reply to: Dan S Baxter: "Snort & email"
- Next in thread: ctooker_at_ti.parmapatas.net: "Re: Snort & email"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 11 May 2005 09:24:19 +0200 To: Dan S Baxter <Dan.Baxter@ipaper.com>, focus-ids@securityfocus.com
On 04-05-2005 at 10:16:37AM -0500, Dan S Baxter wrote:
>
> I'm setting up a Snort sensor in our environment and I am unable to
> determine how I might get emailed on alerts. I understand some are using
> Swatch, but we are not logging to syslogs but rather to a mysql db. What
> are others doing in this case?
>
> If I can't get it to alert me, it doesn't do me as much good, as I do not
> have the time to watch it 24/7.
>
It's very easy to implement.
Log scans (portscan.log) to a FIFO file (man mkfifo).
Create a process to listen on this FIFO and to send You an e-mail notification
after an incident (I use a FIFO in the authfail daemon: www.bmk.bz/authfail).
So You get e-mail notification in real time.
Best regards,
Bartek.
--
If You want to verify authentication of my e-mail visit: www.keyserver.net to get my public key from there.
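One way to wire up the FIFO approach described above, as an added example that is not code from the original post or from authfail: a watcher that creates the named pipe, blocks on it, and hands every line Snort writes into it to a notifier. The FIFO path, the sample log lines, the mailbox addresses and the SMTP relay on localhost:25 are all assumptions; `demo()` substitutes a constructed writer thread for Snort so the whole thing runs offline.

```python
import os
import smtplib
import tempfile
import threading
from email.message import EmailMessage
def ensure_fifo(path):
    """Create the named pipe if it is missing (what `mkfifo path` does)."""
    if not os.path.exists(path):
        os.mkfifo(path, 0o600)

def build_alert(line, sender="snort@localhost", recipient="oncall@localhost"):
    """Wrap one Snort log line in an e-mail message (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "Snort alert: " + line[:60]
    msg.set_content(line + "\n")
    return msg

def send_via_smtp(msg, host="localhost", port=25):
    """Default notifier: hand the message to a local MTA (assumed relay)."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg)

def watch_fifo(path, notify=send_via_smtp, max_events=None):
    """Call notify() once per non-empty line written into the FIFO."""
    ensure_fifo(path)
    seen = 0
    while max_events is None or seen < max_events:
        with open(path) as fifo:            # blocks until a writer opens the pipe
            for line in fifo:               # EOF when the writer closes; reopened above
                line = line.rstrip("\n")
                if not line:
                    continue
                notify(build_alert(line))
                seen += 1
                if seen == max_events:
                    break
    return seen
def demo():
    """Constructed sample: a writer thread plays the role of Snort."""
    sample = ["10.0.0.5 -> 10.0.0.9 TCP portscan (constructed line)",
              "10.0.0.7 -> 10.0.0.9 UDP portsweep (constructed line)"]
    path = os.path.join(tempfile.mkdtemp(), "portscan.log")
    ensure_fifo(path)                       # before the writer starts, so open() never creates a plain file
    def fake_snort():
        with open(path, "w") as fifo:
            fifo.write("\n".join(sample) + "\n")
    sent = []
    threading.Thread(target=fake_snort, daemon=True).start()
    watch_fifo(path, notify=lambda m: sent.append(str(m["Subject"])), max_events=len(sample))
    return sent
```

A FIFO with no reader blocks the writer at open() and again once the pipe buffer fills, so the watcher must be supervised and restarted or Snort's own logging stalls along with it.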