How-To: Email Alerting for the Snort Intrusion Detection System
I wrote this brief how-to while setting up a distributed network intrusion detection system (NIDS) using open source Linux, Snort and the MySQL database. One of the biggest challenges in using the open source Snort IDS in a distributed environment is getting reliable email alerting generated from its output. There are several ways to accomplish this task, and most depend on the specifics of the Snort installation you're using.
I prefer to have Snort log to a MySQL database, either on the local host or remotely, and to generate my email alerting from there. The following tutorial explains in simple terms how to assemble and implement the tools needed to extract meaningful Snort alerts from a MySQL database. Be aware that although I initially put this together in 2004 using the now defunct "Sentinix Linux", the same methods should work on a current Snort/MySQL setup regardless of Linux flavor, as long as the dependencies are met.
With that in mind, the how-to follows below the break; links to the specific software and credits are given in the how-to itself.
#############################################################
# TEXT: SNORTSLINGER Email Alert HOW-TO FOR SENTINIX LINUX #
# WRITTEN BY: black_flag 8-25-04 #
# URL: http://blackflag.wordpress.com #
#############################################################
.:PRELUDE:.
-Snortslinger is a Python script written by Ben Nelson (VENOM AT VENOM600.ORG)
It is intended as a form of email alerting for the Snort IDS. Assuming you have Snort logging to a MySQL database, Snortslinger (with the MySQLdb module) will pull a 24-hour summary of events from MySQL and email it to the address you specify.
.:NEEDFUL THINGS:.
-A fully functioning install of Sentinix Linux (or most other *nixes) with Snort/MySQL, available at:
http://sentinix.org or http://distrowatch.org
-The Snortslinger.py script V.1.3 available at:
http://www.venom600.org/code/SnortSlinger
-The MySQLdb module available at:
http://sourceforge.net/projects/mysql-python
-A functioning SMTP server to handle the mail. If you have an SMTP server on your domain, use it; if not, Postfix comes bundled with Sentinix and you can set that up. I prefer Postfix, but any SMTP server will do.
-A cron job scheduled to execute the snortslinger.py script daily or as needed. Note that the database credentials are passed on the command line (-u/-p), so anyone on the host who can read the process list can see them; give Snortslinger its own MySQL account with SELECT-only rights on the snort database rather than running it as root.
.:NOTES:.
-The current release of SENTINIX ver. 0.70.5 meets the /lib dependency requirements for both Snortslinger and the MySQLdb module.
.:ONWARD:.
.:MySQLdb Module:.
-The installation process is very straightforward:
-Copy the snortslinger.py script and the MySQLdb module to your directory of choice (/home/ will do).
-You can install the MySQLdb module with MySQL running if you like.
-Read the "mysql_plugin_faqs.txt" and take note of the installation command sequence (mysqlversion should match the MySQL client library installed on the host; the last two lines are the standard distutils build and install steps, the install run as root):
$ tar xfz MySQL-python-1.0.0.tar.gz
$ cd MySQL-python-1.0.0
$ export mysqlversion="4.0.20"
$ python setup.py build
$ python setup.py install
The setup.py will run its course and you should be ready to set up Snortslinger at this point.
.:Snortslinger:.
-The following edits will have to be made to snortslinger.py (at a minimum) to get Snortslinger working for you.
-Edit the interpreter path in snortslinger.py from #!/usr/local/bin/python to #!/usr/bin/python (the path to Python in Sentinix).
-Also, in the "Variables" block of code (note the comma after 'gpg-pass='; without it the next two long options are glued together and --user is never recognised):
# Variables
MailFrom = 'SnortSlinger'
MailHost = 'localhost'
MailCritSubject = 'Snort Alert !'
OptsShort = 'hvsgSI:P:u:p:n:d:e:E:c:'
OptsLong = [ 'help', 'version', 'standard-out', 'gpg', 'sign', 'gpg-id=', 'gpg-pass=', \
             'user=', 'password=', 'db-name=', 'db-host=', 'email=', 'crit-email=', \
             'crit-level=' ]
Version = 1.3
-Edit the target email address in snortslinger.py from "root@localhost" to "you@yourdomain.com" (the defaults below already show the edited value):
#----------- parseArgs - START --------------------------------------
def parseArgs( argv ):
    # Defaults for every switch; command line options override these.
    OptList = { \
        "help" : 0, \
        "version" : 0, \
        "stdout" : 0, \
        "gpg" : 0, \
        "sign" : 0, \
        "gpg-id" : "", \
        "gpg-pass" : "", \
        "user" : "root", \
        "password" : "", \
        "dbname" : "snort", \
        "dbhost" : "127.0.0.1", \
        "email" : "you@yourdomain.com", \
        "crit_email" : "you@yourdomain.com", \
        "crit_level" : int("100") \
    }
-You should also take note of the Snortslinger command line switches while testing your setup; they are included below:
Available Options:
-h, --help              Print this usage statement and exit
-v, --version           Print version and exit
-s, --standard-out      Do NOT send email, just print output to STDOUT
-g, --gpg               GPG sign before sending
-S, --sign              GPG sign before sending (must use with -g)
-I, --gpg-id=ID         Use ID to sign with (must use with -g)
-P, --gpg-pass=PASS     Use PASS for GPG passphrase dialogue (must use with -g)
-u, --user=USER         Connect to database with username: USER
                        [default: root]
-p, --password=PASS     Connect to database with password: PASS
                        [default: ]
-n, --db-name=NAME      Connect to database named: NAME
                        [default: snort]
-d, --db-host=HOST      Connect to database on host: HOST
                        [default: 127.0.0.1]
-e, --email=ADDR        Send report to email address: ADDR
                        [default: root@localhost]
-E, --crit-email=ADDR   Send critical alert message to: ADDR
                        [default: root@localhost]
-c, --crit-level=NUM    If the number of alerts generated in an hour
                        exceeds NUM, send an alert to the email
                        address defined by -E/--crit-email
                        [default: 100]
.:Closing:.
-You should be able to run "./snortslinger.py" and send an alert mail successfully at this point. Use the command line switches above to verify the desired functionality; running with -s first prints the report to STDOUT without mailing anything, which is the quickest way to check the database connection and the query before involving the SMTP server.
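As an added illustration, not part of the original how-to or of Ben Nelson's Snortslinger, the following Python script does in miniature what Snortslinger does: it queries the classic Snort database tables (event, signature, iphdr) for the last 24 hours of alerts, builds a summary mail, and prepares a separate critical mail when any single clock hour exceeds a threshold, the same rule the -c/--crit-level switch describes. It runs offline against an in-memory sqlite3 database loaded with constructed sample rows; against a real Snort MySQL database you would replace build_sample_db() with a MySQLdb connection and change the ? placeholders to %s. The function names, the fixed "now", and the sample addresses (RFC 5737 documentation ranges) are all assumptions made for the example.

```python
import sqlite3
import smtplib
import socket
import struct
from collections import Counter
from datetime import datetime, timedelta
from email.message import EmailMessage

# Snort's classic database schema (event, signature, iphdr) stores IPv4
# addresses as unsigned 32-bit integers; these helpers convert both ways.
def int_to_ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))

def ip_to_int(addr):
    return struct.unpack("!I", socket.inet_aton(addr))[0]

# Fixed "now" (an assumption) so the constructed data and the report are deterministic.
NOW = datetime(2004, 8, 25, 12, 0, 0)

# Only the columns the report needs; the real Snort schema has many more.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER);
"""

def build_sample_db():
    """Constructed sample data, not real captures: a five-alert burst two hours ago,
    two pings about 20 hours ago, and one ping 30 hours ago (outside the window)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO signature VALUES (?, ?, ?)",
                   [(1, "ICMP PING NMAP", 2), (2, "WEB-IIS cmd.exe access", 1)])
    events = [(2, NOW - timedelta(hours=2) + timedelta(minutes=m),
               "192.0.2.10", "198.51.100.5") for m in range(5)]
    events += [(1, NOW - timedelta(hours=20), "192.0.2.77", "198.51.100.5"),
               (1, NOW - timedelta(hours=20, minutes=30), "192.0.2.78", "198.51.100.5"),
               (1, NOW - timedelta(hours=30), "192.0.2.99", "198.51.100.5")]
    for cid, (sig, ts, src, dst) in enumerate(events, start=1):
        db.execute("INSERT INTO event VALUES (1, ?, ?, ?)",
                   (cid, sig, ts.strftime("%Y-%m-%d %H:%M:%S")))
        db.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?)",
                   (cid, ip_to_int(src), ip_to_int(dst)))
    return db

# The cutoff is bound as a parameter rather than computed with a DB-specific
# date function, so the same SQL runs on MySQL (MySQLdb's placeholder is %s).
QUERY = """
SELECT e.timestamp, s.sig_name, s.sig_priority, i.ip_src, i.ip_dst
  FROM event e
  JOIN signature s ON s.sig_id = e.signature
  JOIN iphdr i     ON i.sid = e.sid AND i.cid = e.cid
 WHERE e.timestamp >= ?
 ORDER BY e.timestamp
"""

def fetch_alerts(db, since):
    """Return [(timestamp, sig_name, priority, src, dst)] for events at or after since."""
    rows = db.execute(QUERY, (since.strftime("%Y-%m-%d %H:%M:%S"),)).fetchall()
    return [(ts, name, prio, int_to_ip(src), int_to_ip(dst))
            for ts, name, prio, src, dst in rows]

def alerts_per_hour(alerts):
    """Count alerts per clock hour ('YYYY-MM-DD HH'), the unit -c/--crit-level uses."""
    return Counter(ts[:13] for ts, *_ in alerts)

def build_report(alerts, since, crit_level, mail_from, mail_to, crit_to):
    """Return (summary message, critical message or None)."""
    by_sig = Counter(name for _, name, *_ in alerts)
    lines = ["Snort alerts since %s: %d" % (since, len(alerts)), ""]
    lines += ["%5d  %s" % (n, name) for name, n in by_sig.most_common()]
    lines += ["", "Most recent events:"]
    lines += ["%s  p%d  %s -> %s  %s" % (ts, prio, src, dst, name)
              for ts, name, prio, src, dst in alerts[-5:]]
    summary = EmailMessage()
    summary["From"], summary["To"], summary["Subject"] = mail_from, mail_to, "Snort 24h summary"
    summary.set_content("\n".join(lines))
    # Critical alert: fire only when the busiest hour exceeds crit_level.
    peak_hour, peak = max(alerts_per_hour(alerts).items(),
                          key=lambda kv: kv[1], default=(None, 0))
    crit = None
    if peak > crit_level:
        crit = EmailMessage()
        crit["From"], crit["To"], crit["Subject"] = mail_from, crit_to, "Snort Alert !"
        crit.set_content("%d alerts in hour %s exceed the threshold of %d"
                         % (peak, peak_hour, crit_level))
    return summary, crit

def send(msg, mail_host="localhost"):
    """Hand a message to the local MTA (Postfix in the how-to); not called at import."""
    with smtplib.SMTP(mail_host) as smtp:
        smtp.send_message(msg)

def run(crit_level=100, hours=24):
    """Whole pipeline against the sample database; returns (alerts, summary, crit)."""
    since = NOW - timedelta(hours=hours)
    alerts = fetch_alerts(build_sample_db(), since)
    summary, crit = build_report(alerts, since, crit_level, "snortslinger@localhost",
                                 "you@yourdomain.com", "you@yourdomain.com")
    return alerts, summary, crit

if __name__ == "__main__":
    alerts, summary, crit = run(crit_level=3)
    print(summary)           # the -s/--standard-out behaviour: report to STDOUT, no mail
    if crit:
        print(crit)
```

Running the block prints the 24-hour summary (seven in-window alerts, the 30-hour-old ping excluded) and, because five alerts land in the 10:00 hour against a threshold of 3, the critical message as well; with the default threshold of 100 only the summary is produced. Passing the messages to send() hands them to the local MTA exactly as the how-to's Postfix setup expects.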
.:Acknowledgements:.
-Snortslinger: Ben Nelson, http://www.venom600.org/code/SnortSlinger
-MySQLdb module: Andy Dustman, http://sourceforge.net/projects/mysql-python
-Sentinix: Michel Blomgren, http://Sentinix.org
-This How-To Document: black_flag http://blackflag.wordpress.com