How-To: Email Alerting for the Snort Intrusion Detection System

I wrote this brief how-to while setting up a distributed network intrusion detection system (NIDS) using open source Linux, Snort and the MySQL database. One of the biggest challenges in using the open source Snort IDS in a distributed environment is getting reliable email alerting generated from its output. There are several ways to accomplish this, and most depend on the specifics of your Snort installation.

I prefer to have Snort log to a MySQL database, either on the local host or remotely, and to generate my email alerting from there. The following tutorial explains in simple terms how to assemble and implement the tools needed to extract meaningful Snort alerts from a MySQL database. Be aware that although I initially put this together in 2004 using the now-defunct "Sentinix Linux", the same methods should work on a current setup that uses Snort/MySQL, regardless of Linux flavor, as long as the dependencies are met.

With that in mind, the how-to is below the break; links to the specific software and credits are given in it.

#############################################################
# TEXT: SNORTSLINGER Email Alert HOW-TO FOR SENTINIX LINUX #
# WRITTEN BY: black_flag 8-25-04                           #
# URL: http://blackflag.wordpress.com                      #
#############################################################

.:PRELUDE:.
-Snortslinger is a Python script written by Ben Nelson (VENOM AT VENOM600.ORG).
It is intended as a form of email alerting for the Snort IDS. Assuming you have Snort logging to a MySQL database, Snortslinger (with the MySQLdb module) will pull a 24-hour summary of events from MySQL and email it to the address you specify.

.:NEEDFUL THINGS:.
-A fully functioning install of Sentinix Linux (or most other *nix systems) with Snort/MySQL, available at:
http://sentinix.org or http://distrowatch.org
-The Snortslinger.py script V.1.3 available at:

http://www.venom600.org/code/SnortSlinger

-The MySQLdb module available at:

http://sourceforge.net/projects/mysql-python

-A functioning SMTP server to handle the mail. If you have an SMTP server on your domain, use it; if not, Postfix comes bundled with Sentinix and you can set that up. I prefer Postfix, but any SMTP server will do.
-A cron job scheduled to execute the snortslinger.py script daily or as needed.

.:NOTES:.
-The current release of SENTINIX ver.0.70.5 meets the /lib dependency
requirements for both Snortslinger and the MySQLdb module.

.:ONWARD:.

.:MySQLdb Module:.
-The installation process is very straightforward:
-Copy the snortslinger.py script and the MySQLdb module tarball to your directory of choice (/home/ will do).
-You can install the MySQLdb module with MySQL running if you like.
-Read the "mysql_plugin_faqs.txt" and take note of the installation command sequence (the build and install steps run in the same shell so that mysqlversion is still set; the install step needs root):

$ tar xfz MySQL-python-1.0.0.tar.gz
$ cd MySQL-python-1.0.0
$ export mysqlversion="4.0.20"
$ python setup.py build
$ python setup.py install

The setup.py will run its course and you should be ready to set up snortslinger at this point.

.:Snortslinger:.
-The following edits will have to be made to snortslinger.py (at a minimum) to get Snortslinger working for you.
-Edit the shebang line in snortslinger.py from #!/usr/local/bin/python to #!/usr/bin/python (the path to Python on Sentinix).
-Also, in the "Variables" block of code (note the comma after 'gpg-pass=': without it Python joins the two adjacent strings into a single option name 'gpg-pass=user='):

# Variables
MailFrom = 'SnortSlinger/ '          # sender for the From: header; use an address your MTA accepts
MailHost = 'localhost'               # SMTP server the report is handed to
MailCritSubject = 'Snort Alert !'
OptsShort = 'hvsgSI:P:u:p:n:d:e:E:c:'
OptsLong = [ 'help', 'version', 'standard-out', 'gpg', 'sign', 'gpg-id=', 'gpg-pass=',
             'user=', 'password=', 'db-name=', 'db-host=', 'email=', 'crit-email=',
             'crit-level=' ]
Version = 1.3

-Edit the target email address in snortslinger.py from “root@localhost” to “you@yourdomain.com”.

#----------- parseArgs - START ------------------------------------
def parseArgs( argv ):
    # Defaults; the command-line switches below override these.
    OptList = {
        "help"       : 0,
        "version"    : 0,
        "stdout"     : 0,
        "gpg"        : 0,
        "sign"       : 0,
        "gpg-id"     : "",
        "gpg-pass"   : "",
        "user"       : "root",
        "password"   : "",
        "dbname"     : "snort",
        "dbhost"     : "127.0.0.1",
        "email"      : "you@yourdomain.com",
        "crit_email" : "you@yourdomain.com",
        "crit_level" : int("100")
    }
    # The remainder of parseArgs, which fills OptList from argv, is not
    # reproduced in this how-to; only the defaults above need editing.

-You should also take note of Snortslinger's command-line switches while testing your setup; they are listed below:

Available Options:
  -h, --help              Print this usage statement and exit
  -v, --version           Print version and exit
  -s, --standard-out      Do NOT send email, just print output to STDOUT
  -g, --gpg               GPG sign before sending
  -S, --sign              GPG sign before sending (must use with -g)
  -I, --gpg-id=ID         Use ID to sign with (must use with -g)
  -P, --gpg-pass=PASS     Use PASS for GPG passphrase dialogue (must use with -g)
  -u, --user=USER         Connect to database with username: USER
                          [default: root]
  -p, --password=PASS     Connect to database with password: PASS
                          [default: ]
  -n, --db-name=NAME      Connect to database named: NAME
                          [default: snort]
  -d, --db-host=HOST      Connect to database on host: HOST
                          [default: 127.0.0.1]
  -e, --email=ADDR        Send report to email address: ADDR
                          [default: root@localhost]
  -E, --crit-email=ADDR   Send critical alert message to: ADDR
                          [default: root@localhost]
  -c, --crit-level=NUM    If the number of alerts generated in an hour
                          exceeds NUM, send an alert to the email
                          address defined by -E/--crit-email
                          [default: 100]

.:Closing:.
-You should be able to run ./snortslinger.py and send an alert mail successfully at this point; use the command-line switches above (start with -s to print to STDOUT before mailing anything) to verify the desired functionality.
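-To show what the script actually does between the database and the mailer, here is an added example (my own code, not Snortslinger's) that builds the 24-hour summary and applies the -c/--crit-level check. It recreates the relevant part of Snort's MySQL schema (the event, signature and iphdr tables) in an in-memory SQLite database with constructed alert rows so it runs offline; against a real Snort database the same SQL works through MySQLdb with '%s' placeholders instead of '?'. All function names and the sample data are my own.

```python
"""Added example: Snortslinger-style 24h summary + hourly crit-level check.
Snort's event/signature/iphdr tables are rebuilt in SQLite so this runs offline.
All rows below are constructed for the example, not real alerts."""
import sqlite3
import socket
import struct
import smtplib
from collections import Counter
from datetime import datetime, timedelta
from email.message import EmailMessage

# Subset of Snort's create_mysql schema (column names as Snort's output plugin uses them).
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL, sig_priority INTEGER);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                        PRIMARY KEY (sid, cid));
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                        PRIMARY KEY (sid, cid));
"""
SIGNATURES = [(1, "ICMP PING NMAP", 2), (2, "WEB-IIS cmd.exe access", 1)]  # constructed
NOW = datetime(2004, 8, 25, 12, 0, 0)   # fixed "now" so the run is reproducible
EVENTS = [  # constructed alerts from sensor sid=1: (cid, sig_id, timestamp, src, dst)
    (1, 2, "2004-08-24 15:10:00", "10.0.0.5", "192.168.1.10"),
    (2, 2, "2004-08-24 15:12:00", "10.0.0.5", "192.168.1.10"),
    (3, 1, "2004-08-25 03:01:00", "10.0.0.9", "192.168.1.10"),
    (4, 1, "2004-08-25 03:02:00", "10.0.0.9", "192.168.1.11"),
    (5, 1, "2004-08-25 03:03:00", "10.0.0.9", "192.168.1.12"),
    (6, 1, "2004-08-25 03:04:00", "10.0.0.9", "192.168.1.13"),
    (7, 2, "2004-08-23 09:00:00", "10.0.0.7", "192.168.1.10"),  # older than 24h: excluded
]

def ip2int(addr):
    """Snort stores IPv4 addresses as unsigned 32-bit integers (network order)."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]

def int2ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?)", SIGNATURES)
    for cid, sig, ts, src, dst in EVENTS:
        conn.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?)", (cid, ip2int(src), ip2int(dst)))
    conn.commit()
    return conn

def window_events(conn, now=NOW, hours=24):
    """Alerts from the last `hours` hours joined to signature and addresses.
    The window bounds are bound parameters, never interpolated into the SQL."""
    fmt = "%Y-%m-%d %H:%M:%S"
    since = (now - timedelta(hours=hours)).strftime(fmt)
    rows = conn.execute("""
        SELECT e.timestamp, s.sig_name, s.sig_priority, i.ip_src, i.ip_dst
          FROM event e
          JOIN signature s ON s.sig_id = e.signature
          JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
         WHERE e.timestamp >= ? AND e.timestamp <= ?
         ORDER BY e.timestamp""", (since, now.strftime(fmt)))
    return [(ts, name, prio, int2ip(src), int2ip(dst)) for ts, name, prio, src, dst in rows]

def summarize(rows):
    """Per-signature counts, most frequent first: the body of the daily mail."""
    counts = Counter((name, prio) for _, name, prio, _, _ in rows)
    return [(name, prio, n) for (name, prio), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]

def hours_over_threshold(rows, crit_level):
    """Hours whose alert count exceeds crit_level (the -c/--crit-level semantics)."""
    per_hour = Counter(ts[:13] for ts, *_ in rows)      # 'YYYY-MM-DD HH'
    return sorted((h, n) for h, n in per_hour.items() if n > crit_level)

def build_mail(conn, now=NOW, email="root@localhost", crit_email="root@localhost",
               crit_level=100, mail_from="snortslinger@localhost"):
    """Returns (summary message, critical message or None)."""
    rows = window_events(conn, now)
    lines = ["%6d  prio %d  %s" % (n, prio, name) for name, prio, n in summarize(rows)]
    lines += ["", "Events:"] + ["%s  %-24s %s -> %s" % (ts, name, src, dst)
                                for ts, name, _, src, dst in rows]
    summary = EmailMessage()
    summary["From"], summary["To"] = mail_from, email
    summary["Subject"] = "Snort 24h summary: %d alerts" % len(rows)
    summary.set_content("\n".join(lines) + "\n")
    critical = None
    hot = hours_over_threshold(rows, crit_level)
    if hot:
        critical = EmailMessage()
        critical["From"], critical["To"] = mail_from, crit_email
        critical["Subject"] = "Snort Alert !"          # MailCritSubject in snortslinger.py
        critical.set_content("\n".join("%s:00  %d alerts (threshold %d)" % (h, n, crit_level)
                                       for h, n in hot) + "\n")
    return summary, critical

def send(messages, mail_host="localhost"):
    """Hand the messages to the local MTA (Postfix in this how-to)."""
    with smtplib.SMTP(mail_host) as smtp:
        for msg in messages:
            if msg is not None:
                smtp.send_message(msg)

if __name__ == "__main__":
    # Equivalent of -s/--standard-out: print instead of mailing.
    summary, critical = build_mail(build_db(), crit_level=3, email="you@yourdomain.com",
                                   crit_email="you@yourdomain.com")
    print(summary)
    if critical:
        print(critical)
```

Run with no arguments it prints both messages (with crit_level=3 the four NMAP pings in the 03:00 hour trip the critical mail); call send() to hand them to Postfix. Two things to get right before putting this, or Snortslinger, in cron: the defaults connect as MySQL root with an empty password, so create a dedicated user with only SELECT on the snort database for the report; and keep the password out of the command line, because arguments passed with -p are visible to every local user in ps output and sit in plain text in the crontab (with MySQLdb, pass read_default_file="~/.my.cnf" to connect() and keep the file mode 0600 instead).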

.:Acknowledgements:.
-Snortslinger: Ben Nelson, http://www.venom600.org/code/SnortSlinger
-MySQLdb module: Andy Dustman, http://sourceforge.net/projects/mysql-python
-Sentinix: Michel Blomgren, http://Sentinix.org
-This How-To Document: black_flag http://blackflag.wordpress.com


19 Responses to “How-To: Email Alerting for the Snort Intrusion Detection System”

  1. [...] can also find self-rolled script options online. In general, however, it’s best for productivity, usability, and maintainability to [...]


  6. Somebody essentially help to make critically articles I might
    state. This is the first time I frequented your website page and thus far?

    I surprised with the research you made to create this
    actual submit extraordinary. Fantastic activity!

  7. Because the admin of this web page is working, no hesitation very
    quickly it will be famous, due to its quality contents.

  8. Super cute! Clara’s artwork combined with the patterned Washi tape almost makes all the box appear like it’s an
    embellished fabric one! Definitely filing this concept away
    money for hard times :)

  9. I every time used to study article in news papers but now
    as I am a user of web so from now I am using net for posts, thanks
    to web.

  10. Unquestionably consider that that you stated.
    Your favorite reason seemed to be at the web the easiest
    factor to remember of. I say to you, I certainly get irked at the same time as folks consider concerns that they plainly do not realize about.

    You controlled to hit the nail upon the top and also outlined out the entire thing without having side effect
    , other people can take a signal. Will probably be again to get more.
    Thank you

  11. I read this paragraph fully on the topic of the resemblance of most recent and preceding technologies, it’s amazing article.

  12. Do you have any video of that? I’d care to find out
    some additional information.

  13. A feature-rich option to harness creativity and concentration through the Alpha state is Alpha
    – Mind. So fit walking into your schedule wherever you can- during your lunch break, in the morning, or whenever it’s convenient for you.
    For convenience,I just eat the same foods everyday.

  14. Just desire to say your article is as amazing.

    The clearness in your post is simply excellent and i can assume you are an expert on this subject.
    Well with your permission allow me to grab your RSS feed to
    keep up to date with forthcoming post. Thanks a million and please continue
    the rewarding work.

  15. I’m not sure where you’re getting your information, but great
    topic. I needs to spend some time learning much more or understanding more.
    Thanks for fantastic information I was looking for this info for my mission.

  16. In terms of price they will be relatively more expensive than other garments, determined mainly by the material of the jacket; the jacket is the main product of the industry, made up of down and feathers, with the down generally used being high-grade white goose feathers of over 90%, or 90%+ white duck down.

  17. I think you see me, I love this 13econ1211, That’s a nice post. May be u can go this way follow us.

  18. It is smart to actually make contact with a broker ahead of making the
    1st deposit that will put their customer support skills for
    the test. These are just some with the basics of binary options.

    The best brokers will offer different options from these categories.

  19. Are you talking about how to make binary options trading? How will I select the best broker.

    Regards
