How-To: Email Alerting for the Snort Intrusion Detection System
2009-07-03 14:21
I wrote this brief how-to while setting up a distributed network intrusion detection system (NIDS) using open source Linux, Snort and the MySQL database. One of the biggest challenges in using the open source Snort IDS in a distributed environment is getting reliable email alerting generated from its output. There are several ways to accomplish this task and most depend on the specifics of the Snort installation you're using.
I prefer to have Snort log results to a MySQL database, either on the local host or remotely, and have my email alerting generated from there. The following tutorial explains in simple terms how to assemble and implement the tools needed to extract meaningful Snort alerts from a MySQL database. Be aware that although I initially put this together in 2004 using the now defunct “Sentinix Linux”, the same methods should work on a current setup that uses Snort/MySQL, regardless of Linux flavor, as long as the dependencies are met.
With that in mind, the code is below the break; note that links to specific software and credits are given in the how-to.
#############################################################
# TEXT: SNORTSLINGER Email Alert HOW-TO FOR SENTINIX LINUX #
# WRITTEN BY: black_flag 8-25-04 #
# URL: http://blackflag.wordpress.com #
############################################################
.:PRELUDE:.
-Snortslinger is a Python script written by Ben Nelson (VENOM AT VENOM600.ORG). It is intended as a form of email alerting for the Snort IDS. Assuming you have Snort logging to a MySQL database, Snortslinger (with the MySQLdb plugin) will pull a 24 hour summary of events from MySQL and email them to the address you specify.
.:NEEDFUL THINGS:.
-A fully functioning install of Sentinix Linux (or most other *nixes) with Snort/MySQL, available at: http://sentinix.org or http://distrowatch.org
-The Snortslinger.py script V.1.3 available at: http://www.venom600.org/code/SnortSlinger
-The MySQLdb module available at: http://sourceforge.net/projects/mysql-python
-A functioning SMTP server to handle the mail; if you have an SMTP server on your domain use it, if not, Postfix comes bundled with Sentinix and you can set that up. I prefer Postfix but any SMTP server will do.
-A cron job scheduled to execute the snortslinger.py script daily or as needed.
.:NOTES:.
-The current release of SENTINIX ver.0.70.5 meets the /lib dependency requirements for both Snortslinger and the MySQLdb module.
.:ONWARD:.
.:MySQLdb Module:.
-The installation process is very straightforward:
-Copy the snortslinger.py script and the MySQLdb module to your directory of choice (/home/ will do).
-You can install the MySQLdb module with MySQL running if you like.
-Read the “mysql_plugin_faqs.txt” and take note of the installation command sequence:
$ tar xfz MySQL-python-1.0.0.tar.gz
$ cd MySQL-python-1.0.0
$ export mysqlversion="4.0.20"
The setup.py will run its course and you should be ready to set up snortslinger at this point.
.:Snortslinger:.
-The following edits will have to be made to snortslinger.py (at a minimum) to get Snortslinger working for you.
-Edit the interpreter path (shebang line) in snortslinger.py from #!/usr/local/bin/python to #!/usr/bin/python (the path to Python in Sentinix).
-Also, in the “Variables” block of code (MailHost is the SMTP server the report is handed to; MailCritSubject is the subject of the critical alert mail):
# Variables
MailFrom = 'SnortSlinger/ '
MailHost = 'localhost'
MailCritSubject = 'Snort Alert !'
OptsShort = 'hvsgSI:P:u:p:n:d:e:E:c:'
OptsLong = [ 'help', 'version', 'standard-out', 'gpg', 'sign', 'gpg-id=', 'gpg-pass=',
             'user=', 'password=', 'db-name=', 'db-host=', 'email=', 'crit-email=',
             'crit-level=' ]
Version = 1.3
-Edit the target email address in snortslinger.py from “root@localhost” to “you@yourdomain.com”; the defaults live in the OptList dictionary at the top of parseArgs:
#----------- parseArgs - START ------------------------------------------
def parseArgs( argv ):
    # Default values for every command line switch; the two address entries
    # are the ones to change so alerts reach you instead of root@localhost.
    OptList = {
        "help"       : 0,
        "version"    : 0,
        "stdout"     : 0,
        "gpg"        : 0,
        "sign"       : 0,
        "gpg-id"     : "",
        "gpg-pass"   : "",
        "user"       : "root",
        "password"   : "",
        "dbname"     : "snort",
        "dbhost"     : "127.0.0.1",
        "email"      : "you@yourdomain.com",
        "crit_email" : "you@yourdomain.com",
        "crit_level" : int("100")
    }
    # ... the rest of parseArgs is unchanged
-You should also take note of the Snortslinger command line switches while testing your setup; they are included below:
Available Options:
-h, --help            Print this usage statement and exit
-v, --version         Print version and exit
-s, --standard-out    Do NOT send email, just print output to STDOUT
-g, --gpg             GPG sign before sending
-S, --sign            GPG sign before sending (must use with -g)
-I, --gpg-id=ID       Use ID to sign with (must use with -g)
-P, --gpg-pass=PASS   Use PASS for GPG passphrase dialogue (must use with -g)
-u, --user=USER       Connect to database with username: USER [default: root]
-p, --password=PASS   Connect to database with password: PASS [default: ]
-n, --db-name=NAME    Connect to database named: NAME [default: snort]
-d, --db-host=HOST    Connect to database on host: HOST [default: 127.0.0.1]
-e, --email=ADDR      Send report to email address: ADDR [default: root@localhost]
-E, --crit-email=ADDR Send critical alert message to: ADDR [default: root@localhost]
-c, --crit-level=NUM  If the number of alerts generated in an hour exceeds NUM, send an alert to the email address defined by -E/--crit-email [default: 100]
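To make the behaviour described in the prelude and by -c/--crit-level concrete, here is an added example written for this edit; it is not Snortslinger's code and not part of the original how-to. It builds the 24 hour per-signature summary for the --email address and, when any single hour exceeds the threshold, a separate "Snort Alert !" message for the --crit-email address, and either prints the mail (the -s/--standard-out behaviour) or hands it to the SMTP server named by MailHost. It assumes the classic Snort database schema (an `event` table with `sid`, `cid`, `signature`, `timestamp` and a `signature` table with `sig_id`, `sig_name`), and so that it runs offline it replaces MySQLdb with an in-memory sqlite3 database filled with constructed sample alerts; the fixed clock, signature names and addresses are all made up for the example.

```python
import sqlite3
import smtplib
from datetime import datetime, timedelta
from email.message import EmailMessage

# Classic Snort database schema reduced to the two tables the report needs
# (assumption: your schema uses these column names). Snortslinger talks to
# MySQL via MySQLdb; this example uses sqlite3 in memory so it runs offline.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
"""
TS = "%Y-%m-%d %H:%M:%S"                      # format stored in event.timestamp
SAMPLE_NOW = datetime(2004, 8, 25, 12, 0, 0)  # constructed fixed clock for the sample


def open_sample_db(now=SAMPLE_NOW):
    """In-memory database filled with constructed sample events around `now`."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?)",
                     [(1, "SAMPLE ICMP sweep"), (2, "SAMPLE web probe")])
    rows, cid = [], 0
    # 150 sweep alerts inside one hour (two hours ago): exceeds a crit-level of 100
    burst = now - timedelta(hours=2)
    for i in range(150):
        cid += 1
        rows.append((1, cid, 1, (burst + timedelta(seconds=10 * i)).strftime(TS)))
    # 5 web probes spread over the day: in the summary, never trip the threshold
    for i in range(5):
        cid += 1
        rows.append((1, cid, 2, (now - timedelta(hours=4 * i + 1)).strftime(TS)))
    # 2 alerts older than 24 hours: must be left out of the report
    for i in range(2):
        cid += 1
        rows.append((1, cid, 2, (now - timedelta(hours=30 + i)).strftime(TS)))
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", rows)
    return conn


def report_window(now):
    """The 24 hour window [since, until) the report covers, as timestamp strings."""
    return (now - timedelta(hours=24)).strftime(TS), now.strftime(TS)


def summarize(conn, since, until):
    """Alert count per signature name inside the window, most frequent first."""
    return conn.execute(
        "SELECT s.sig_name, COUNT(*) AS n FROM event e "
        "JOIN signature s ON s.sig_id = e.signature "
        "WHERE e.timestamp >= ? AND e.timestamp < ? "
        "GROUP BY s.sig_name ORDER BY n DESC, s.sig_name", (since, until)).fetchall()


def hourly_counts(conn, since, until):
    """Alerts per hour keyed 'YYYY-MM-DD HH' (on MySQL use DATE_FORMAT, not strftime)."""
    return dict(conn.execute(
        "SELECT strftime('%Y-%m-%d %H', timestamp) AS hour, COUNT(*) FROM event "
        "WHERE timestamp >= ? AND timestamp < ? GROUP BY hour ORDER BY hour",
        (since, until)).fetchall())


def critical_hours(hourly, crit_level):
    """Hours whose alert count exceeds crit_level: the -c/--crit-level rule."""
    return [h for h, n in sorted(hourly.items()) if n > crit_level]


def build_messages(conn, now, email, crit_email, crit_level, mail_from="SnortSlinger"):
    """Daily summary for `email`, plus a critical message for `crit_email` if needed."""
    since, until = report_window(now)
    summary = summarize(conn, since, until)
    hourly = hourly_counts(conn, since, until)
    lines = ["Snort alert summary %s to %s" % (since, until),
             "Total alerts: %d" % sum(n for _, n in summary), ""]
    lines += ["%6d  %s" % (n, name) for name, n in summary]
    report = EmailMessage()
    report["From"], report["To"], report["Subject"] = mail_from, email, "Snort 24 hour summary"
    report.set_content("\n".join(lines))
    messages = [report]
    bad = critical_hours(hourly, crit_level)
    if bad:
        crit = EmailMessage()
        crit["From"], crit["To"], crit["Subject"] = mail_from, crit_email, "Snort Alert !"
        crit.set_content("\n".join("%s: %d alerts exceed crit-level %d" % (h, hourly[h], crit_level)
                                   for h in bad))
        messages.append(crit)
    return messages


def deliver(messages, mailhost="localhost", standard_out=True):
    """-s/--standard-out prints the mail; otherwise hand it to the SMTP server on mailhost."""
    if standard_out:
        for m in messages:
            print(m)
        return
    with smtplib.SMTP(mailhost) as smtp:
        for m in messages:
            smtp.send_message(m)


if __name__ == "__main__":
    deliver(build_messages(open_sample_db(), SAMPLE_NOW,
                           "you@yourdomain.com", "you@yourdomain.com", 100))
```

Run as-is it prints both messages for the constructed data (the 150-alert hour trips the default threshold of 100); pass standard_out=False to hand them to the SMTP server instead. Against a real Snort database, replace open_sample_db() with a MySQLdb connection and swap the sqlite strftime() for MySQL's DATE_FORMAT(); the query logic is otherwise the same.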
.:Closing:.
-You should be able to run “./snortslinger.py” and send an alert mail successfully at this point; use a variation of the command line switches above to verify the desired functionality.
.:Acknowledgements:.
-Snortslinger: Ben Nelson, http://www.venom600.org/code/SnortSlinger
-MySQLdb module: Andy Dustman, http://sourceforge.net/projects/mysql-python
-Sentinix: Michel Blomgren, http://Sentinix.org
-This How-To Document: black_flag http://blackflag.wordpress.com
This entry was posted on January 24, 2006 at 9:11 pm and is filed under Code and Scripting.