How-To: Email Alerting for the Snort Intrusion Detection System

I wrote this brief how-to while setting up a distributed network intrusion detection system (NIDS) using open source Linux, Snort
and the MySQL database. One of the biggest challenges in using the open source Snort
IDS in a distributed environment is getting reliable email alerting
generated from it’s output. There are several ways to accomplish this
task and most depend on the specifics of the Snort
installation your using.

I prefer to have Snort
log results to a MySQL database either on the local host or remotely
and have my email alerting generated from there. The following tutorial
explains in simple terms how to assemble and implement the tools need
to extract meaningfull Snort
alerts from a MySQL database. Be aware that although I initially put
this together in 2004 using the now defunct “Sentinix Linux” the same
methods should work on a current setup that uses Snort
/MySQL, regardless of Linux flavor, as long as the dependancies are met.

With that in mind, the code is below the break, note that links to specific software and credits are given in the how-to.

#############################################################

# TEXT: SNORTSLINGER Email Alert HOW-TO FOR SENTINIX LINUX #

# WRITTEN BY: black_flag 8-25-04 #

# URL: http://blackflag.wordpress.com #

############################################################

.:PRELUDE:.

-Snortslinger is a Python script written by Ben Nelson (VENOM AT VENOM600.ORG)

It is intended as a form of email alerting for the Snort
IDS, Assuming you have Snort
logging to a MySQL database, Snortslinger (with the MySQLdb plugin)
will pull a 24 hour summary of events from MySQL and email them to the
address you specify.

.:NEEDFUL THINGS:.

-A fully functioning install of Sentinix Linux (or most other *nixs) with Snort
/MySQL available at:
http://sentinix.org or http://distrowatch.org
-The Snortslinger.py script V.1.3 available at:
http://www.venom600.org/code/SnortSlinger
-The MySQLdb module available at:
http://sourceforge.net/projects/mysql-python
-A functioning SMTP server to handle the mail
,
if you have an SMTP server on your domain use it, if not Postfix comes
bundled with Sentinix and you can set that up. I prefer Postfix but any
smtp server will do.

-A cron job scheduled to execute the snortslinger.py script daily or as needed.

.:NOTES:.

-The current release of SENTINIX ver.0.70.5 meets the /lib dependancy

requirements for both Snortslinger and the MySQLdb module.

.:ONWARD:.

.:MySQLdb Module:.

-The installation process is very straight-forward:

-copy the snortslinger.py script and the MySQLdb module to your directory of choice (/home/ will do)

-You can install the MySQLdb module with MySQL running if you like.

-Read the “mysql_plugin_faqs.txt” and take note of the installation command sequence:

$ tar xfz MySQL-python-1.0.0.tar.gz

$ cd MySQL-python-1.0.0

$ export mysqlversion=”4.0.20″

The setup.py will run it’s course and you should be ready to setup snortslinger at this point.

.:Snortslinger:.

-The following edits will have to be made to snortslinger.py (at a minimum) to get Snortslinger working for you.

-Edit the path in snortslinger.py from #!/usr/local/bin/python to #!/usr/bin/python (The path to Python in Sentinix)

-Also, in the “Variables” block of code:

# Variables

MailFrom = ‘SnortSlinger/ ‘

MailHost = ‘localhost’ ‘

MailCritSubject = ‘Snort
Alert !’

OptsShort = ‘hvsgSI:P:u:p:n:d:e:E:c:’

OptsLong = [ 'help', 'version', 'standard-out', 'gpg', 'sign', 'gpg-id=', 'gpg-pass=' /

'user=', 'password=', 'db-name=', 'db-host=', 'email=', 'crit-email=', /

'crit-level=' ]

Version = 1.3

-Edit the target email address in snortslinger.py from “root@localhost” to “you@yourdomain.com”.

#———– parseArgs – START ————————————–

def parseArgs( argv ):

OptList = { /

“help” : 0, /

“version” : 0, /

“stdout” : 0, /

“gpg” : 0, /

“sign” : 0, /

“gpg-id” : “”, /

“gpg-pass” : “”, /

“user” : “root”, /

“password” : “”, /

“dbname” : “snort
”, /

“dbhost” : “127.0.0.1″, /

“email” : “you@yourdomain.com”, /

“crit_email” : “you@yourdomain.com”, /

“crit_level” : int(”100″)

-You should also take note of the Snortslinger command line switches while testing your setup, they are included below:

Available Options:

-h, –help Print this usage statement and exit

-v, –version Print version and exit

-s, –standard-out Do NOT send email, just print output to STDOUT

-g, –gpg GPG sign before sending

-S, –sign GPG sign before sending (must use with -g),

-I, –gpg-id=ID Use ID to sign with (must use with -g)

-P, –gpg-pass=PASS Use PASS for GPG passphrase dialogue (must use with -g)

-u, –user=USER Connect to database with username: USER

[default: root]

-p, –password=PASS Connect to database with password: PASS

[default: ]

-n, –db-name=NAME Connect to database named: NAME

[default: snort
]

-d, –db-host=HOST Connect to database on host: HOST

[default: 127.0.0.1]

-e, –email=ADDR Send report to email address: ADDR

[default: root@localhost]

-E, –crit-email=ADDR Send critical alert message to: ADDR

[default: root@localhost]

-c, –crit-level=NUM If the number of alerts generated in an hour

exceeds NUM, send an alert to the email

address defined by -E/–crit-email

[default: 100]

.:Closing:.

-You should be able to “./snortslinger.py” and send an alert mail
successfully at this point, use a variation of the command line switches above to verify the desired functionality.

.:Acknowledgements:.

-Snortslinger: Ben Nelson, http://www.venom600.org/code/SnortSlinger
-MySQLdb module: Andy Dustman, http://sourceforge.net/projects/mysql-python
-Sentinix: Michel Blomgren, http://Sentinix.org
-This How-To Document: black_flag http://blackflag.wordpress.com
This entry was posted on January 24, 2006 at 9:11 pm and is filed under Code and Scripting
. You can follow any responses to this entry through the RSS 2.0
feed
You can leave a response
, or trackback
from your own site.