Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort and MailReport

    Scheduled Pinned Locked Moved IDS/IPS
    1 Posts 1 Posters 1.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D Offline
      dales
      last edited by

      I'm using the mailreport package to give me a daily snort status update.  Sharing the commands in case others want them or have things to add that I missed.

      After setting up the mail report to run once per day, I added the following commands

      /usr/bin/uptime

/bin/pgrep -l snort

/usr/bin/tail /var/log/snort/*/alert

/usr/bin/sed -n '/^Starting/{h;d;}; H;${x;p;}' /var/log/snort/snort_rules_update.log

      The first command shows the system uptime and load average.  Second prints snort PID (so I know it's still running).  Third command prints any snort alerts that have occurred since the last time I cleared the alert logs.  Final command prints the results of the last rule update.

      Full output looks like this:

      Current report: Daily Report

      Command output: System Uptime (/usr/bin/uptime)
      x:xx AM  up 8 days, 14:38, 1 users, load averages: 0.10, 0.19, 0.17
      Command output: Snort PID (/bin/pgrep -l snort)
      84461 snort
      Command output: Snort Alerts (/usr/bin/tail /var/log/snort/*/alert)

      Command output: Snort Rules Updates (/usr/bin/sed -n '/^Starting/{h;d;}; H;${x;p;}' /var/log/snort/snort_rules_update.log)
      Starting rules update…  Time: 2018-01-10 xx:xx:xx
      Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
      Checking Snort VRT rules md5 file...
      There is a new set of Snort VRT rules posted.
      Downloading file 'snortrules-snapshot-2990.tar.gz'...
      Done downloading rules file.
      Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
      Checking Emerging Threats Open rules md5 file...
      There is a new set of Emerging Threats Open rules posted.
      Downloading file 'emerging.rules.tar.gz'...
      Done downloading rules file.
      Extracting and installing Snort VRT rules...
      Using Snort VRT precompiled SO rules for FreeBSD-10-0 ...
      Installation of Snort VRT rules completed.
      Extracting and installing Emerging Threats Open rules...
      Installation of Emerging Threats Open rules completed.
      Copying new config and map files...
      Updating rules configuration for: LAN ...
      Restarting Snort to activate the new set of rules...
      Snort has restarted with your new set of rules.
      The Rules update has finished.  Time: 2018-01-10 xx:xx:xx

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.