Netgate Discussion Forum
email SNORT events?

IDS/IPS
13 Posts 6 Posters 3.3k Views
  • plandry64
    last edited by Nov 25, 2020, 12:32 AM

    Hi everyone,
    Sorry if this is a noob question, but I have Snort 4.1.2_2 running on my 2.4.5-RELEASE-p1 server.
    I need to send email alerts when SNORT generates a notice.
    What's the easiest way to do this?
    From initial research it looks like I need to send logged events off to a syslog or graylog server and set up notifications there.
    I'm hoping to avoid this. Is there any easier way to email out an event?
    Thanks,
    Paul

    • bmeeks @plandry64
      last edited by bmeeks Nov 25, 2020, 1:53 AM Nov 25, 2020, 1:40 AM

      @plandry64 said in email SNORT events?:

      Hi everyone,
      Sorry if this is a noob question, but I have Snort 4.1.2_2 running on my 2.4.5-RELEASE-p1 server.
      I need to send email alerts when SNORT generates a notice.
      What's the easiest way to do this?
      From initial research it looks like I need to send logged events off to a syslog or graylog server and set up notifications there.
      I'm hoping to avoid this. Is there any easier way to email out an event?
      Thanks,
      Paul

      No, the package does not support emailing of alerts. And a word from the wise to the newb ... be careful what you ask for ... 🙂. You will very quickly tire of getting dozens to hundreds of emails daily from alerts (most of which will be false positives). Exactly what you get would be determined by which rules you enable and what kind of traffic (and false positives) your network generates.

      If you really want to get such notices via email, then you must export the logs to a third party product (and it should be on a separate server, not on the firewall).

      The generally accepted method for such alerting is to use a SIEM product that has artificial intelligence algorithms to process a number of IDS inputs (Snort logs, Event Logs from Windows clients, syslogs from UNIX clients, etc.) and make decisions based on what is collected. Things that rise to the appropriate level then generate the alert for a human to intervene. There are commercial products that do this, but they are very expensive and difficult to configure. ArcSight ESM is one such product. Have a look here: https://www.microfocus.com/en-us/products/siem-security-information-event-management/overview. But be ready and willing to shell out major bucks for that product. Solarwinds also has a similar product that starts at about 1/10th the cost ($2500) of ArcSight. Here is the Solarwinds offering: https://www.solarwinds.com/security-event-manager.

      What most folks do on pfSense is just review the ALERTS tab periodically.

      • NogBadTheBad
        last edited by Nov 25, 2020, 7:54 AM

        If you run this through email reports after midnight it will email you the alerts from the previous day:

        grep ^`date -v-1d +"%D"` /var/log/snort/snort_igb0*/alert ; echo

        You may need to change the igb0* depending on the interface.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • bmeeks @NogBadTheBad
          last edited by Nov 25, 2020, 1:03 PM

          @NogBadTheBad said in email SNORT events?:

          If you run this through email reports after midnight it will email you the alerts from the previous day:

          grep ^`date -v-1d +"%D"` /var/log/snort/snort_igb0*/alert ; echo

          You may need to change the igb0* depending on the interface.

          @NogBadTheBad's suggestion is an excellent one to get a daily summary of alerts. You could even add this to your own cron task on the firewall. There is a cron package you can install to create and manage cron tasks.

          • plandry64 @bmeeks
            last edited by Nov 25, 2020, 5:42 PM

            @bmeeks Thanks for the reply. We are evaluating SIEM products now, but that is a few months away, so I wanted to get a simple email notification going for our SOC-2 Compliance auditor. Something to show we are getting pushed notices as well as manually checking the status board. One of my team is configuring graylog and grafana to push out select email notifications. I was looking for something simpler so he didn't have to pull an all-nighter. :)
            Thanks again.
            Paul

            • plandry64 @NogBadTheBad
              last edited by Nov 25, 2020, 5:46 PM

              @NogBadTheBad Thanks, I will give that a shot along with cron to automate daily notices. That should satisfy my SOC-2 auditor's request until I get a full SIEM solution deployed.

              • AltaSense @NogBadTheBad
                last edited by AltaSense Feb 4, 2021, 4:52 PM Feb 4, 2021, 4:50 PM

                @nogbadthebad Thanks for the solution.

                To summarize for those discovering this thread, you need to install the mailreport package. Then go to Status -> Email Reports to set up a new report and schedule it to run as desired. I needed to tweak the command to work for me:

                grep ^`date -v -1d +"%D"` /var/log/snort/snort_em2*/alert ; echo
                
                • serbus
                  last edited by Feb 4, 2021, 8:52 PM

                  Hello!

                  Another modification for alert summaries is:

                  grep ^`date -v -1d +"%D"` /var/log/snort/snort_igb0*/alert | awk -F, '{a[$5]++;} END{for(i in a) print a[i]" "i}' ; echo
                  

                  which outputs something like:

                  20  "ET DOS DNS Amplification Attack Possible Outbound Windows Non-Recursive Root Hint Reserved Port"
                  506  "(spp_reputation) packets blacklisted"
                  1426  "ET DOS DNS Amplification Attack Inbound"
                  1  "ET WEB_SERVER WGET Command Specifying Output in HTTP Headers"
                  2  "ET DOS Possible SSDP Amplification Scan in Progress"
                  13  "(spp_sip) Content length mismatch"
                  

                  John

                  Lex parsimoniae

                  • AltaSense @serbus
                    last edited by Feb 5, 2021, 10:26 PM

                    @serbus - fantastic modification. This summary is way more useful than just the log output.

                    • NogBadTheBad @AltaSense
                      last edited by NogBadTheBad Feb 9, 2021, 8:24 AM Feb 9, 2021, 8:23 AM

                      @altasense

                      A follow-on from @serbus's neat addition: tack on sed 's/"//g' | sort -r to remove the " characters and reverse-sort the output.

                      grep ^`date -v-1d +"%D"` /var/log/snort/snort_igb0*/alert | awk -F, '{a[$5]++;} END {for(i in a) print a[i]" "i}' | sed 's/"//g' | sort -r ; echo
                      
                      3 ET POLICY DNS Update From External net
                      1 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 100
                      1 ET TOR Known Tor Exit Node TCP Traffic group 100
                      1 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
                      1 (spp_sip) Content length mismatch
                      

                      Andy

                      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                      • mikekoke @NogBadTheBad
                        last edited by Feb 15, 2021, 5:38 PM

                        @nogbadthebad
                        Excuse the question, but I would like to do the same thing with Suricata, I tried to modify the code but it doesn't work.
                        Can you tell me how I can make it work with suricata?
                        Thank you.

                        • NogBadTheBad @mikekoke
                          last edited by Feb 15, 2021, 6:50 PM

                          Sorry, no idea about Suricata as I don't run it.

                          Andy

                          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                          • serbus @mikekoke
                            last edited by Feb 15, 2021, 10:22 PM

                            @mikekoke

                            Hello!

                            I am not a suricata user, but looking at the default log format from a test install, the following might be a crude starting point...

                            grep ^`date -v-1d +"%m/%d/%Y"` /var/log/suricata/suricata_igb0*/alerts.log | awk -F "\\[\\*\\*\\]" '{a[$2]++;} END {for(i in a) print a[i]" "i}' | sed 's/"//g' | sort -r ; echo
                            

                            The delimiters are not great, so there is some noise in the report.
                            This has not been tested.

                            John

                            Lex parsimoniae

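As an added example (not code from this thread), here is a POSIX shell version of the daily per-signature summary from @serbus's and @NogBadTheBad's posts, extended to the Suricata fast.log layout asked about in the last replies, run on constructed sample lines. It assumes the pfSense Snort alert CSV carries the message in the first double-quoted field (the thread's $5) and the standard Suricata fast.log line layout.

```shell
#!/bin/sh
# Added example (not from the thread): daily per-signature alert counts for
# the pfSense Snort package alert log and a Suricata fast.log. In real use the
# printf below is replaced by the log file(s) and the day argument by the
# thread's BSD date call: "$(date -v-1d +%D)" for Snort (mm/dd/yy) and
# "$(date -v-1d +%m/%d/%Y)" for Suricata (mm/dd/yyyy).

# Snort: the message is the first double-quoted CSV field. A regex keeps a
# message that itself contains a comma intact, unlike awk -F, '$5'.
snort_summary() {          # $1 = day prefix as written in the log; stdin = log
    grep "^$1" | awk '
        match($0, /"[^"]*"/) { n[substr($0, RSTART + 1, RLENGTH - 2)]++ }
        END { for (m in n) print n[m] " " m }' | sort -rn
}

# Suricata fast.log: "<ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..."
suricata_summary() {       # $1 = day prefix; stdin = fast.log lines
    grep "^$1" | awk '
        {
            i = index($0, "[**] "); if (i == 0) next
            rest = substr($0, i + 5)            # "[gid:sid:rev] msg [**] ..."
            j = index(rest, " [**]"); if (j == 0) next
            msg = substr(rest, 1, j - 1)
            sub(/^\[[^]]*\] /, "", msg)         # drop the [gid:sid:rev] tag
            n[msg]++
        }
        END { for (m in n) print n[m] " " m }' | sort -rn
}

# Constructed sample lines, not real alerts; the 11/23 lines show the day filter.
SNORT_SAMPLE='11/23/20-23:59:58.000001 ,1,2000001,1,"ET DOS DNS Amplification Attack Inbound",UDP,198.51.100.7,53,192.0.2.10,53,0,Attempted Denial of Service,2
11/24/20-03:12:01.000001 ,1,2000001,1,"ET DOS DNS Amplification Attack Inbound",UDP,198.51.100.7,53,192.0.2.10,53,0,Attempted Denial of Service,2
11/24/20-03:12:02.000001 ,1,2000001,1,"ET DOS DNS Amplification Attack Inbound",UDP,198.51.100.8,53,192.0.2.10,53,0,Attempted Denial of Service,2
11/24/20-03:12:03.000001 ,1,2000001,1,"ET DOS DNS Amplification Attack Inbound",UDP,198.51.100.9,53,192.0.2.10,53,0,Attempted Denial of Service,2
11/24/20-09:00:00.000001 ,1,2100001,3,"ET POLICY Example Signature, With Comma In Msg",TCP,192.0.2.20,44321,203.0.113.5,443,0,Potential Corporate Privacy Violation,1
11/24/20-09:00:05.000001 ,1,2100001,3,"ET POLICY Example Signature, With Comma In Msg",TCP,192.0.2.20,44322,203.0.113.5,443,0,Potential Corporate Privacy Violation,1
11/24/20-17:45:10.000001 ,136,1,1,"(spp_reputation) packets blacklisted",TCP,198.51.100.50,1234,192.0.2.10,22,0,,0'
SURICATA_SAMPLE='11/23/2020-23:59:59.000001  [**] [1:2000001:1] ET DOS DNS Amplification Attack Inbound [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 198.51.100.7:53 -> 192.0.2.10:53
11/24/2020-03:12:01.000001  [**] [1:2000001:1] ET DOS DNS Amplification Attack Inbound [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 198.51.100.7:53 -> 192.0.2.10:53
11/24/2020-03:12:02.000001  [**] [1:2000001:1] ET DOS DNS Amplification Attack Inbound [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 198.51.100.8:53 -> 192.0.2.10:53
11/24/2020-09:00:00.000001  [**] [1:2100001:3] ET POLICY Example Signature, With Comma In Msg [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.20:44321 -> 203.0.113.5:443'

snort_sample_report()    { printf '%s\n' "$SNORT_SAMPLE"    | snort_summary    11/24/20; }
suricata_sample_report() { printf '%s\n' "$SURICATA_SAMPLE" | suricata_summary 11/24/2020; }

snort_sample_report; echo; suricata_sample_report
```

Pulling the message out with a regex stops a signature whose text contains a comma from being split by -F,, and sort -rn orders the counts numerically, so 506 lands above 20 instead of being sorted as text.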
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.