Relaying Snort alerts to my mail server

  • Can somebody help? How do I configure Snort alerts to be sent automatically to my email?

    This is not supported with Snort. There is no capability for that within the Snort binary.

    The proper way to do this is to export Snort logs to a third-party log analysis and management system such as an ELK stack. Email alerts would be generated from that third-party log server.

    And one more piece of advice. This is something every newly minted IDS/IPS admin thinks they want until they have it. Then they realize that getting potentially hundreds of emails a day from Snort alerts generated by normal "Internet noise" on an interface like the WAN is not as useful as it at first appeared. It becomes synonymous with "the boy who cried wolf" because you get so much stuff that the important thing is buried in the unimportant, and you no longer really scrutinize the data.

    This is where tools such as a SIEM come into play and really shine. The more sophisticated ones have some level of artificial intelligence that analyzes alerts and patterns of related alerts to decide when something is worth reporting up the chain, and when it is not that big of a deal and can just be logged. ArcSight calls these "Use Cases", and they allow you to configure various sets of conditions that, when true, trigger an upstream alert that beckons a human analyst to have a look.

  • I use the following:

    Runs at midnight and does a grep from the logs for anything with yesterday's date.

    It's a bit of a kludge but it works.
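The script itself is not shown in the thread. As an added example (my own code, not the poster's), here is a Python version of the same idea: read Snort's "fast" alert output, keep only the lines stamped with a given day, collapse them into one count per signature, and build the digest mail. Collapsing by signature and applying a priority threshold is what keeps the noisy-rule problem from the first reply in check. Assumptions: the fast format shown (MM/DD-HH:MM:SS with no year), and a daily run shortly after midnight that asks for yesterday's date; the log lines, local-range SIDs, rule messages and addresses are all constructed for this example, and the mail is built but not sent.

```python
import re
from collections import Counter
from datetime import date, timedelta
from email.message import EmailMessage

# Constructed sample of Snort fast-format alerts (no year in the timestamp).
# SIDs in the 1000000+ local range, messages and addresses are made up.
SAMPLE_ALERTS = """\
03/14-23:59:58.100000  [**] [1:1000001:1] LOCAL SCAN inbound port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44321 -> 192.0.2.10:22
03/15-00:01:12.200000  [**] [1:1000001:1] LOCAL SCAN inbound port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44322 -> 192.0.2.10:23
03/15-00:01:13.300000  [**] [1:1000001:1] LOCAL SCAN inbound port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44323 -> 192.0.2.10:25
03/15-09:30:00.400000  [**] [1:1000002:1] LOCAL POLICY cleartext admin login [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51300 -> 203.0.113.5:23
03/15-10:15:45.500000  [**] [1:1000003:1] LOCAL MALWARE beacon to known C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.0.2.10:5353 -> 203.0.113.9:53
03/16-00:00:01.600000  [**] [1:1000001:1] LOCAL SCAN inbound port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44400 -> 192.0.2.10:80
this line is not an alert and is skipped by the parser
"""

# One fast-format line: timestamp, [gid:sid:rev], message, optional classification
# and priority, protocol, source -> destination.
FAST_RE = re.compile(
    r"^(?P<mon>\d{2})/(?P<day>\d{2})-(?P<time>[\d:.]+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_fast_line(line):
    """Parse one fast-format alert line; return a dict, or None for non-alert lines."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "mmdd": f"{d['mon']}/{d['day']}", "time": d["time"],
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "classification": d["cls"] or "",
        "priority": int(d["prio"]) if d["prio"] else None,
        "proto": d["proto"], "src": d["src"], "dst": d["dst"],
    }


def _as_date(day):
    """Accept a date or an ISO string such as '2024-03-15'."""
    return date.fromisoformat(day) if isinstance(day, str) else day


def alerts_for_day(log_text, day):
    """Keep the alerts whose MM/DD stamp matches `day` (the grep-for-yesterday step)."""
    stamp = _as_date(day).strftime("%m/%d")
    return [a for a in map(parse_fast_line, log_text.splitlines()) if a and a["mmdd"] == stamp]


def summarize(alerts):
    """Collapse alerts to a count per signature, so a noisy rule is one line, not hundreds."""
    return Counter((a["gid"], a["sid"], a["priority"], a["msg"]) for a in alerts)


def build_digest(log_text, day, sender, recipient, max_priority=3):
    """Build the digest as an EmailMessage. Snort priority 1 is most severe, so only
    signatures with priority <= max_priority are listed; the totals still cover everything."""
    day = _as_date(day)
    alerts = alerts_for_day(log_text, day)
    summary = summarize(alerts)
    rows = []
    # Most severe first, then most frequent first.
    for (gid, sid, prio, msg), n in sorted(summary.items(), key=lambda kv: (kv[0][2] or 99, -kv[1])):
        if prio is not None and prio > max_priority:
            continue
        rows.append(f"{n:6d}  [{gid}:{sid}] prio={prio}  {msg}")
    body = (f"Snort alerts for {day.isoformat()}: {len(alerts)} total, "
            f"{len(summary)} distinct signatures\n\n" + "\n".join(rows) + "\n")
    mail = EmailMessage()
    mail["Subject"] = f"Snort daily digest {day.isoformat()} ({len(alerts)} alerts)"
    mail["From"] = sender
    mail["To"] = recipient
    mail.set_content(body)
    return mail


if __name__ == "__main__":
    # From cron just after midnight you would pass date.today() - timedelta(days=1);
    # the constructed sample is pinned to 2024-03-15 so it has something to report.
    yesterday = date.today() - timedelta(days=1)  # what a real run would use
    msg = build_digest(SAMPLE_ALERTS, "2024-03-15", "snort@example.invalid", "admin@example.invalid")
    print(msg)  # deliver with smtplib.SMTP(host).send_message(msg) on your own relay
```

Pointing `build_digest` at the real alert file and handing the result to `smtplib` turns this into the midnight cron job described above; lowering `max_priority` to 1 or 2 is the simplest way to keep the WAN scan noise out of the mail while the totals line still shows it happened.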

  • I'm going to try this.

    Does it generate a ton of logs?

    Edit - added to my daily and send test - works great!

    TYVM! 😀


  • @NogBadTheBad I have sent a test and it works. I will try it again tomorrow. Thank you.

