email SNORT events?
-
Hi everyone,
Sorry if this is a noob question, but I have Snort 4.1.2_2 running on my 2.4.5-RELEASE-p1 server.
I need to send email alerts when SNORT generates a notice.
What's the easiest way to do this?
From initial research it looks like I need to send logged events off to a syslog or graylog server and set up notifications there.
I'm hoping to avoid this. Is there any easier way to email out an event?
Thanks,
Paul
-
@plandry64 said in email SNORT events?:
Hi everyone,
Sorry if this is a noob question, but I have Snort 4.1.2_2 running on my 2.4.5-RELEASE-p1 server.
I need to send email alerts when SNORT generates a notice.
What's the easiest way to do this?
From initial research it looks like I need to send logged events off to a syslog or graylog server and set up notifications there.
I'm hoping to avoid this. Is there any easier way to email out an event?
Thanks,
Paul
No, the package does not support emailing of alerts. And a word from the wise to the newb ... be careful what you ask for. You will very quickly tire of getting dozens to hundreds of emails daily from alerts (most of which will be false positives). Exactly what you get would be determined by which rules you enable and what kind of traffic (and false positives) your network generates.
If you really want to get such notices via email, then you must export the logs to a third party product (and it should be on a separate server, not on the firewall).
The generally accepted method for such alerting is to use a SIEM product that has artificial intelligence algorithms to process a number of IDS inputs (Snort logs, Event Logs from Windows clients, syslogs from UNIX clients, etc.) and make decisions based on what is collected. Things that rise to the appropriate level then generate the alert for a human to intervene. There are commercial products that do this, but they are very expensive and difficult to configure. ArcSight ESM is one such product. Have a look here: https://www.microfocus.com/en-us/products/siem-security-information-event-management/overview. But be ready and willing to shell out major bucks for that product. Solarwinds also has a similar product that starts at about 1/10th the cost ($2500) of ArcSight. Here is the Solarwinds offering: https://www.solarwinds.com/security-event-manager.
What most folks do on pfSense is just review the ALERTS tab periodically.
-
If you run this through email reports after midnight it will email you the alerts from the previous day:
grep ^`date -v-1d +"%D"` /var/log/snort/snort_igb0*/alert ; echo
You may need to change the igb0* depending on the interface.
-
@NogBadTheBad said in email SNORT events?:
If you run this through email reports after midnight it will email you the alerts from the previous day:
grep ^`date -v-1d +"%D"` /var/log/snort/snort_igb0*/alert ; echo
You may need to change the igb0* depending on the interface.
@NogBadTheBad's suggestion is an excellent one to get a daily summary of alerts. You could even add this to your own cron task on the firewall. There is a cron package you can install to create and manage cron tasks.
-
@bmeeks Thanks for the reply. We are evaluating SIEM products now, but that is a few months away, so I wanted to get a simple email notification going for our SOC-2 Compliance auditor. Something to show we are getting pushed notices as well as manually checking the status board. One of my team is configuring graylog and grafana to push out select email notifications. I was looking for something simpler so he didn't have to pull an all-nighter. :)
Thanks again.
Paul
-
@NogBadTheBad Thanks, I will give that a shot along with cron to automate daily notices. That should satisfy my SOC-2 auditor's request until I get a full SIEM solution deployed.
-
@nogbadthebad Thanks for the solution.
To summarize for those discovering this thread, you need to install the mailreport package. Then go to Status -> Email Reports to set up a new report and schedule it to run as desired. I needed to tweak the command to work for me:
grep ^`date -v -1d +"%D"` /var/log/snort/snort_em2*/alert ; echo
-
Hello!
Another modification for alert summaries is:
grep ^`date -v -1d +"%D"` /var/log/snort/snort_igb0*/alert | awk -F, '{a[$5]++;} END{for(i in a) print a[i]" "i}' ; echo
which outputs something like:
20 "ET DOS DNS Amplification Attack Possible Outbound Windows Non-Recursive Root Hint Reserved Port"
506 "(spp_reputation) packets blacklisted"
1426 "ET DOS DNS Amplification Attack Inbound"
1 "ET WEB_SERVER WGET Command Specifying Output in HTTP Headers"
2 "ET DOS Possible SSDP Amplification Scan in Progress"
13 "(spp_sip) Content length mismatch"
John
-
@serbus - fantastic modification. This summary is way more useful than just the log output.
-
A follow-on from @serbus's neat addition: tack on sed 's/"//g' | sort -r to remove the " characters and reverse-sort the output.
grep ^`date -v-1d +"%D"` /var/log/snort/snort_igb0*/alert | awk -F, '{a[$5]++;} END {for(i in a) print a[i]" "i}' | sed 's/"//g' | sort -r ; echo
3 ET POLICY DNS Update From External net
1 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 100
1 ET TOR Known Tor Exit Node TCP Traffic group 100
1 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
1 (spp_sip) Content length mismatch
-
@nogbadthebad
Excuse the question, but I would like to do the same thing with Suricata, I tried to modify the code but it doesn't work.
Can you tell me how I can make it work with suricata?
Thank you.
-
Sorry no idea about Suricata as I don’t run it.
-
Hello!
I am not a Suricata user, but looking at the default log format from a test install, the following might be a crude starting point...
grep ^`date -v-1d +"%m/%d/%Y"` /var/log/suricata/suricata_igb0*/alerts.log | awk -F "\\[\\*\\*\\]" '{a[$2]++;} END {for(i in a) print a[i]" "i}' | sed 's/"//g' | sort -r ; echo
The delimiters are not great, so there is some noise in the report.
This has not been tested.
John