email SNORT events?
-
@NogBadTheBad said in email SNORT events?:
If you run this through email reports after midnight it will email you the alerts from the previous day:-
grep ^`date -v-1d +"%D"` /var/log/snort/snort_igb0*/alert ; echo
You may need to change the igb0* depending on the interface.
@NogBadTheBad's suggestion is an excellent one to get a daily summary of alerts. You could even add this to your own cron task on the firewall. There is a cron package you can install to create and manage cron tasks. -
@bmeeks Thanks for the reply. We are evaluating SIEM products now, but that is a few months away, so I wanted to get a simple email notification going for our SOC-2 Compliance auditor. Something to show we are getting pushed notices as well as manually checking the status board. One of my team is configuring graylog and grafana to push out select email notifications. I was looking for something simpler so he didn't have to pull an all-nighter. :)
Thanks again.
Paul -
@NogBadTheBad Thanks, I will give that a shot along with cron to automate daily notices. That should satisfy my SOC-2 auditor's request until I get a full SIEM solution deployed.
-
@nogbadthebad Thanks for the solution.
To summarize for those discovering this thread, you need to install the mailreport package. Then go to Status -> Email Reports to set up a new report and schedule it to run as desired. I needed to tweak the command to work for me:
grep ^`date -v -1d +"%D"` /var/log/snort/snort_em2*/alert ; echo
-
Hello!
Another modification for alert summaries is :
grep ^`date -v -1d +"%D"` /var/log/snort/snort_igb0*/alert | awk -F, '{a[$5]++;} END{for(i in a) print a[i]" "i}' ; echo
which outputs something like :
20 "ET DOS DNS Amplification Attack Possible Outbound Windows Non-Recursive Root Hint Reserved Port"
506 "(spp_reputation) packets blacklisted"
1426 "ET DOS DNS Amplification Attack Inbound"
1 "ET WEB_SERVER WGET Command Specifying Output in HTTP Headers"
2 "ET DOS Possible SSDP Amplification Scan in Progress"
13 "(spp_sip) Content length mismatch"
John
-
@serbus - fantastic modification. This summary is way more useful than just the log output.
-
A follow-on from @serbus's neat addition: tack on sed 's/"//g' | sort -r to remove the " and reverse sort the output.
grep ^`date -v-1d +"%D"` /var/log/snort/snort_igb0*/alert | awk -F, '{a[$5]++;} END {for(i in a) print a[i]" "i}' | sed 's/"//g' | sort -r ; echo
3 ET POLICY DNS Update From External net
1 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 100
1 ET TOR Known Tor Exit Node TCP Traffic group 100
1 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
1 (spp_sip) Content length mismatch
-
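The same grep/awk/sed summary from the two posts above, wrapped in a small POSIX sh script so it can be tested before it goes into a cron task or email report. This is an added example, not code from the thread: the sample alert lines are constructed (two messages borrowed from the thread, one made up, sig ids and addresses invented), the `emit`, `yesterday` and `summarize_alerts` names are mine, and the only behavioural change is `sort -rn` so that a count of 12 lands above a count of 3 (plain `sort -r` compares the digits as text).

```shell
#!/bin/sh
# Constructed sample of pfSense Snort alert-CSV lines
# (fields: ts,gid,sid,rev,msg,proto,src,sport,dst,dport,...).
# Sig ids, addresses and timestamps are made up; two messages come from the thread.
emit() { n=$1; shift; while [ "$n" -gt 0 ]; do printf '%s\n' "$*"; n=$((n-1)); done; }

SAMPLE_ALERTS=$(mktemp)
{
  emit 12 '03/15/23-00:01:02.100000 ,1,9000001,1,"ET DOS DNS Amplification Attack Inbound",UDP,198.51.100.7,53,192.0.2.10,53,1,Attempted Denial of Service,2'
  emit  3 '03/15/23-01:10:00.300000 ,1,9000002,1,"ET SCAN Potential SSH Scan",TCP,198.51.100.8,51236,192.0.2.10,22,1,Attempted Information Leak,2'
  emit  1 '03/15/23-02:05:00.200000 ,136,1,1,"(spp_reputation) packets blacklisted",TCP,203.0.113.9,443,192.0.2.10,44321,1,,2'
  emit  5 '03/14/23-23:59:58.100000 ,1,9000002,1,"ET SCAN Potential SSH Scan",TCP,198.51.100.7,51234,192.0.2.10,22,1,Attempted Information Leak,2'
} > "$SAMPLE_ALERTS"

# Previous day as mm/dd/yy, the prefix pfSense Snort writes on every alert line.
# pfSense (FreeBSD) date takes -v-1d; the fallback covers GNU date on a Linux test box.
yesterday() {
    date -v-1d +"%D" 2>/dev/null || date -d yesterday +"%D"
}

# summarize_alerts DATEPREFIX FILE...
# Keep only lines from that day (grep -h drops filenames when a glob matches
# several interface directories), count per signature message (CSV field 5),
# strip the quotes and sort numerically, highest count first.
summarize_alerts() {
    prefix=$1; shift
    grep -h "^$prefix" "$@" \
        | awk -F, '{ a[$5]++ } END { for (i in a) print a[i] " " i }' \
        | sed 's/"//g' \
        | sort -rn
}

# Demo against the constructed sample; on the firewall the call would be
#   summarize_alerts "$(yesterday)" /var/log/snort/snort_igb0*/alert
summarize_alerts 03/15/23 "$SAMPLE_ALERTS"
```

Signature messages that themselves contain a comma would be split by `-F,`, so check field 5 against a real alert file before trusting the counts.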
@nogbadthebad
Excuse the question, but I would like to do the same thing with Suricata, I tried to modify the code but it doesn't work.
Can you tell me how I can make it work with suricata?
Thank you. -
Sorry no idea about Suricata as I don’t run it.
-
Hello!
I am not a suricata user, but looking at the default log format from a test install, the following might be a crude starting point...
grep ^`date -v-1d +"%m/%d/%Y"` /var/log/suricata/suricata_igb0*/alerts.log | awk -F "\\[\\*\\*\\]" '{a[$2]++;} END {for(i in a) print a[i]" "i}' | sed 's/"//g' | sort -r ; echo
The delimiters are not great, so there is some noise in the report.
This has not been tested.
John