Have the snort alerts sent to you by email

This script can be used not just for snort, but for any kind of log. It emails you just the lines that were added to the log since the last check.

For the script to run, you need logtail (which is part of the logcheck application). In Debian-based systems do:

$ apt-get install logtail

If it’s not in your distribution’s repositories, install logcheck from source.

Now here’s the script:

#!/bin/bash
## Put the changes since the last check of the log in a temporary file.
## A fresh mktemp name is used instead of a fixed /tmp/snort.txt, so that a
## cron job running as root never writes to a path another user could have
## created in advance.

tmpfile=$(mktemp) || exit 1
logtail /var/log/snort/alert > "$tmpfile"

## Read the new lines into a variable, later used to check whether anything is new

i=$(cat "$tmpfile")

## If the value of i is not empty, send an email with the new lines to the
## address specified. Replace the email address "mail@example.com" with yours.
## You can also change the subject of the emails (now it's "New attacks from snort log").

if [ -n "$i" ]; then
    mail -s "New attacks from snort log" mail@example.com < "$tmpfile"
fi

rm -f "$tmpfile"
######################### https://badan.wordpress.com ############################

That’s all. You can adjust it as you want.

To make it functional, create a file called, for example, snortcheck.sh with the contents of this script. Save it in a directory, for example /root/scripts. Give it execution permissions:

$ chmod +x /root/scripts/snortcheck.sh

then insert a line like this in your /etc/crontab:

*/10 * * * *     root    /bin/bash  /root/scripts/snortcheck.sh

(if you have a different path to the script, for example /home/user/scripts , then adjust it).
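To show what logtail does for the script above, here is an added example (not the blog’s script and not part of logcheck) that reimplements the "only the new lines" idea in plain POSIX sh: it remembers how many bytes of the log have already been reported in an offset file, prints only what was appended since, and starts over when the log has been rotated or truncated. The path arguments, the offset file location and the MAIL_CMD variable (a hook so the mail(1) call can be swapped for a stand-in) are assumptions of this example, not something the post defines.

```shell
#!/bin/sh
# Added example: a small logtail-style reader plus the mailing step from the post.
# Usage: sh snortcheck.sh /var/log/snort/alert /var/lib/snortcheck/offset mail@example.com
# (paths are placeholders; choose a directory only root can write to for the offset file)

# new_log_lines LOG OFFSET_FILE
#   Prints the lines appended to LOG since the previous call and records the new offset.
#   Rotation/truncation is detected only by the file being smaller than the saved
#   offset (a simplification; a rotated file that already grew past the old offset
#   would have its first lines skipped).
new_log_lines() {
    log=$1
    offset_file=$2
    [ -f "$log" ] || return 1
    size=$(wc -c < "$log" | tr -d ' ')
    last=0
    if [ -f "$offset_file" ]; then
        last=$(cat "$offset_file")
    fi
    # treat a missing or corrupt offset file as "never read"
    case $last in ''|*[!0-9]*) last=0 ;; esac
    if [ "$size" -lt "$last" ]; then
        last=0
    fi
    # tail -c +N starts at byte N (1-based), so +(last+1) skips what was already seen
    tail -c +"$((last + 1))" "$log"
    printf '%s\n' "$size" > "$offset_file"
}

# report_new_alerts LOG OFFSET_FILE RECIPIENT
#   Mails the new lines only if there are any. Returns 0 if a mail was sent,
#   1 if nothing was new, 2 if a temporary file could not be created.
report_new_alerts() {
    tmp=$(mktemp) || return 2
    new_log_lines "$1" "$2" > "$tmp"
    if [ -s "$tmp" ]; then
        # mail(1) as in the post; MAIL_CMD is an assumed hook for substituting a stand-in
        ${MAIL_CMD:-mail} -s "New attacks from snort log" "$3" < "$tmp"
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# run the check when invoked with the three arguments shown in the usage line
if [ "$#" -eq 3 ]; then
    report_new_alerts "$1" "$2" "$3"
fi
```

Because the offset file is written by the same root cron job that reads it, keeping it in a root-owned directory (rather than /tmp) matters for the same reason as the temporary file in the script: a world-writable location would let any local user decide which part of the alert log gets reported.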

That’s all!

If you have suggestions, suggest them!
