Snort has many logging abilities: syslog, unixsock, tcpdump (pcap), CSV, XML, unified and my favourite, database. All these logging methods are great if you are going to look through your logs regularly. But if you are busy doing other things, or maintaining Snort isn't your main priority, how are you expected to keep up to date with the logs?
I find that having Snort email me every morning with a simple report is a much better way of making sure nobody is attacking my systems without my noticing. It only takes me a minute to read through the report, and if there is something I think needs looking at I can log into my database and get as much information on the event as I need. So how do you set up email reports? If you installed Snort on a Debian based system the reporting is already installed, just not set up correctly:
By default the report is sent to the local root account, and if your Snort server isn't also your email server you are unlikely to ever see it. So first, if you haven't already, you need to install Postfix. For a simple setup just type:
sudo apt-get install postfix
Choose "Internet Site". Then you will see another window asking for the mail name of the server:
Enter the domain name of your server; if you don't know what this is, leave it at the default value. This installs and sets up a simple send-only mail server. You won't be able to receive email on it, but you will be able to send, and that is all you need for email reports. To test that it works, type:
sendmail email@example.com
Subject: test from snort box

This is a test.
.
Note the final line containing only a "." (not on the same line as the command): it tells sendmail you have finished typing and sends the message. If the test email arrives (check the spam folder and /var/log/mail.log if it doesn't), you can move on to configuring Snort. You need to edit the snort.debian.conf file:
sudo nano /etc/snort/snort.debian.conf
And change the "DEBIAN_SNORT_STATS_RCPT=" line to your email address, making sure "DEBIAN_SNORT_SEND_STATS" is "true". The file should look something like this:
# This file is used for options that are changed by Debian to leave
# the original lib files untouched.
# You have to use "dpkg-reconfigure snort" to change them.
DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="[Your IP Address]/32"
DEBIAN_SNORT_OPTIONS=""
DEBIAN_SNORT_INTERFACE="eth0"
DEBIAN_SNORT_SEND_STATS="true"
DEBIAN_SNORT_STATS_RCPT="[YourEmail@YourDomain.com]"
DEBIAN_SNORT_STATS_THRESHOLD="1"
Now save the file with ctrl+o and exit with ctrl+x (as the comment at the top says, "sudo dpkg-reconfigure snort" will walk you through the same settings and is the safer way to change them). Snort will email you the first report within the next 24 hours, and again every day until you turn the server off: the report is generated by the package's daily cron job, which reads these settings. "DEBIAN_SNORT_STATS_THRESHOLD" is not a schedule. It is the minimum number of times a given alert must occur during the day before it is included in the report, so "1" lists every alert, and a higher value hides the one-off noise and keeps only alerts that repeat. If you want the report more (or less) often than once a day, change the cron job that runs it, not the threshold.
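The steps above done as one script, added here as an example and not code from the original post or the Debian Snort package. It assumes the config file is at /etc/snort/snort.debian.conf (overridable through SNORT_CONF), that "sendmail" is on PATH (Postfix provides it), and that SNORT_REPORT_APPLY=1 is set when you actually want it to touch the file and send the test mail; without that variable it only defines the functions, so it can be sourced and tried on a scratch copy first.

```bash
#!/bin/sh
# Added example, not from the original post. Idempotently sets the Debian
# Snort report options and sends a well-formed test message through Postfix.
# Assumed path (not stated by the post); override with SNORT_CONF=... if needed.
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.debian.conf}"

# set_conf_value FILE KEY VALUE
# Replaces an existing KEY="..." line or appends one; every other line,
# including the Debian comments, is kept as-is. Safe to run repeatedly.
set_conf_value() {
    file="$1"; key="$2"; value="$3"
    tmp="$(mktemp)"
    if grep -q "^${key}=" "$file"; then
        # awk rather than sed so the value needs no escaping
        awk -v k="$key" -v v="$value" '
            index($0, k "=") == 1 { print k "=\"" v "\""; next }
            { print }' "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s="%s"\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"   # write in place to keep owner and mode
    rm -f "$tmp"
}

# get_conf_value FILE KEY -> prints the value without quotes (last one wins)
get_conf_value() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# valid_rcpt ADDRESS -> succeeds if it looks like user@host.tld.
# A sanity check only: it catches the bare "root" default, nothing more.
valid_rcpt() {
    printf '%s' "$1" | grep -Eq '^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+$'
}

# send_test_mail ADDRESS
# sendmail -t takes the recipient from the To: header; -i means a lone "."
# line is NOT treated as end of input, so the here-document needs no dot.
send_test_mail() {
    sendmail -t -i <<EOF
To: $1
Subject: Snort report test from $(hostname -f 2>/dev/null || hostname)

If you can read this, Postfix on this host can deliver the daily Snort report.
EOF
}

# configure_snort_reports ADDRESS [THRESHOLD]
# Enables the daily stats mail, sets the recipient and the minimum number
# of occurrences an alert needs before it appears in the report (default 1).
configure_snort_reports() {
    rcpt="$1"; threshold="${2:-1}"
    valid_rcpt "$rcpt" || { echo "refusing recipient '$rcpt' (need user@domain)" >&2; return 1; }
    set_conf_value "$SNORT_CONF" DEBIAN_SNORT_SEND_STATS true
    set_conf_value "$SNORT_CONF" DEBIAN_SNORT_STATS_RCPT "$rcpt"
    set_conf_value "$SNORT_CONF" DEBIAN_SNORT_STATS_THRESHOLD "$threshold"
}

# Only modify the live system when explicitly asked:
#   sudo SNORT_REPORT_APPLY=1 sh snort-report.sh you@example.com 1
if [ "${SNORT_REPORT_APPLY:-0}" = 1 ]; then
    configure_snort_reports "$1" "${2:-1}" && send_test_mail "$1"
fi
```

Run it once against a copy of the file (SNORT_CONF=/tmp/snort.debian.conf) to see exactly which lines change before pointing it at the real one; the comment in the file is right that dpkg-reconfigure is the supported way, and this script only writes the same three keys that dialog would.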
Please leave any comments, feedback or questions.