Snort Email Reports


Snort has many logging options: syslog, unixsock, tcpdump, CSV, XML, unified and, my favourite, database. All of these are great if you look through your logs regularly. But if you are busy doing other things, or maintaining Snort isn't your main priority, how are you expected to keep up to date with the logs?

I find that having Snort email me every morning with a simple report is a much better way of making sure that no one is attacking my systems. It only takes me a minute to read through the report, and if there is something I think needs looking at I can log into my database and get as much information on the event as I need. So how do you set up email reports? If you installed Snort on a Debian-based system the reporting job is already installed, it just isn't set up correctly:

By default the reports are sent to root@localhost, and unless your Snort server is also your mail server you are unlikely ever to see them. So first, if you haven't already, install postfix; for a simple setup just type:

sudo apt-get install postfix

You'll see a window that looks like this:

[screenshot: Postfix Config Choose]

Choose "Internet Site". Then you'll see another window asking for the domain name of the server:

[screenshot: Postfix Domain Name Choose]

Enter the domain name of your server; if you don't know what this is, leave it at the default value. This installs and sets up a simple email server. You won't be able to receive email, but you will be able to send it, and that is all you need for the reports. To test that it works, type:

sendmail yourmail@yourdomain.com
.

Type a short message and then a line containing only a . and press enter; the . tells sendmail you have finished and it will send the message. Once that message arrives you can move on to configuring Snort, which means editing the snort.debian.conf file:

sudo nano /etc/snort/snort.debian.conf

Change the "DEBIAN_SNORT_STATS_RCPT=" line to your email address and make sure "DEBIAN_SNORT_SEND_STATS" is set to "true"; the file should then look something like this:

# This file is used for options that are changed by Debian to leave
# the original lib files untouched.
# You have to use "dpkg-reconfigure snort" to change them. 

DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="[Your IP Address]/32"
DEBIAN_SNORT_OPTIONS=""
DEBIAN_SNORT_INTERFACE="eth0"
DEBIAN_SNORT_SEND_STATS="true"
DEBIAN_SNORT_STATS_RCPT="[YourEmail@YourDomain.com]"
DEBIAN_SNORT_STATS_THRESHOLD="1"

Now save the file with ctrl+o and ctrl+x. The report is produced by the snort-common job in /etc/cron.daily, so the first email will arrive within the next 24 hours and another will follow every day the server is up. Despite its name, DEBIAN_SNORT_STATS_THRESHOLD does not control how often reports are sent: it is the minimum number of times an alert has to occur before it is included in the report, so 1 lists every alert and a higher value hides the one-off noise. The schedule belongs to cron, not to Snort, so if you want reports more or less often you have to change when that cron job runs rather than anything in this file. Also note, as the header of the file says, that "dpkg-reconfigure snort" rewrites it, so a hand edit like this one has to be repeated if you ever reconfigure the package.
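The whole procedure above, as an added example in one POSIX shell script (this is not code from the original post or from the Debian snort package): it hands a properly headed test message to the local MTA, sets the three report-related options in a snort.debian.conf-style file, and checks them before you wait for the next cron run. The file path is an argument so you can try it on a copy first; the recipient ids-alerts@example.com, the /usr/sbin/sendmail path and all the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: script the Snort email-report setup described above.
# Assumptions (not from the original post): the config file uses the
# DEBIAN_SNORT_*="value" layout shown above, the MTA is reachable as
# /usr/sbin/sendmail, and ids-alerts@example.com is a placeholder recipient.
# "dpkg-reconfigure snort" rewrites the file, so repeat this after a reconfigure.

# Hand a fully headed message to the local MTA (the same test as the manual
# "sendmail address" + "." step, but with a Subject so it is easy to find).
send_test_mail() {
    rcpt="$1"
    /usr/sbin/sendmail -t <<EOF
To: $rcpt
Subject: Snort report test from $(hostname)

If you can read this, postfix can deliver Snort's daily report.
EOF
}

# Print the value of KEY from FILE with the surrounding double quotes removed
# (last definition wins, as it would for the shell that sources the file).
get_stats_option() {
    file="$1"; key="$2"
    grep "^$key=" "$file" | tail -n 1 | sed -e "s|^$key=||" -e 's|^"||' -e 's|"$||'
}

# Set KEY="VALUE" in FILE, replacing an existing line or appending a new one.
# VALUE must not contain '|' because it is used as the sed delimiter.
set_stats_option() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^$key=" "$file"; then
        sed -i "s|^$key=.*|$key=\"$value\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# Turn on the daily report for RECIPIENT. THRESHOLD (default 1) is the minimum
# number of occurrences an alert needs before it is listed in the report.
enable_email_reports() {
    file="$1"; rcpt="$2"; threshold="${3:-1}"
    set_stats_option "$file" DEBIAN_SNORT_SEND_STATS true
    set_stats_option "$file" DEBIAN_SNORT_STATS_RCPT "$rcpt"
    set_stats_option "$file" DEBIAN_SNORT_STATS_THRESHOLD "$threshold"
}

# Return 0 only if reports are enabled, go somewhere other than the local root
# mailbox, and have a whole-number threshold. Each failure is explained on stderr.
check_email_reports() {
    file="$1"
    on=$(get_stats_option "$file" DEBIAN_SNORT_SEND_STATS)
    rcpt=$(get_stats_option "$file" DEBIAN_SNORT_STATS_RCPT)
    thr=$(get_stats_option "$file" DEBIAN_SNORT_STATS_THRESHOLD)
    [ "$on" = "true" ] || { echo "DEBIAN_SNORT_SEND_STATS is '$on': reports are off" >&2; return 1; }
    case "$rcpt" in
        ''|root|root@localhost)
            echo "DEBIAN_SNORT_STATS_RCPT '$rcpt' stays on this box; nobody will read it" >&2
            return 1 ;;
    esac
    case "$thr" in
        ''|*[!0-9]*)
            echo "DEBIAN_SNORT_STATS_THRESHOLD '$thr' is not a whole number" >&2
            return 1 ;;
    esac
    return 0
}

# Typical use, as root on the Snort box:
#   send_test_mail ids-alerts@example.com
#   enable_email_reports /etc/snort/snort.debian.conf ids-alerts@example.com 1
#   check_email_reports /etc/snort/snort.debian.conf
```

No Snort restart is needed for the report settings, since the cron job reads the file each time it runs; `run-parts --test /etc/cron.daily` lists the job so you can confirm it is still in place, and running the snort-common script from that directory by hand sends a report straight away instead of waiting for the next day.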



Please leave any comments, feedback or questions.
Thanks.


  1. #1 by Ian.galvin on October 14, 2010 - 11:28 pm

    According to “dpkg-reconfigure snort”, the DEBIAN_SNORT_STATS_THRESHOLD value is for telling Snort the number of occurrences of each event to “tolerate” prior to logging. Have you tested to discover which is actually the case?

    • #2 by Tyler Allen on October 15, 2010 - 8:15 am

      You might be right there, I can't remember where I got the information for the DEBIAN_SNORT_STATS_THRESHOLD line, I'll run some tests later to find out exactly what it does and report back.

  2. #3 by ian.galvin on October 15, 2010 - 4:43 pm

    Interestingly, it also seems that Snort runs these reports out of cron.daily, and (at least on my system) using postfix. One would think, then, that it could be manually set to run hourly and to send reports to a mailing list defined in /etc/aliases, but neither seems to work for me. Have you tried either of these and met with any success?
