
How-To: Email Alerting for the Snort Intrusion Detection System

I wrote this brief how-to while setting up a distributed network intrusion detection system (NIDS) using open source Linux, Snort and the MySQL database. One of the biggest challenges in using the open source Snort IDS in a distributed environment is getting reliable email alerting generated from its output. There are several ways to accomplish this task and most depend on the specifics of the Snort installation you're using.

I prefer to have Snort log results to a MySQL database, either on the local host or remotely, and have my email alerting generated from there. The following tutorial explains in simple terms how to assemble and implement the tools needed to extract meaningful Snort alerts from a MySQL database. Be aware that although I initially put this together in 2004 using the now defunct “Sentinix Linux”, the same methods should work on a current setup that uses Snort/MySQL, regardless of Linux flavor, as long as the dependencies are met.

With that in mind, the code is below the break; note that links to specific software and credits are given in the how-to.

#############################################################

# TEXT: SNORTSLINGER Email Alert HOW-TO FOR SENTINIX LINUX #

# WRITTEN BY: black_flag 8-25-04 #

# URL: http://blackflag.wordpress.com #

############################################################

.:PRELUDE:.

-Snortslinger is a Python script written by Ben Nelson (VENOM AT VENOM600.ORG). It is intended as a form of email alerting for the Snort IDS. Assuming you have Snort logging to a MySQL database, Snortslinger (with the MySQLdb plugin) will pull a 24 hour summary of events from MySQL and email them to the address you specify.

.:NEEDFUL THINGS:.

-A fully functioning install of Sentinix Linux (or most other *nixes) with Snort/MySQL, available at:
http://sentinix.org or http://distrowatch.org

-The Snortslinger.py script V.1.3 available at:
http://www.venom600.org/code/SnortSlinger

-The MySQLdb module available at:
http://sourceforge.net/projects/mysql-python

-A functioning SMTP server to handle the mail. If you have an SMTP server on your domain use it; if not, Postfix comes bundled with Sentinix and you can set that up. I prefer Postfix but any SMTP server will do.

-A cron job scheduled to execute the snortslinger.py script daily or as needed. Bear in mind that a database password passed on the command line with -p is visible to every local user in the process list for as long as the script runs, so give the script its own MySQL account with SELECT-only rights on the snort database rather than the root account it defaults to.

.:NOTES:.

-The current release of SENTINIX ver.0.70.5 meets the /lib dependency requirements for both Snortslinger and the MySQLdb module.

.:ONWARD:.

.:MySQLdb Module:.

-The installation process is very straight-forward:

-Copy the snortslinger.py script and the MySQLdb module to your directory of choice (/home/ will do).

-You can install the MySQLdb module with MySQL running if you like.

-Read the “mysql_plugin_faqs.txt” and take note of the installation command sequence (mysqlversion must match the MySQL version actually installed on the host):

$ tar xfz MySQL-python-1.0.0.tar.gz
$ cd MySQL-python-1.0.0
$ export mysqlversion="4.0.20"

Then run the package's setup.py as the FAQ describes (the usual `python setup.py build` followed by `python setup.py install`). The setup.py will run its course and you should be ready to set up Snortslinger at this point.

.:Snortslinger:.

-The following edits will have to be made to snortslinger.py (at a minimum) to get Snortslinger working for you.

-Edit the interpreter path in snortslinger.py from #!/usr/local/bin/python to #!/usr/bin/python (the path to Python in Sentinix).

-Also, in the “Variables” block of code (MailFrom, MailHost and MailCritSubject are the ones you will normally want to change):

# Variables
MailFrom = 'SnortSlinger'
MailHost = 'localhost'
MailCritSubject = 'Snort Alert !'
OptsShort = 'hvsgSI:P:u:p:n:d:e:E:c:'
OptsLong = [ 'help', 'version', 'standard-out', 'gpg', 'sign', 'gpg-id=', 'gpg-pass=', \
             'user=', 'password=', 'db-name=', 'db-host=', 'email=', 'crit-email=', \
             'crit-level=' ]
Version = 1.3

-Edit the target email address in snortslinger.py from “root@localhost” to “[email protected]”.

#----------- parseArgs - START --------------------------------------
def parseArgs( argv ):
    # defaults; every entry can be overridden by the matching command line switch
    OptList = { \
        "help"       : 0, \
        "version"    : 0, \
        "stdout"     : 0, \
        "gpg"        : 0, \
        "sign"       : 0, \
        "gpg-id"     : "", \
        "gpg-pass"   : "", \
        "user"       : "root", \
        "password"   : "", \
        "dbname"     : "snort", \
        "dbhost"     : "127.0.0.1", \
        "email"      : "[email protected]", \
        "crit_email" : "[email protected]", \
        "crit_level" : int("100") \
    }
    # the option parsing that follows in snortslinger.py is unchanged and not reproduced here

-You should also take note of the Snortslinger command line switches while testing your setup, they are included below:

Available Options:
 -h, --help              Print this usage statement and exit
 -v, --version           Print version and exit
 -s, --standard-out      Do NOT send email, just print output to STDOUT
 -g, --gpg               GPG sign before sending
 -S, --sign              GPG sign before sending (must use with -g)
 -I, --gpg-id=ID         Use ID to sign with (must use with -g)
 -P, --gpg-pass=PASS     Use PASS for GPG passphrase dialogue (must use with -g)
 -u, --user=USER         Connect to database with username: USER [default: root]
 -p, --password=PASS     Connect to database with password: PASS [default: ]
 -n, --db-name=NAME      Connect to database named: NAME [default: snort]
 -d, --db-host=HOST      Connect to database on host: HOST [default: 127.0.0.1]
 -e, --email=ADDR        Send report to email address: ADDR [default: root@localhost]
 -E, --crit-email=ADDR   Send critical alert message to: ADDR
 -c, --crit-level=NUM    If the number of alerts generated in an hour exceeds NUM,
                         send an alert to the email address defined by -E/--crit-email
                         [default: 100]
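The following is an added example and not part of the original how-to or of Ben Nelson's snortslinger.py: a small reproduction of what the script does, written against the stock Snort database schema (the event, signature and iphdr tables, with IP addresses stored as unsigned 32-bit integers) so that the 24 hour digest from the PRELUDE and the -c/--crit-level check from the option list can be seen end to end. The tables are recreated in an in-memory SQLite database and filled with constructed sample alerts so it runs offline; the table and column names are Snort's, while every function name, the fixed clock (NOW), the sample addresses and the message layout are this example's own assumptions.

```python
import ipaddress
import sqlite3
from datetime import datetime, timedelta
from email.message import EmailMessage

# Subset of the stock Snort MySQL schema (event, signature, iphdr) recreated in
# SQLite so the example runs offline. Table and column names are Snort's.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    PRIMARY KEY (sid, cid));
"""
# Fixed clock so the report is reproducible (an assumption of this example).
NOW = datetime(2004, 8, 25, 12, 0, 0)

def ip2int(addr):
    """Snort stores IPv4 addresses as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(addr))

def int2ip(n):
    return str(ipaddress.IPv4Address(n))

def build_sample_db(now=NOW):
    """Constructed sample alerts from one sensor (sid=1); not real data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?,?,?)", [
        (1, "ICMP PING NMAP", 2), (2, "WEB-IIS cmd.exe access", 1),
        (3, "SNMP public access udp", 2)])
    cid = 0
    def add(sig, when, src, dst):
        nonlocal cid
        cid += 1
        conn.execute("INSERT INTO event VALUES (?,?,?,?)",
                     (1, cid, sig, when.strftime("%Y-%m-%d %H:%M:%S")))
        conn.execute("INSERT INTO iphdr VALUES (?,?,?,?)",
                     (1, cid, ip2int(src), ip2int(dst)))
    for h in (1, 5, 11):                       # a few pings spread over the day
        add(1, now - timedelta(hours=h), "10.0.0.5", "192.168.1.10")
    for m in range(5):                         # a short burst, well under the limit
        add(1, now - timedelta(hours=9, minutes=-m), "10.0.0.5", "192.168.1.11")
    for m in range(150):                       # 150 hits inside one clock hour (09:xx)
        add(2, now - timedelta(hours=3) + timedelta(minutes=m % 60, seconds=m % 7),
            "192.168.1.20", "192.168.1.80")
    for d in (2, 3):                           # older than 24h: must be left out
        add(3, now - timedelta(days=d), "172.16.0.9", "192.168.1.10")
    conn.commit()
    return conn

def window(now, hours):
    fmt = "%Y-%m-%d %H:%M:%S"
    return (now - timedelta(hours=hours)).strftime(fmt), now.strftime(fmt)

def summarize(conn, now=NOW, hours=24):
    """The daily digest: counts per signature and per source for the trailing window."""
    since, until = window(now, hours)
    by_sig = conn.execute("""
        SELECT s.sig_name, s.sig_priority, COUNT(*) AS n
        FROM event e JOIN signature s ON s.sig_id = e.signature
        WHERE e.timestamp >= ? AND e.timestamp <= ?
        GROUP BY s.sig_id ORDER BY n DESC, s.sig_name""", (since, until)).fetchall()
    by_src = conn.execute("""
        SELECT i.ip_src, COUNT(*) AS n
        FROM event e JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        WHERE e.timestamp >= ? AND e.timestamp <= ?
        GROUP BY i.ip_src ORDER BY n DESC LIMIT 10""", (since, until)).fetchall()
    return {"since": since, "until": until,
            "total": sum(n for _, _, n in by_sig),
            "by_signature": [tuple(r) for r in by_sig],
            "top_sources": [(int2ip(src), n) for src, n in by_src]}

def hourly_peaks(conn, crit_level, now=NOW, hours=24):
    """The -c/--crit-level check: clock hours whose alert count exceeds crit_level."""
    since, until = window(now, hours)
    return conn.execute("""
        SELECT strftime('%Y-%m-%d %H:00:00', timestamp) AS hour, COUNT(*)
        FROM event WHERE timestamp >= ? AND timestamp <= ?
        GROUP BY 1 HAVING COUNT(*) > ? ORDER BY 1""", (since, until, crit_level)).fetchall()

def build_report(summary, peaks, crit_level, mail_from="snortslinger@localhost",
                 mail_to="root@localhost", crit_to="root@localhost"):
    """Returns (daily report, critical message or None) as EmailMessage objects."""
    lines = ["Snort alerts %s .. %s" % (summary["since"], summary["until"]),
             "Total: %d" % summary["total"], "", "count  prio  signature"]
    lines += ["%5d  %4d  %s" % (n, p, name) for name, p, n in summary["by_signature"]]
    lines += ["", "count  source"]
    lines += ["%5d  %s" % (n, ip) for ip, n in summary["top_sources"]]
    report = EmailMessage()
    report["From"], report["To"] = mail_from, mail_to
    report["Subject"] = "Snort daily summary: %d alerts" % summary["total"]
    report.set_content("\n".join(lines) + "\n")
    critical = None
    if peaks:                                   # same subject as MailCritSubject in the script
        critical = EmailMessage()
        critical["From"], critical["To"], critical["Subject"] = mail_from, crit_to, "Snort Alert !"
        critical.set_content("".join("%s: %d alerts (limit %d)\n" % (h, n, crit_level)
                                     for h, n in peaks))
    return report, critical

if __name__ == "__main__":
    conn = build_sample_db()
    report, critical = build_report(summarize(conn), hourly_peaks(conn, 100), 100)
    print(report)                               # like -s/--standard-out: print, don't mail
    if critical:
        print(critical)
```

Against a real Snort database the same two digest queries run unchanged under MySQLdb apart from its %s parameter markers; the one SQLite-specific piece is strftime() in the hourly query, whose MySQL counterpart is DATE_FORMAT(timestamp, '%Y-%m-%d %H:00:00'). Note that the threshold is evaluated per clock hour, exactly as the option text describes, so a burst that straddles two hours can stay below the limit in both; if that matters, count over a sliding 60-minute window instead of the grouped hour.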

.:Closing:.

-You should be able to run “./snortslinger.py” and send an alert mail successfully at this point; use a variation of the command line switches above to verify the desired functionality. Running it first with -s/--standard-out shows the report on the terminal without involving the mail server, which separates database problems from SMTP problems.

.:Acknowledgements:.

-Snortslinger: Ben Nelson, http://www.venom600.org/code/SnortSlinger

-MySQLdb module: Andy Dustman, http://sourceforge.net/projects/mysql-python

-Sentinix: Michel Blomgren, http://Sentinix.org

-This How-To Document: black_flag http://blackflag.wordpress.com
