Snort email report from cron job
Ian Smith
the.pond at dsl.pipex.com
Tue Dec 16 11:02:32 GMT 2003
OK this should be an improvement - I am now at least receiving mails
from the cron job.
The reports are cumulative, i.e. the /var/log/snort file is not rotated. I
think this is what I want - YMMV.
--
------------------------------------------------------------------------
Ian Smith
Worst . . . signature . . . ever !
-------------- next part --------------
#!/bin/sh -e
#set -x
test -f /usr/bin/snort || exit 0
PATH=/bin:/usr/bin:/sbin:/usr/sbin
umask 066

# Report on the auth log if syslogd knows one, otherwise on Snort's own alert file.
SYSLOG_LOGFILE=`syslogd-listfiles --auth 2>/dev/null | head -1`
SYSLOG_LOGFILE_CUSTOM=/var/log/snort/alert
if [ -z "$SYSLOG_LOGFILE" ]; then
    SYSLOG_LOGFILE=$SYSLOG_LOGFILE_CUSTOM
fi

# Recipient and alert threshold come from the sysconfig file (second attachment).
CONFIG=/etc/config.d/snort/snort.sysconfig
. "$CONFIG"
export SNORT_STATS_RCPT SNORT_STATS_TRESHOLD

# Rotation is deliberately left disabled so the report stays cumulative.
#test -f /var/log/snort/portscan.log && savelog -c 7 -p /var/log/snort/portscan.log >/dev/null
#find /var/log/snort -name "snort-*@*.log" -mtime +15 \
#    | xargs --no-run-if-empty rm

for log in $SYSLOG_LOGFILE; do
    # mktemp rather than a fixed /tmp name: a predictable path in a
    # world-writable directory can be pre-created or symlinked by another local user.
    TEMPFILE=`mktemp /tmp/snort-stat.XXXXXX` || exit 1
    snort-stat -t "$SNORT_STATS_TRESHOLD" < "$log" > "$TEMPFILE"
    if test -s "$TEMPFILE"; then
        (echo "To: $SNORT_STATS_RCPT"; echo; cat "$TEMPFILE") | \
            mail -s "Snort Daily Intrusion Report" "$SNORT_STATS_RCPT"
    fi
    rm -f "$TEMPFILE"
done
exit 0
-------------- next part --------------
## snort configuration
SNORT_IFACE=eth0
SNORT_CFGFILE=/etc/snort.conf
#SNORT_OPTIONS="-deo -S RULE_PATH='/etc/snort'"
#SNORT_OPTIONS="-deo"
#SNORT_OPTIONS="-do"
SNORT_OPTIONS="-b -o -h 10.0.0.0/8 -A fast"
# Snarfed from Debian by ICS !!!!!
# This file is used for options that are changed by Debian to leave
# the original lib files untouched.
# You have to use "dpkg-reconfigure snort" to change them.
SNORT_STARTUP=boot
#SNORT_HOME_NET="192.168.0.0/16"
#SNORT_OPTIONS=" -i eth0"
SNORT_STATS_RCPT="root"
SNORT_STATS_TRESHOLD="1"
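The cron script above hands the alert file to snort-stat with a threshold. As an added example, not part of Ian's post and not snort-stat's own code, here is a POSIX sh/awk summariser for the lines Snort writes to /var/log/snort/alert in the -A fast mode chosen in the sysconfig, keeping only signatures seen at least a threshold number of times (the role SNORT_STATS_TRESHOLD plays). The alert lines are constructed samples.

```shell
#!/bin/sh
# Added example (not from the post): count Snort "-A fast" alerts per signature
# and print only those at or above a threshold, most frequent first.
# Fast-format line: <timestamp>  [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: n] {proto} src -> dst

# Constructed sample of the /var/log/snort/alert file.
SAMPLE_ALERTS='12/16-10:01:02.000001  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 10.0.0.5:1434
12/16-10:01:05.000002  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.11:1434 -> 10.0.0.5:1434
12/16-10:02:00.000003  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.12:3451 -> 10.0.0.8:80
12/16-10:03:00.000004  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.13:1434 -> 10.0.0.5:1434
12/16-10:04:00.000005  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.14 -> 10.0.0.1
12/16-10:05:00.000006  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.15:3452 -> 10.0.0.8:80'

# snort_fast_summary THRESHOLD  (alert lines on stdin)
# Output: "<count>\t<[gid:sid:rev] message>" for every signature with count >= THRESHOLD.
snort_fast_summary() {
    threshold=$1
    awk -v min="$threshold" '
        # Only lines carrying the [**] delimiters are alerts; skip anything else.
        index($0, "[**]") {
            n = split($0, part, /\[\*\*\]/)
            if (n < 3) next
            sig = part[2]                       # " [gid:sid:rev] message "
            sub(/^[ \t]+/, "", sig)
            sub(/[ \t]+$/, "", sig)
            count[sig]++
        }
        END {
            for (s in count)
                if (count[s] >= min)
                    printf "%d\t%s\n", count[s], s
        }
    ' | sort -rn -k1,1
}

# Usage: summarise the sample with a threshold of 2 (the lone NMAP ping is dropped).
printf '%s\n' "$SAMPLE_ALERTS" | snort_fast_summary 2
```

Run against the real file as `snort_fast_summary "$SNORT_STATS_TRESHOLD" < /var/log/snort/alert`; because the file is not rotated, counts grow over time just as the mailed report does.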
More information about the lunar mailing list