An alchemists view from the bar

Network Security Alchemy

Formatted Snort alerts in your e-mail


… As if you don’t have enough email to read as it is.

People commonly expect Snort to provide many systems that are well out of scope of its design, including:

  • Event analysis UIs
  • Real-time e-mail alerts
  • Graphical configuration tools
  • The kitchen sink
  • Reporting functions

The list goes on …

There are many external tools that provide all of these functions. Please remember that Snort is a high-performance network intrusion detection/prevention engine and not a complete IPS solution on its own. Many commercial offerings use Snort as the detection engine but bundle their own management and reporting framework around it, including <blatant plug> Sourcefire </blatant plug>.

Swatch is the most commonly used lightweight method of performing an active response when Snort raises an event, and this includes sending email. When I teach Snort classes I find that students quickly get to grips with how to use swatch, but still need a hand getting a formatted email out of the system.

To make this simpler, I threw together this simple script to provide nice email alerts with impact and advice on how to react to the event.

Let me know if you find it useful.
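One way to produce such an e-mail, added here as an example; it is not the author's script, which this page does not include. It assumes Snort's one-line "fast" alert format, that swatch hands the matched line to it on stdin (for example through its `pipe` action), and a local MTA; the impact and advice wording, the addresses and the sample line are constructed.

```python
"""Format one Snort "fast" alert line from stdin as an e-mail (added example)."""
import re
import smtplib
import sys
from email.message import EmailMessage

# ts [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)
# Assumed impact/advice wording, keyed on Snort priority (1 is most severe).
TRIAGE = {
    1: ("HIGH", "Investigate now: check the target for signs of compromise."),
    2: ("MEDIUM", "Review today: correlate with other alerts for these hosts."),
    3: ("LOW", "Review in the next routine pass; tune the rule if noisy."),
}
# Constructed sample line (local-range SID, documentation IP addresses).
SAMPLE = ("05/24-18:02:11.123456  [**] [1:1000001:1] LOCAL constructed test rule "
          "[**] [Classification: Misc Attack] [Priority: 2] {UDP} "
          "192.0.2.10:1048 -> 198.51.100.7:1434")

def format_alert(line, sender="snort@localhost", rcpt="soc@localhost"):
    """Return an EmailMessage for one alert line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    a = m.groupdict()
    impact, advice = TRIAGE.get(int(a["prio"]), ("UNKNOWN", "Triage manually."))
    subject = f"[Snort {impact}] {a['msg']} ({a['src']} -> {a['dst']})"
    mail = EmailMessage()
    mail["From"], mail["To"] = sender, rcpt
    # Replace control characters so log content cannot inject header lines.
    mail["Subject"] = re.sub(r"[\x00-\x1f\x7f]", " ", subject)
    mail.set_content(
        f"Impact:   {impact} (priority {a['prio']})\nAdvice:   {advice}\n\n"
        f"Rule:     {a['gid']}:{a['sid']}:{a['rev']} {a['msg']}\n"
        f"Class:    {a['cls'] or 'unclassified'}\nTime:     {a['ts']}\n"
        f"Traffic:  {a['proto']} {a['src']} -> {a['dst']}\n")
    return mail

if __name__ == "__main__":
    mail = format_alert(sys.stdin.readline())
    if mail is None:
        sys.exit("unparsed alert line")
    with smtplib.SMTP("localhost") as smtp:  # assumes a local MTA on port 25
        smtp.send_message(mail)
```

Lines that do not match the fast-alert layout are rejected rather than mailed, so a swatch pattern that is too broad does not generate malformed messages.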


Written by leonward

May 24, 2008 at 6:02 pm

Posted in Security


2 Responses


  1. Where is the script then?


    June 10, 2013 at 10:00 am

    • Good question… I’ve no idea how the link got broken, or where the code is now.
      Sorry. My bad.


      August 15, 2014 at 9:07 am
