Peter Lange <peter.lange@antaris.de> wrote:
We use snort as intrusion detection. snort logs its alerts to syslog or another file. We would like to configure the system so that it sends in real time an e-mail and/or an SMS to the admin if an alert occurs. is
Hi,

from http://www.clark.net/~roesch/security.html#faq (snort-FAQ)

Q9. I'd like Snort to be able to automatically respond to events with automated firewall configuration/e-mail alerts/external program execution, when will it do that?

A9. Never. :) There are some pretty serious performance and security issues associated with performing the functions described above, and a better solution already exists. I recommend using swatch or logsurfer to handle performing functions like these. They are made specifically to monitor log files and perform actions based upon the data contained within those files. To have Snort spawn and execute external during alert situations would slow the performance of the system, as well as risk executing an external program from a process running with root privileges.

So, next time please read the FAQ first.

Martin
-- 
martin.peikert@innominate.de
system engineer
innominate AG
clustering & security
networking people
tel: +49.30.308806-0 fax: -77
http://innominate.de
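The separation the FAQ answer recommends, sketched as an added example that is not part of the original mail and is not swatch, logsurfer or Snort code: an unprivileged watcher reads the log Snort writes, throttles repeated alerts, and builds the notification mail. The syslog line layout, host name, SIDs, addresses, recipient and function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from email.message import EmailMessage

# Constructed sample lines in an assumed Snort syslog layout (documentation IP ranges).
SAMPLE_LOG = """\
Mar 14 10:00:01 ids1 snort[411]: [1:1000001:1] Constructed test alert A {TCP} 192.0.2.10:4431 -> 198.51.100.5:80
Mar 14 10:00:03 ids1 snort[411]: [1:1000001:1] Constructed test alert A {TCP} 192.0.2.10:4432 -> 198.51.100.5:80
Mar 14 10:00:09 ids1 sshd[902]: Accepted publickey for admin from 192.0.2.77
Mar 14 10:02:30 ids1 snort[411]: [1:1000002:1] Constructed test alert B {UDP} 192.0.2.44:53 -> 198.51.100.5:53
Mar 14 10:07:00 ids1 snort[411]: [1:1000001:1] Constructed test alert A {TCP} 192.0.2.10:4440 -> 198.51.100.5:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ snort(?:\[\d+\])?: "
    r"\[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.*?) \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

def select_notifications(lines, window=timedelta(minutes=5)):
    """Return one alert dict per (sid, source) per window; repeats are throttled."""
    last_sent, out = {}, []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # not a Snort alert line
        a = m.groupdict()
        # Syslog timestamps carry no year; a fixed one is enough to compute deltas.
        a["when"] = datetime.strptime("2000 " + a["ts"], "%Y %b %d %H:%M:%S")
        key = (a["sid"], a["src"])
        if key in last_sent and a["when"] - last_sent[key] < window:
            continue  # same signature from same source was mailed recently
        last_sent[key] = a["when"]
        out.append(a)
    return out

def build_mail(alert, rcpt="admin@example.org"):
    """Build (not send) the mail. Log text is attacker-influenced, so it is
    only placed in message fields and never handed to a shell."""
    msg = EmailMessage()
    msg["To"] = rcpt
    msg["Subject"] = "snort alert " + alert["sid"]
    msg.set_content(f'{alert["ts"]} {alert["msg"]} {alert["src"]} -> {alert["dst"]}')
    return msg

if __name__ == "__main__":
    for alert in select_notifications(SAMPLE_LOG.splitlines()):
        print(build_mail(alert)["Subject"], alert["src"])
```

Run under an account that can only read the log file; the throttle keeps a noisy signature from flooding the admin's mailbox or SMS gateway.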