Solved

How to set an email alert for FTP and SSH login in Snort

Posted on 2010-11-13
Last Modified: 2013-11-29
Dear Experts:

I have RHEL5, and Snort is installed, configured and working fine; similarly for the front end, base is installed and this is also fine. Now I am looking for an email alert configuration in Snort. The server is accessed by many users through FTP and by some through SSH. I am looking for an alert mail when somebody logs in through FTP or SSH. Please, please help me with how to configure this in Snort. Somewhere I read it can be done in the local.rules file, but I missed that doc. Please help with this, thank you.
Question by:D_wathi
6 Comments
 
LVL 11

Accepted Solution

by:
Giladn earned 500 total points
ID: 34126991
You are looking for something like this:

alert tcp any any -> any 21 (msg:"FTP root login"; content:"user root"; nocase; sid:1000001; rev:1;)

Now, you want an email alert, which is NOT what Snort can do; you need a program to monitor Snort and alert via email, like 'swatch' or 'logcheck'.

Try reading the following link to understand the process:


http://blackflag.wordpress.com/2006/01/24/how-to-email-alerting-for-the-snort-intrusion-detection-system/

 

Author Comment

by:D_wathi
ID: 34127640
Sir, thanks for the help; now I understood the alert is not dependent on Snort.

By adding the following line to the .bash_profile, if anybody logs in then I am getting mail.
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" user@example.com

Similarly, I am looking for an alert if users log in through FTP, I mean log in as ftp; if any user logs in using the FTP service then I should get an email alert. Please help.


 

Author Comment

by:D_wathi
ID: 34127704
Sir,

If we add the below line to the local.rules file, will I get an email alert?
 alert tcp any any -> any 21 (msg:"FTP root login"; content:"user root"; nocase; sid:1000001; rev:1;)

Please suggest.
 
LVL 11

Expert Comment

by:Giladn
ID: 34127713
In that way you will get an alert in the log, not via email; read within the link I've posted to make it email on alert.
 

Author Comment

by:D_wathi
ID: 34127877
Sir, thanks for the reply. While going through the link I got to know it requires SnortSlinger, hence as mentioned in the link I tried to access http://www.venom600.org/code/SnortSlinger but this link is not accessible. Please suggest from where I can download SnortSlinger.

Thanks in advance.
 

Author Comment

by:D_wathi
ID: 34155264
Sir, now Snort, barnyard and swatch got installed successfully. I am looking for the automatic email alert for FTP logins. With the help of Experts Exchange I got to know that with the below mentioned alert command an automatic email alert is possible, but I have no idea where to put these lines, I mean in which file I have to add this. Please help.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER login"; flow:to_server,established,no_stream; content:"USER"; nocase; pcre:"/^USER\s[^\n]{1,100}/smi"; classtype:log-login; sid:1000002; rev:1;)


Question has a verified solution.
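
The flow this thread arrives at (Snort writes the alert to its log, a separate watcher turns it into mail), sketched in Python 3 as an added example; it is not part of the original posts and is not swatch's or Snort's own code. It assumes Snort's default "fast" alert format without a year, a local sid of 1000002 for the "FTP USER login" rule, and constructed sample log lines and addresses.

```python
import re
from datetime import datetime
from email.message import EmailMessage

# Snort "fast" alert: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")
WATCH_SIDS = {1000002}    # assumption: local sid of the "FTP USER login" rule
THROTTLE_SECONDS = 300    # at most one mail per source address per 5 minutes

# Constructed sample lines (documentation addresses), not real captures.
SAMPLE_LOG = [
    "11/13-10:15:42.123456  [**] [1:1000002:1] FTP USER login [**] [Priority: 0] {TCP} 203.0.113.7:51234 -> 192.0.2.10:21",
    "11/13-10:15:50.000100  [**] [1:1000002:1] FTP USER login [**] [Priority: 0] {TCP} 203.0.113.7:51240 -> 192.0.2.10:21",
    "11/13-10:16:01.500000  [**] [1:469:3] ICMP PING NMAP [**] [Priority: 2] {ICMP} 198.51.100.4 -> 192.0.2.10",
    "11/13-10:22:10.000000  [**] [1:1000002:1] FTP USER login [**] [Priority: 0] {TCP} 203.0.113.7:51300 -> 192.0.2.10:21",
]

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast alert with ports."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def build_mails(lines, sender, recipient):
    """Build one EmailMessage per watched alert, throttled per source address."""
    last_sent, mails = {}, []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or int(alert["sid"]) not in WATCH_SIDS:
            continue
        # Fast alerts carry no year by default; a leap year keeps 02/29 parseable.
        when = datetime.strptime("2000/" + alert["ts"], "%Y/%m/%d-%H:%M:%S")
        prev = last_sent.get(alert["src"])
        if prev is not None and (when - prev).total_seconds() < THROTTLE_SECONDS:
            continue
        last_sent[alert["src"]] = when
        msg = EmailMessage()
        msg["From"], msg["To"] = sender, recipient
        msg["Subject"] = "Snort alert: %s from %s" % (alert["msg"], alert["src"])
        msg.set_content(line.strip() + "\n")
        mails.append(msg)
    return mails

if __name__ == "__main__":
    for mail in build_mails(SAMPLE_LOG, "snort@example.com", "user@example.com"):
        print(mail["Subject"])
```

Each returned message can be handed to a local mail server with smtplib's SMTP.send_message; the throttle keeps a burst of logins from one address from producing a mail per packet.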
