Security — Installing and monitoring snort logs.

2010-06-04 2 min read Fedora Linux

Snort is a very good security tool to install if you are concerned about the security of your system. I find it really useful, but the problem is that I keep forgetting to check the logs. So I installed snort and configured cron to mail me the alert log every day. Here is how.

On Fedora, snort itself is available in the repository but the rules are not. So to install snort, type the following in a terminal:

sudo yum install snort

Once this is done, we need to install the snort rules. Download the community rules from <a href="http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz" target="_blank">here</a>. Extract the rules into /etc/snort/rules and you are done. Check that the .rules files ended up in the directory that RULE_PATH in /etc/snort/snort.conf points to (the tarball unpacks into its own subdirectory, so you may need to move them up a level) and that the include lines in snort.conf reference the file you extracted. Verify the configuration before enabling the service with `snort -T -c /etc/snort/snort.conf`, which parses the config and rules and reports any errors without sniffing. Then configure snort to start automatically using system-config-services, `chkconfig snort on`, or any other way you prefer.

Now add a cron entry for the root user that mails the alert file to whichever user should read it, at whatever time suits you:

sudo crontab -e

add the following:

30 10 * * * cat /var/log/snort/alert |mail -s "Snort Logs `date`" && rm -f /var/log/snort/alert

Here I am using an alias to send the mail, but you can use <a href="http://blog.amit-agarwal.co.in/2008/09/16/sendemail-using-perl-script-in-windows-or-linux-using-any-smtp-account/" target="_blank">sendEmail</a> or <a href="http://blog.amit-agarwal.co.in/2008/09/13/configure-sendmail-for-smtp-relay-with-your-isp/" target="_blank">sendmail</a> to do the same. Note that cron runs the entry under /bin/sh and does not read your interactive shell's aliases, so if your setup relies on one, give mail an explicit recipient (for instance root) in the crontab line itself. Also note that I am deleting the file after sending the logs to make sure that the next day I get only the fresh logs. Another option would be to mv it somewhere else with a datestamp. One caveat with both: snort opens the alert file once at startup and keeps writing to that open descriptor, so after an rm or mv the new alerts go to the old inode (unlinked or renamed) and /var/log/snort/alert is not recreated until snort is restarted. Either restart snort after rotating, or copy the file somewhere and truncate it in place (what logrotate calls copytruncate) so the daemon keeps writing to the same file. But that is completely up to you 🙂
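The following script is an added example and is not code from the original post. It does the same job as the cron line above (summarise the day's alerts, mail them, start the next day with an empty file) but rotates by copy-then-truncate so snort's open descriptor keeps working, and it only rotates after the mailer has accepted the report. It assumes the full-format alert file, whose records begin with `[**] [gid:sid:rev] message [**]`; the paths, the archive directory, the script name `/usr/local/sbin/snort-report.sh` and the sample alert records in `demo_run` are all my own constructed choices, not real snort output.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes Snort writes
# full-format alerts to one file (the post's /var/log/snort/alert) and keeps
# that file open, so rotation is copy-then-truncate rather than rm or mv.
# All paths are parameters; the alert text in demo_run is constructed.

# Count alert records: each full-format record starts with "[**] [gid:sid:rev]".
count_alerts() {
    [ -r "$1" ] || return 1
    grep -c '^\[\*\*\] \[' "$1" || true   # grep -c exits 1 on zero matches
}

# Hits per signature, most frequent first, e.g. "  2 [1:1000001:1] LOCAL ...".
summarise_alerts() {
    grep '^\[\*\*\] \[' "$1" \
        | sed 's/^\[\*\*\] //; s/ \[\*\*\]$//' \
        | sort | uniq -c | sort -rn
}

# Rotate without unlinking: copy to a datestamped archive, then truncate in
# place. Snort's open descriptor keeps writing to the same (now empty) file;
# after "rm -f" or "mv" it would keep writing to the old inode and the path
# used by the cron job would stay empty or missing until a restart.
rotate_alert_file() {
    # $1 = alert file, $2 = archive directory, $3 = datestamp
    mkdir -p "$2" || return 1
    cp -p "$1" "$2/alert.$3" || return 1
    : > "$1"
}

# Feed the report to the mailer command given in $4..., then rotate.
# Rotation happens only if the mailer accepted the report, so a mail
# failure leaves the alerts in place for the next run.
send_report() {
    alert="$1"; archive="$2"; stamp="$3"; shift 3
    n=$(count_alerts "$alert") || return 1
    {
        echo "Snort alerts for $stamp: $n record(s)"
        echo
        echo "Hits per signature:"
        summarise_alerts "$alert"
        echo
        echo "Full alert text:"
        cat "$alert"
    } | "$@" || return 1
    rotate_alert_file "$alert" "$archive" "$stamp"
}

# Offline self-test on constructed alert records (not captured Snort output).
# "sh -c 'cat > sent.txt'" stands in for mail(1); prints the work directory.
demo_run() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/alert" <<'EOF'
[**] [1:1000001:1] LOCAL inbound SSH scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/04-10:21:03.123456 192.0.2.10:54321 -> 198.51.100.5:22
TCP TTL:52 TOS:0x0 ID:4321 IpLen:20 DgmLen:60 DF

[**] [1:1000001:1] LOCAL inbound SSH scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/04-10:21:04.654321 192.0.2.10:54322 -> 198.51.100.5:22
TCP TTL:52 TOS:0x0 ID:4322 IpLen:20 DgmLen:60 DF

[**] [1:1000002:1] LOCAL ICMP echo from outside [**]
[Classification: Misc activity] [Priority: 3]
06/04-10:25:17.000001 192.0.2.77 -> 198.51.100.5
ICMP TTL:48 TOS:0x0 ID:9 IpLen:20 DgmLen:84

EOF
    send_report "$tmp/alert" "$tmp/archive" 20100604 \
        sh -c "cat > '$tmp/sent.txt'" || return 1
    echo "$tmp"
}

# Real use from root's crontab (hypothetical script path), replacing the
# cat|mail line:   30 10 * * * /usr/local/sbin/snort-report.sh
# with the script ending in:
#   send_report /var/log/snort/alert /var/log/snort/archive "$(date +%F)" \
#       mail -s "Snort logs $(date +%F)" root
if [ "${1:-}" = "--demo" ]; then demo_run; fi
```

Run it with `--demo` to see the stand-in mail land in a temporary directory. The summary at the top of the mail is what makes the daily message worth opening: a quick count per signature tells you at a glance whether anything new showed up, before you scroll through the raw records. The archive directory will grow by one file a day, so prune it (or hand the whole rotation to logrotate with copytruncate) once the pattern is working.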
