June 13, 2003

Real-time alerting with Snort, part 2 of 3

- by Jack Koziol -
Last time we introduced some issues to consider when implementing real-time alerting with Snort. Once you've considered the issues, it's time to put your planning into practice. Today we'll talk about how to use swatch to handle alerts. Next time we'll cover setting up distributed three-tier alerting.

This article is excerpted from the new book Intrusion Detection with Snort by Jack Koziol.

Deploying real-time alerting with a hybrid server/sensor is relatively easy. You need to install a mailing application, such as sendmail, to use real-time alerting via email, or another application for a pager or SMS gateway. There are numerous resources online and in print for installing and configuring sendmail. The documentation included with the source distribution is fairly detailed and should get you up and running.

After you have deployed sendmail, you should take care to secure it. Sendmail has a relatively miserable history of security exposures and should be properly hardened. After sendmail is secure, you need to configure Snort to send alerts to syslog via the output plugin alert_syslog. Open up snort.conf or barnyard.conf and enable the alert_syslog output plugin by uncommenting the configuration line. If you have Barnyard installed, you should make the changes to Barnyard rather than Snort. Your configuration line should read as follows:

output alert_syslog: LOG_AUTH LOG_ALERT

Now you should generate some suspicious traffic either manually or with NMAP. Check to make sure Snort is logging to syslog by opening the file /var/log/snort/alert. You should see a list of alerts with a priority assigned to each one, similar to the following:

[**] [1:1704:1 ] WEB--CGI cal_make.pl directory traversal attempt [**]
[Classification: Web Application Attack ] [Priority:1 ]
09/16-10:04:15.816116 ->
TCP TTL:128 TOS:0x0 ID:12817 IpLen:20 DgmLen:131 DF
***AP***Seq:0xDEFC8E6D Ack:0x1A519F30 Win:0x4470 TcpLen:20
[Xref =>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0463 ]
[Xref =>http://www.securityfocus.com/bid/2663 ]

[**] [1:1122:2 ] WEB--MISC /etc/passwd [**]
[Classification: Attempted Information Leak ] [Priority:2 ]
09/16-10:04:15.826116 ->
TCP TTL:128 TOS:0x0 ID:12832 IpLen:20 DgmLen:149 DF
***AP***Seq:0xDEFF5454 Ack:0x1A51AF74 Win:0x4470 TcpLen:20

[**] [1:1730:1 ] WEB--CGI ustorekeeper.pl directory traversal [**]
[Classification: Web Application Attack ] [Priority:1 ]
09/16-10:04:15.836116 192.168 1.1:3144 ->
TCP TTL:128 TOS:0x0 ID:12837 IpLen:20 DgmLen:141 DF
***AP***Seq:0xDEFFEE00 Ack:0x1AB7B107 Win:0x4470 TcpLen:20

[**] [1:1721:1 ] WEB--CGI adcycle access [**]
[Classification:sid ] [Priority:2 ]
09/16-10:04:15.846116 ->192.168 1.2:80
TCP TTL:128 TOS:0x0 ID:12857 IpLen:20 DgmLen:76 DF
***AP***Seq:0xDF035110 Ack:0x1A9AEFA4 Win:0x4470 TcpLen:20

Installing swatch

Now that you are logging alerts, you need to install swatch to monitor syslog. Swatch requires four Perl modules in order to function. They are:


Most Linux distributions include these modules. In case your flavor does not, you can get these modules from http://search.cpan.org. To install them, run through the following list of commands to compile and install the modules:

perl Makefile.PL
make test
make install
make realclean

After you have the modules installed, you can download swatch and install it by using the same commands you used to install the Perl modules.

Configuring swatch

Swatch is controlled from command-line arguments and configuration files, much like Snort and Barnyard. The configuration file for swatch is named .swatchrc. In the .swatchrc file you specify a string for swatch to monitor the log for and the action to take.

Some of the commands you could use to build real-time alerting include the following:

watchfor This is the required command that tells swatch what string to monitor for in the log. You can specify any string. For our purposes we will search only for strings that match a certain priority number. The following example is a watchfor command to monitor for alerts with a priority of 1.

watchfor /Priority \:1/

You can find a tutorial on building regular expressions that are used in pattern matching at http://japhy.perlmonk.org/book/.

echo The echo command echoes the matched line. This can be used to append alerting information into the body of the email, or to a text field in a pager.

exec This command executes an external program. If you have a paging program or any other script you want to execute, use exec followed by the full path to the program. You can add a $N or $0 to the exec command, which appends N lines or the entire alert to the executed command.

mail The mail option sends an email either to the local system or to a specified email address. You can store a group of email addresses in the alias file located at /etc/aliases and use the alias to represent the group of email addresses.

throttle This command limits the number of alerts to be acted on. When the throttle is set, alerts that match the string are not acted on in the specified time. You can use this to avoid stressing your mail server and overloading your account.

You can use other commands for more advanced features of swatch, but the preceding are all you need to send alerts via email or pager. With these commands you can install real-time alerting in many different manners.

Open up the .swatchrc file for editing and add the following commands. (You must escape the at-symbol with a backslash.):

watchfor /Priority \:1/
mail=user \@domain.com, subject=Snort Security Alert!

This configuration watches for any alert with a priority of 1 and emails user@domain.com with the alert. If you wanted to call a paging program you could replace the mail command with an exec command. QuickPage is a paging gateway that can be integrated with sendmail. To send emails via QuickPage to a text pager, you could add these commands:

watchfor /Priority \:1/
exec /usr/local/bin/qpage -f snort@domain.com -p IDS_admin '$0 '
throttle 00:00:10

This command calls the QuickPage program and sends a page to IDS_admin, from the email address snort@domain.com. It makes use of the $0 to send the entire alert to the qpage command. With the throttle command, swatch ignores any alert of priority level 1 for 10 seconds after the page has been sent. You could also use swatch to ring the local PC bell with this command:

watchfor /Priority \:2/
bell 5

This command rings the PC bell five times for each alert with a priority of 2. (This is sure to ruin any rapport you have developed with your co-workers.)

You are not limited to one command set; you could implement all three if you wanted to. After you have the .swatchrc file configured to alert you in a manner you see fit, you can move on to running swatch. Swatch has a few especially useful command-line options.

-c This option specifies the location of the .swatchrc file.

---input-record-separator With this command-line option you can specify the delimiting boundary for each alert. By default it is the newline character, \n.

-p This option is used to read information outputted directly from a command. You can use it to monitor the output of a command for specific events.

-t This option specifies the file to be monitored for security events.

---daemon Append this switch to enable daemon mode.

A sample swatch startup command might look like:

./swatch -c /usr/local/.swatchrc /var/log/snort/alert -daemon

This command runs swatch in daemon mode using the configuration file located at /usr/local/.swatchrc. It will monitor the syslog file at /var/log/. If you run this command, you will notice that swatch sends only the first line of the alert, as follows:

[**] [1:1704:1 ] WEB--CGI cal_make.pl directory traversal attempt [**]

It does so because the default input record separator is used, \n. If you would like to see additional meta information, such as IP addresses, time, TCP flags, and so on, you need to append additional lines of the alert.

To send the entire alert, make use of the tail command and swatch's piping feature:

./swatch -c /usr/local/.swatchrc -input-record-separator="\n \n "
-p="tail -f /var/log/snort/alert " -daemon

The -p switch watches the alert file with the tail command for new data. It uses a double carriage return, \n \n, for record separation. You should now receive the entire alert:

[**] [1:1704:1 ] WEB--CGI cal_make.pl directory traversal attempt [**]
[Classification:Web Application Attack ] [Priority:1 ]
09/16-10:04:15.816116 ->
TCP TTL:128 TOS:0x0 ID:12817 IpLen:20 DgmLen:131 DF
***AP***Seq:0xDEFC8E6D Ack:0x1A519F30 Win:0x4470 TcpLen:20
[Xref =>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0463 ]
[Xref =>http://www.securityfocus.com/bid/2663 ]

This completes our look at swatch installation and real-time monitoring for hybrid server/sensors. Next time we'll finish this series by implementing a three-tiered Snort alerting setup.

Jack Koziol is manager of
information security at a national health benefits company
headquartered in the western suburbs of Chicago.
He has been working in network security since
1998. He has held senior management
positions in the ecommerce, healthcare, and financial
industries, where he has architected large scale
Snort-based intrusion detection systems for production
environments. He has contributed to Information Security
Magazine, teaches "Hack and Defend" and CISSP review
sessions courses, and speaks on various information
security topics.


  • Security
Click Here!