Intrusion Alerts

Intrusion Alerts

I’ve written about Snort in previous Penguin Shell issues. It gets my vote as the best, most easily configured intrusion detector and packet sniffer for Linux. It’s lightweight, eaily configurable and, most importantly, very accurate in its interpretations of network activity. I’d recommend it anyone interested in securing their network connection and understanding what’s happening with that connection.

Today’s Tweak assumes you’ve installed and configured snort for your machine. It’s another script that will keep you informed about the status of your network connection. As always, let’s start with the script itself:


DATE=`/bin/date +%Y%m%d`

# open the snort alert log and mail the results
cat /var/log/snort/log/alert | mail [email protected] -s “$DATE Snort Alerts”

# archive the old snort alert
mv /var/log/snort/log/alert /var/log/snort/archive/$DATE.alert

# hangup the current snort process
killall -HUP snort

# go away

The steps in this script are pretty self-explanatory via the comments. In short, we’re opening the /var/log/snort/log/alert file with cat and piping the results to mail, using the DATE variable in the subject line. This sends the current alert log to me each evening.

Then, we archive the current alert log using mv, placing it in /var/log/snort/archive with the DATE variable as the first element of the file name.

Next, we kill all running snort processes. To be more accurate, we killall -HUP (hang up on) the processes. The killall -HUP command restarts the denoted running process with the original parameters. Restarting snort in this manner also creates a new alert log in the default snort log directory.

So, to summarize – mail the current log, archive the current log and restart the snort process, allowing it to create a new alert log.

As usual, a reference to this script resides in my crontab file to be run nightly.

The data in the snort alert log can be pretty startling. If your machine is always connected to the Internet, you’re seldom completely alone at your machine. I’ve seen as many as hundreds of expoit attempts, portscans and other tinkering on my machine over a 24-hour period. It’s definitely an eye-opener.

Which is, in the end, another good reason to use snort. Using snort rules, you can stop these crackers in their tracks. We’ll talk about snort rules soon … promise.