Problem
You want to get real-time Snort alerts.
Solution
Use Pig Sentry to monitor Snort output and generate alerts:
[root@localhost root]# tail -f /var/log/snort/alert | perl pigsentry-1.2
[Sun Nov 7 14:40:38 2004] alert: New event: ICMP PING NMAP
Discussion
Pig Sentry is a lightweight Perl script that reads the Snort alert log. It was written to handle a large volume of alert data in real time. Pig Sentry maintains a state table of recent alerts so it can report new events and changes in the trends or patterns of events it has already seen.
Download the latest version of Pig Sentry from http://web.solv.com/tools/pigsentry/ or http://www.snort.org/dl/contrib/data_analysis/pigsentry/. The following example shows how to run Pig Sentry, assuming you're already running Snort in NIDS mode and logging alerts to /var/log/snort:
[root@localhost root]# tail -f /var/log/snort/alert | perl pigsentry-1.2
[Sun Nov 7 14:40:38 2004] alert: New event: ICMP PING NMAP
Performing an Nmap scan generated the alert shown in this example.
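To illustrate the state-table approach described above, here is an added Python example (not Pig Sentry's own code; the Snort alert lines it replays are constructed, and the window and burst thresholds are assumptions). It reads Snort's alert log from stdin, reports a signature the first time it appears, and reports a surge when one signature repeats within a time window, printing in the same timestamped style as Pig Sentry:

```python
import re
import sys
import time
from collections import deque

# Signature header Snort writes in both "full" and "fast" alert formats,
# e.g. "[**] [1:469:3] ICMP PING NMAP [**]"; other lines are continuation.
SIG_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")


class AlertState:
    """State table of recent alerts keyed by (generator id, signature id)."""

    def __init__(self, window=60, burst=10):
        self.window = window  # seconds of history kept per signature (assumed)
        self.burst = burst    # hits within the window that count as a surge
        self.seen = {}        # (gid, sid) -> deque of hit timestamps

    def feed(self, line, now):
        """Process one log line; return the alert strings it produces."""
        m = SIG_RE.search(line)
        if not m:
            return []  # classification, IP header or payload line: no new state
        key, msg, out = (m.group(1), m.group(2)), m.group(4), []
        hits = self.seen.get(key)
        if hits is None:
            hits = self.seen[key] = deque()
            out.append(f"New event: {msg}")
        hits.append(now)
        while hits and now - hits[0] > self.window:  # expire old hits
            hits.popleft()
        if len(hits) == self.burst:
            out.append(f"Surge: {len(hits)} x {msg} in {self.window}s")
        return out


# Constructed sample of Snort "full" alert output (sid 1000001 is a made-up local rule).
SAMPLE_LINES = [
    "[**] [1:469:3] ICMP PING NMAP [**]",
    "[Classification: Attempted Information Leak] [Priority: 2]",
    "11/07-14:40:38.123456 192.0.2.10 -> 192.0.2.1",
    "[**] [1:469:3] ICMP PING NMAP [**]",
    "[**] [1:1000001:1] LOCAL SSH brute force attempt [**]",
    "[**] [1:469:3] ICMP PING NMAP [**]",
]


def replay(lines, start=0.0, step=1.0, window=60, burst=3):
    """Feed lines through a fresh state table, one per `step` seconds; return all alerts."""
    state, alerts = AlertState(window, burst), []
    for i, line in enumerate(lines):
        alerts.extend(state.feed(line, start + i * step))
    return alerts


if __name__ == "__main__":  # usage: tail -f /var/log/snort/alert | python3 monitor.py
    state = AlertState()
    for line in sys.stdin:
        for a in state.feed(line, time.time()):
            print(time.strftime("[%a %b %d %H:%M:%S %Y]"), "alert:", a, flush=True)
```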
See Also
http://web.solv.com/tools/pigsentry/
Recipe 1.18