1

I would like to email snort alerts from my Debian Lenny fw. Syslog is sending log messages from the firewalls to a central rsyslog.

On my central rsyslog, I got something like :

$ModLoad ommail
$ActionMailSMTPServer server.company.local
$ActionMailFrom rsyslog@company.local
$ActionMailTo syslog@company.net
$ActionExecOnlyOnceEveryInterval 1

$template mailSubject,"[SNORT] Alert from %hostname%"
$template mailBody,"Snort message\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
if $msg regexp 'snort\[[0-9]*\]: \[[0-9]*:[0-9]*:[0-9]*].*' then ommail:;mailBody

But I don't get any mails. I can even trigger snort with something like ping -s 1400; it logs things like the following, but still no mail!

2010-01-08T09:25:58+00:00 Hostname snort[4429]: [1:499:4] ICMP Large ICMP Packet [Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} ip_dest -> ip_src
mgorven
  • 30,036
  • 7
  • 76
  • 121

4 Answers

1

You are missing a colon at the front of ommail.

if $msg regexp 'snort\[[0-9]*\]: \[[0-9]*:[0-9]*:[0-9]*].*' then :ommail:;mailBody

I cannot speak for the accuracy of your RegEx, but you can try 'contains' rather than 'regex' and try a simpler test to narrow the problem if it persists beyond the syntax mentioned above.

I would also recommend increasing $ActionExecOnlyOnceEveryInterval after sorting things out.

Aaron Copley
  • 12,345
  • 5
  • 46
  • 67
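
As an added example (not code from anyone in this thread), here is a small Python script for checking the filter offline before touching the rsyslog config: it splits the question's sample line into the properties rsyslog would expose (a simplified version of its parsing, as an assumption), runs the question's regexp and a `contains` test against them, extracts the snort fields a responder wants in the mail, and renders the question's mailBody template. One caveat it makes visible: rsyslog's `msg` property normally holds the text after the syslog tag, so a pattern that expects `snort[4429]:` inside `$msg` matches the raw line but not the `msg` property.

```python
import re

# Constructed sample line, shaped exactly like the snort output quoted in the question.
SAMPLE_LINE = (
    "2010-01-08T09:25:58+00:00 Hostname snort[4429]: [1:499:4] ICMP Large ICMP Packet "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} ip_dest -> ip_src"
)

# The regexp from the question's rsyslog filter. rsyslog's `regexp` is POSIX ERE; this
# particular pattern uses nothing that Python's re interprets differently.
QUESTION_REGEXP = r'snort\[[0-9]*\]: \[[0-9]*:[0-9]*:[0-9]*].*'

# Simplified syslog line layout (assumption: timestamp, hostname, "tag:" and the body;
# no PRI field, no structured data). rsyslog exposes these as %hostname%, %syslogtag%, %msg%.
SYSLOG_LINE = re.compile(r'^(?P<timestamp>\S+) (?P<hostname>\S+) (?P<syslogtag>[^ :]+:) ?(?P<msg>.*)$')

# Hypothetical field-extracting pattern for snort's syslog alert format (not from the thread).
SNORT_ALERT = re.compile(
    r'\[(?P<gid>[0-9]+):(?P<sid>[0-9]+):(?P<rev>[0-9]+)\] (?P<signature>.+?) '
    r'(?:\[Classification: (?P<classification>[^\]]+)\] )?'
    r'\[Priority: (?P<priority>[0-9]+)\]: '
    r'\{(?P<proto>[A-Z]+)\} (?P<src>\S+) -> (?P<dst>\S+)'
)


def split_syslog(line):
    """Approximate rsyslog's split of a received line into its message properties."""
    m = SYSLOG_LINE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    return m.groupdict()


def regexp_filter(pattern, text):
    """Equivalent of `if $prop regexp 'pattern'`: the pattern may match anywhere in text."""
    return re.search(pattern, text) is not None


def contains_filter(needle, text):
    """Equivalent of `if $prop contains 'needle'` or `:prop, contains, "needle"`."""
    return needle in text


def parse_snort_alert(msg):
    """Pull gid/sid/rev, signature, classification, priority and endpoints out of the body."""
    m = SNORT_ALERT.search(msg)
    if not m:
        return None
    fields = m.groupdict()
    fields['priority'] = int(fields['priority'])
    return fields


def render_mail_body(props):
    """Render the question's template: $template mailBody,"Snort message\r\nmsg='%msg%'"."""
    return "Snort message\r\nmsg='%s'" % props['msg']


if __name__ == '__main__':
    props = split_syslog(SAMPLE_LINE)
    print("raw line matches:", regexp_filter(QUESTION_REGEXP, SAMPLE_LINE))
    print("msg property matches:", regexp_filter(QUESTION_REGEXP, props['msg']))
    print("contains test on msg:", contains_filter('[Priority: 2]', props['msg']))
    print(parse_snort_alert(props['msg']))
    print(repr(render_mail_body(props)))
```

Running it on the sample line shows the regexp matching the raw line but not the `msg` property, which is the kind of mismatch that is hard to see once the rule is inside rsyslog and the only feedback is "no mail"; the `contains` form on a string that is certainly inside `msg` (for example `[Priority: 2]`) is the simpler test the answer above suggests.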
0

I've just tested rsyslog this week and encountered some bugs in it. I upgraded it to backports and everything works now. You may try it, as it's a major upgrade.

Deimosfr
  • 594
  • 2
  • 5
0

I wrestled with this myself and can confirm that the following combination of rsyslog and syntax DOES work (I have it in production right now). I have Ubuntu 10.4.1 which ships with rsyslog 4.2 for some odd reason (it's really old). So after removing it and installing 4.6.4.1, I'm up and running.

Get rsyslog 4.6.4.1 from the Debian Squeeze repo here. Version 4.6.4 (or one or two earlier releases; can't recall right now) fixes a bug in the ActionExecOnlyOnceEveryInterval being ignored.

I use the following syntax for Snort and can confirm it's indeed working:

$IncludeConfig /etc/rsyslog.d/mail-settings.conf
$template mailSubjectSnort,"Snort Alert"
$template mailBodySnort,"this is the body, here's the host: %hostname%, here's the time    it was reported: %timereported% and heres the message: %msg%"
$ActionMailSubject mailSubjectSnort
# make sure we receive an email only once per hour
$ActionExecOnlyOnceEveryInterval 3600
:msg, contains, "some_string" :ommail:;mailBodySnort

I split up my various logging devices into separate log files with a corresponding .conf file. I also set the mail server directives in a file called mail-settings.conf that I include into the top of each conf.

I also use a unique name for each template variable (mailBodySnort, mailBodySquid, etc.) in each conf as it seems to be like a constant in the fact that each subsequent include of another .conf file doesn't overwrite the value assigned in a prior .conf.

gravyface
  • 13,947
  • 16
  • 65
  • 100
0

Debunking an old one, but as the problem can still bite those running Debian Squeeze, even with rsyslog from backports (5.8.11-1~bpo60+2 at the moment), it may be worth sharing that, thanks to @abeverley here, I could solve this problem by resetting the value, "adding $ActionExecOnlyOnceEveryInterval 0 at the end of the email-notify rules".

For example, here is now my /etc/rsyslog.d/bonding.conf:

$template bondingMailSubject,"%hostname%: bonding Event"
$template bondingMailBody,"%msg%"
$ActionMailSubject bondingMailSubject
$ActionMailTo root
$ActionExecOnlyOnceEveryInterval 300
if $programname == 'bonding' and ($msg contains 'WARNING' or $msg contains 'CRITICAL') then :ommail:;bondingMailBody
$ActionExecOnlyOnceEveryInterval 0
Silopolis
  • 440
  • 2
  • 7
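
As an added example (not from any poster here), the following Python models the two behaviours this thread turns on: the rate gate that `$ActionExecOnlyOnceEveryInterval` puts in front of a mail action, and the way the directive stays in force for later actions until it is set again, which is what the reset to 0 above works around. Both are modelled on what the answers report, as an assumption rather than a reimplementation of rsyslog; the alert burst and the second conf file are constructed.

```python
class OnceEveryInterval:
    """Rate gate modelled on $ActionExecOnlyOnceEveryInterval for one action (assumption):
    the action runs when at least `interval` seconds have passed since it last ran; every
    message arriving before that is dropped for this action, not queued. 0 disables the gate."""

    def __init__(self, interval):
        self.interval = interval
        self.last_exec = None

    def allow(self, now):
        if self.interval <= 0 or self.last_exec is None or now - self.last_exec >= self.interval:
            self.last_exec = now
            return True
        return False


def simulate(events, interval):
    """events: (seconds since start, message). Returns the messages that would be mailed."""
    gate = OnceEveryInterval(interval)
    return [msg for t, msg in events if gate.allow(t)]


def action_intervals(config_lines):
    """Walk legacy rsyslog directives in order and record the interval in force for each
    ommail action line. Models the behaviour reported above (the directive keeps applying to
    later actions, including ones in subsequently included files); assumption, not a parser."""
    interval = 0
    result = []
    for line in config_lines:
        line = line.strip()
        if line.startswith('$ActionExecOnlyOnceEveryInterval'):
            interval = int(line.split()[1])
        elif ':ommail:' in line:
            result.append((line, interval))
    return result


# Constructed burst: the question's alert, four local-rule alerts (sids >= 1000000) soon
# after, and two more about two hours later.
BURST = [
    (0,    "[1:499:4] ICMP Large ICMP Packet"),
    (5,    "[1:1000001:1] constructed alert B"),
    (400,  "[1:1000002:1] constructed alert C"),
    (7200, "[1:1000003:1] constructed alert D"),
    (7210, "[1:1000004:1] constructed alert E"),
]

# The bonding.conf from the answer above, line by line.
BONDING_CONF = [
    '$template bondingMailSubject,"%hostname%: bonding Event"',
    '$template bondingMailBody,"%msg%"',
    '$ActionMailSubject bondingMailSubject',
    '$ActionMailTo root',
    '$ActionExecOnlyOnceEveryInterval 300',
    "if $programname == 'bonding' and ($msg contains 'WARNING' or $msg contains 'CRITICAL') then :ommail:;bondingMailBody",
    '$ActionExecOnlyOnceEveryInterval 0',
]

# Constructed second conf file that is included after bonding.conf and wants no rate limit.
NEXT_CONF = [
    '$template cronMailBody,"%msg%"',
    "if $programname == 'cron' then :ommail:;cronMailBody",
]


def intervals_without_reset():
    """Same two files, but with the trailing reset line removed from bonding.conf."""
    no_reset = [l for l in BONDING_CONF if l != '$ActionExecOnlyOnceEveryInterval 0']
    return action_intervals(no_reset + NEXT_CONF)


if __name__ == '__main__':
    for interval in (3600, 300, 0):
        print(interval, [m.split()[0] for m in simulate(BURST, interval)])
    print(action_intervals(BONDING_CONF + NEXT_CONF))
    print(intervals_without_reset())
```

The burst shows the trade-off behind the 3600-second value used above: one mail per hour keeps the mailbox usable, but alerts B and C, which are different signatures from A, never produce a mail at all, so the interval decides how much detail the on-call person loses during an incident, not only how often they are paged. The second part shows why the reset matters: without the trailing `$ActionExecOnlyOnceEveryInterval 0`, the cron action in the next file silently inherits the 300-second gate.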