How can I run a shell script on a snort alert?
I've pieced together enough documentation to get something working. The solution involves telling snort to log to syslog, and then setting up syslog-ng to trigger on the snort syslog traffic to run the given shellscript. Having snort spooling to disk, or running scripts, isn't ideal for high traffic loads so be advised. If you configure snort to only alert on certain traffic to keep the load down, you should be fine. Setting up and debugging syslog-ng can be a pita so I've included the neccesary bits to get that working. Just add them to the bottom of syslog-ng.conf. Hope it helps someone else. As a note, syslog is logging 3 copies of each message for some reason. No idea why.
I used some of the info here: http://www.mad-hacking.net/documentation/linux/reliability/logging/email-notification.xml
/etc/snort/snort.conf - configure snort to log to syslog
------------------------------------------------------------
# syslog
output alert_syslog: LOG_LOCAL6 LOG_ALERT
/etc/syslog/syslog-ng.conf - setup filters/destinations for alerts
------------------------------------------------------------
# snort filter - this only pays attention to syslog messages sent by the 'snort' program
filter f_snort
{
facility(local6) and match("snort" value ("PROGRAM"));
};
# optionally, this would send the snort message to a remote host running a syslog listener.
# I was running tcpdump to debug the whole setup so I use UDP protocol here so the
# message is just blasted out over the ether without needing to actually have a syslog
# listener setup anywhere
destination d_net
{
udp("10.10.10.1" port(514) log_fifo_size(1000) template(t_snort));
};
# this one sends the syslog message consisting of priority,time_in_seconds,host and syslog meesage.
#
destination d_prog
{
program("/root/bin/snort_script" template("<$PRI>$UNIXTIME $HOST $MSGONLY\n") );
};
# ..or use a pipe if you don't want syslog running scripts
destination d_prog_pipe
{
pipe("/root/bin/syslog-pipe" template("<$PRI>$DATE $HOST $MSGONLY\n") );
};
# finally, log the message out the snort parsing mechanism
log
{
source(s_src);
filter(f_snort);
destination(d_prog);
#destination(d_net);
};
/root/bin/snort_script
------------------------------------------------------------
#!/bin/bash
while read line; do
echo "$line" >> /tmp/snort.log
done