alert

NAME

alert − Send snort alerts via email to a list of recipients

SYNTAX

alert [−bDFhlpTv] [−c config] [−A time] [−d domain] [−f from] [−L level] [−m mode] [−M max] [−p port] [−P pidfile] [−r rcpt] [−s socket] [−S server] [−V area,level] [−w dir]

DESCRIPTION

This program receives snort alert messages, together with some details about each alert, from servsock(8), which forwards them based on the priority of the alert.

The primary idea is to have a separate mechanism to inform about critical alerts.

The alerts are received via a unix domain socket, collected by alert and sent via email to a list of recipients. Sending is triggered either when a configured maximum number of stored alerts is reached or on a periodic basis, in which case all collected alerts are mailed (if there are any!).

The priority is configured in servsock, so all alerts received via the unix socket are assumed to be valid; there is no additional filtering.

OPTIONS

−A time

The time in seconds between two checks for alerts. A value of 0 disables this feature (not recommended!). The default value is 5 minutes.

−b

Start the process in the background: daemon mode. This automatically activates option −l.

−c configfile

This defines the name of the configuration file to use with alert.

−d domain

The domain to use during connection to the mail server (HELO string).

−D

Dump configuration to stdout on startup.

−f from

Set the sender of the alert mails to from.

−F

Try to resolve the sensor name via DNS. Since the number of sensors is usually quite small, all resolved names are cached to avoid the overhead of repeated lookups (which are CPU intensive).

−h

Display short help information and exit.

−l

Use syslog instead of stdout. The facility is LOG_LOCAL0 and level LOG_INFO.

−M maxcount

Number of attempts to send mail. If maxcount consecutive attempts fail, the program exits.

−m mode

Sets the umask used in daemon mode to mode. This affects the permissions of the created unix socket and pid file. mode may be given as a plain decimal number, in octal (with leading 0) or in hex (with leading 0x).

−P PIDfile

Filename to store the PID. Note: This file must be writable by the user running alert!

−p port

Defines the port on which the mail server is reachable. This defaults to 25.

−r recipient

Defines the recipient of the mails. This has to be a valid email address. The option may be given several times to specify several recipients.

−s socketname

Defines the name of the unix socket opened for servsock. The default is /tmp/alert.

−S mailserver

The server for accepting (and relaying) mails. The default is to use localhost.

−v

Output version information and exit.

−V area,level

Activate debug output for area (see README.debug) for information up to level. A value of ALL activates all areas; level should be between 0 (disabled) and 9 (maximum output). This option can be used several times for different values.

−w dir

Sets the working directory in daemon mode to dir. The default is the current working directory. Choosing "/" is useful so that the daemon does not keep a mounted filesystem busy.

FILES

/tmp/alert (unix socket)
alert.conf
/tmp/alert.pid

EXAMPLES

To run this program the standard way type:

alert

To redirect all output to syslog:

alert −l

To run it in daemon mode (syslog is automatically enabled):

alert −b

AUTHORS

Dirk Geschke <Dirk@geschke-online.de>

NOTES

If the program fails to connect to the mail server in five consecutive tries, alert will exit. This value can be adjusted with the −M option. There should be another program informing about the exit and the associated problem.

If a pid file exists, the program checks for a running process with this id. If one is found, the program exits. There is no check for which program is running, only whether a process with that id exists!

This program is very similar to the drop(8) program.
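The following wrapper is an added example and is not part of the alert distribution. It ties the EXAMPLES and NOTES sections together: it starts the daemon with the relevant options spelled out (socket and pid file in a dedicated directory instead of /tmp, working directory /, a restrictive umask, explicit −A and −M values) and adds the health check that NOTES asks for, verifying that the pid in the pid file belongs to a live process whose command name is alert, which the daemon's own pid-file check does not do. The install path, the run directory, the mail server and all addresses are assumptions made for the example, and servsock is assumed to run as the same user as alert (otherwise the umask needs to leave the socket group-accessible).

```shell
#!/bin/sh
# Added example, not code from the alert distribution. Paths, user and
# addresses are assumptions; adjust them to the installation.

ALERT_BIN="${ALERT_BIN:-/usr/local/sbin/alert}"   # assumed install path
RUN_DIR="${RUN_DIR:-/var/run/alert}"              # assumed; not world-writable like /tmp
SOCKET="$RUN_DIR/alert.sock"
PIDFILE="$RUN_DIR/alert.pid"

# Return 0 only if the pid file names a live process whose command name is
# $2. The daemon itself (see NOTES) only checks that *some* process with the
# id exists, so a recycled pid would look like a running alert.
# Needs to run as the alert user or root, otherwise kill -0 fails with EPERM.
pidfile_owner_is() {
    pidfile=$1; expected=$2
    [ -r "$pidfile" ] || return 1
    pid=$(tr -cd '0-9' < "$pidfile")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null || return 1
    if [ -r "/proc/$pid/comm" ]; then
        comm=$(cat "/proc/$pid/comm")
    else
        # Fallback for systems without /proc; strip any leading path.
        comm=$(ps -o comm= -p "$pid" 2>/dev/null | sed 's#.*/##')
    fi
    [ "$comm" = "$expected" ]
}

# Launch the daemon with explicit options: $1 = mail server, $2 = sender,
# remaining arguments = recipients (one -r each). With DRY_RUN set, only
# the resulting command line is printed.
start_alert() {
    server=$1; from=$2; shift 2
    n=$#
    # Turn "a b c" into "-r a -r b -r c" using only positional parameters.
    while [ "$n" -gt 0 ]; do
        set -- "$@" -r "$1"
        shift
        n=$((n - 1))
    done
    set -- -b -w / -m 077 -s "$SOCKET" -P "$PIDFILE" -S "$server" -f "$from" -A 300 -M 5 "$@"
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$ALERT_BIN $*"
        return 0
    fi
    "$ALERT_BIN" "$@"
}

# No argument: only define the functions above.
case "${1:-}" in
    start)
        umask 077
        mkdir -p "$RUN_DIR" && chmod 0750 "$RUN_DIR"
        if pidfile_owner_is "$PIDFILE" alert; then
            echo "alert already running (pid $(cat "$PIDFILE"))" >&2
            exit 0
        fi
        # A stale pid file whose pid has been reused by an unrelated process
        # would make alert exit at startup (see NOTES); remove it first.
        rm -f "$PIDFILE"
        start_alert mail.example.com alert@example.com soc@example.com
        ;;
    check)
        # The "other program" NOTES asks for: report a dead daemon to syslog
        # (the daemon itself logs to LOG_LOCAL0, so the same facility is used).
        if pidfile_owner_is "$PIDFILE" alert; then
            echo "alert is running"
        else
            logger -t alert-watch -p local0.warning \
                "alert daemon is not running (possibly exited after -M failed mail attempts)"
            exit 1
        fi
        ;;
esac
```

Run it as "alert-wrapper.sh start" from the init system and "alert-wrapper.sh check" from cron; setting DRY_RUN=1 before a start prints the command line that would be executed without touching the daemon.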

SEE ALSO

alert.conf(5), servsock(8), drop(8)