alert − Send dropped snort alerts via email to a list of recipients


alert [−DFhlpTv] [−c config] [−A time] [−d domain] [−f from] [−L level] [−M max] [−p port] [−P pidfile] [−r rcpt] [−s socket] [−S server] [−V area,level]


This program receives snort alert messages and some details about the alert from servsock(8) based on the priority of the alert.

The alerts are received via a unix domain socket. These alerts are collected by drop and sent via email to a list of recipients. Sending is triggered either by reaching a given maximum number of storable alerts or on a periodic basis, at which point all collected alerts are mailed (if there are any!).

The low water and high water marks are configured with servsock, so all alerts received via the unix socket are assumed to be valid.


−A time

The time in seconds between two checks for alerts. A value of 0 disables this feature (not recommended!). The default value is 5 minutes.


Start the process in the background: daemon mode. This automatically activates option −l.

−c configfile

This defines the name of the configuration file to use with alert.

−d domain

The domain to use during connection to the mail server (HELO string).


Dump configuration to stdout on startup.

−f from

Set the sender of the alert mails to from.


Try to resolve the sensor name via DNS. Since the number of sensors is quite small, all resolved names are cached to avoid the overhead of repeated lookups (which are CPU intensive!).


Display short help information and exit.


Use syslog instead of stdout. The facility is LOG_LOCAL0 and level LOG_INFO.

−m mode

Sets the umask to mode in daemon mode. This affects the permissions of the created unix socket and pid file. The mode can be given either in ascii, in octal (with leading 0) or in hex (with leading 0x).

−M maxcount

Number of attempts to send mail; if no mail can be sent within maxcount attempts, the program exits.

−p port

Defines the port on which the mail server is reachable. This defaults to 25.

−P PIDfile

Filename to store the PID. Note: this file must be writable by the user running drop!

−r recipient

Defines the recipient of the mails. This has to be a valid email address. The −r option may be given several times to specify several recipients.

−s socketname

Defines the name of the unix socket opened for servsock. The default is /tmp/alert.

−S mailserver

The server for accepting (and relaying) mails. The default is to use localhost.


Output version information and exit.

−V area,level

Activate debug output for area (see README.debug) for information up to level. A value of ALL activates all areas; level should be between 0 (disabled) and 9 (maximum output). This option can be used several times with different values.

−w dir

Sets the working directory in daemon mode to dir. The default is to use the current working directory. It is useful to choose "/" to avoid keeping mounted filesystems busy.


/tmp/drop (unix socket)


To run this program the standard way type:


To redirect all output to syslog:

drop −l


Dirk Geschke <Dirk@geschke−online.de>


If the program fails to connect to the mail server in five consecutive tries, then drop will print all alerts to stdout or syslog. This limit can be adjusted with the −M option.

If a pid file exists, the program checks for a running process with this id. If one is found, the program exits. There is no check for which program is running, only whether one runs!
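The spooling rules described above (flush on a full store or on the −A interval, fall back to stdout/syslog once the mail server has failed −M times) modelled as an added Python illustration; this is not drop's own code, and the sender, fallback and clock are injected so the logic runs offline.

```python
# Added illustration of drop's batching rules, not the program's own source.
from typing import Callable, List, Optional


class AlertSpool:
    """Collects alerts and mails them when the store is full or the check interval elapsed."""

    def __init__(self, max_alerts: int, interval_s: int, max_tries: int,
                 send: Callable[[List[str]], bool],
                 fallback: Callable[[List[str]], None]) -> None:
        self.max_alerts = max_alerts   # flush as soon as this many alerts are stored
        self.interval_s = interval_s   # -A: seconds between periodic checks (0 disables)
        self.max_tries = max_tries     # -M: give up on the mail server after this many failures
        self.send = send               # returns True when the mail server accepted the batch
        self.fallback = fallback       # stand-in for printing to stdout/syslog
        self.pending: List[str] = []
        self.failures = 0
        self.last_check = 0.0

    def add(self, alert: str, now: float) -> Optional[str]:
        """Store one alert; returns the flush result if the store became full, else None."""
        self.pending.append(alert)
        if len(self.pending) >= self.max_alerts:
            return self.flush(now)
        return None

    def tick(self, now: float) -> Optional[str]:
        """Periodic check: flush only if the interval has passed and something is queued."""
        if self.interval_s == 0 or now - self.last_check < self.interval_s:
            return None
        self.last_check = now
        return self.flush(now) if self.pending else None

    def flush(self, now: float) -> str:
        """Try the mail server; keep the batch for a retry until max_tries is exhausted."""
        self.last_check = now
        if not self.pending:
            return "empty"
        if self.failures < self.max_tries and self.send(self.pending):
            self.failures = 0
            self.pending = []
            return "mailed"
        self.failures += 1
        if self.failures < self.max_tries:
            return "retry"               # batch stays queued for the next attempt
        self.fallback(self.pending)      # server unreachable max_tries times: print instead
        self.pending = []
        return "fallback"
```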


drop.conf(5), servsock(8), alert(8)