alert − Send dropped snort alerts via email to a list of recipients

alert [−DFhlpTv] [−c config] [−A time] [−d domain] [−f from] [−L level] [−M max] [−p port] [−P pidfile] [−r rcpt] [−s socket] [−S server] [−V area,level]

This program receives snort alert messages, together with some details about each alert, from servsock(8), which forwards them based on the priority of the alert. The alerts are received via a unix domain socket, collected by drop and sent via email to a list of recipients. Sending is initiated either when a given maximum number of storable alerts has been reached or periodically, when all collected alerts are mailed (if there are any!). The low water and high water marks are configured with servsock, so all alerts received via the unix socket are assumed to be valid.

−A time

The time in seconds between two checks for alerts. A value of 0 disables this feature (not recommended!). The default value is 5 minutes.

−b
Start the process in the background (daemon mode). This automatically activates option −l.

−c configfile

This defines the name of the configuration file to use with alert.

−d domain

The domain to use during the connection to the mail server (HELO string).

−D
Dump the configuration to stdout on startup.

−f from

Set the sender of the alert mails to from.

−F
Try to resolve the sensor name via DNS. Since the number of sensors is quite small, all resolved names are cached to avoid the overhead of repeated lookups (which are CPU intensive!).

−h
Display short help information and exit.

−l
Use syslog instead of stdout. The facility is LOG_LOCAL0 and the level LOG_INFO.

−m mode

Sets the umask to mode in daemon mode. This affects the permissions of the created unix socket and pid file. The mode can be given in plain decimal (ascii), octal (with leading 0) or hex (with leading 0x).

−M maxcount

Number of attempts to send mail. If no mail could be sent within maxcount attempts, the program exits.

−p port

Defines the port on which the mail server is reachable. The default is 25.

−P PIDfile

Filename in which to store the PID. Note: this file must be writable by the user running drop!

−r recipient

Defines the recipient of the mails. This has to be a valid email address. The −r option may be given several times to specify several recipients.

−s socketname

Defines the name of the unix socket opened for servsock. The default is /tmp/alert.

−S mailserver

The server accepting (and relaying) the mails. The default is localhost.

−v
Output version information and exit.

−V area,level

Activate debug output for area (see README.debug) with information up to level. A value of ALL activates all areas; level should be between 0 (disabled) and 9 (maximum output). This option can be used several times with different values.

−w dir
Sets the working directory in daemon mode to dir. The default is the current working directory. It is useful to choose "/" so that the daemon does not keep a mounted filesystem busy.
/tmp/drop (unix socket)

To run this program the standard way, type:

drop

To redirect all output to syslog:

drop −l

Dirk Geschke <Dirk@geschke−online.de>

If the program fails to connect to the mail server in five consecutive tries, drop will print all alerts to stdout or syslog. This limit can be adjusted with the −M option.

drop.conf(5), servsock(8), alert(8)