These two programs are very similar and are compiled from the same source code. They provide a unix domain socket to receive alerts and try to send them by email to a list of defined recipients.
The alerts are buffered in memory before they are sent by email. Sending can be triggered either periodically or when a given number of alerts has been reached. Both variants can be activated separately, but it is a good idea to use both. The time interval is useful to collect alerts instead of sending one separate mail for each alert, which could result in a denial of service. The maximum number of alerts has the advantage of keeping memory usage small and the emails at a readable size; otherwise too many alerts might have to be held in memory before an email can be sent. So both options are useful in combination.
In contrast to drop, this program works only together with servsock and receives, via the unix domain socket, the alerts with a priority equal to or higher than UnixPriority[1]. See also option -M of servsock.
The primary idea of this program is to have a separate mechanism to report critical alerts. Since the database is very likely filled with a lot of less important alerts, it is quite possible to overlook the important alerts or to find them too late.
If the program fails to send the emails, it tries again later. This
is done up to five times. This number can be adjusted via the command
line option -M or the
MaxCount keyword.
If it is not possible to send an email within these attempts, the program simply exits. Another process should inform an operator about this problem.
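The following is an added example, not code from FLoP itself: a small C model of the policy described above (priority filtering against UnixPriority, buffering with a count trigger and a time trigger, and retrying delivery up to MaxCount before giving up). The type and function names (alert_buffer, ab_add, ab_flush, priority_accepted, stub_send_*) and the sample alert lines are assumptions made for the example; the mail hook is a stub standing in for sendmail or SMTP.

```c
/* Added example (not FLoP's own code): a model of the alert buffering,
 * priority filtering and retry policy described above. Names such as
 * alert_buffer, ab_add, ab_flush and stub_send_* are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_BUFFERED 64   /* hard cap on alerts held in memory (assumed) */
#define ALERT_LEN    128  /* bytes per stored alert line (assumed) */

enum flush_result { FLUSH_IDLE, FLUSH_SENT, FLUSH_RETRY, FLUSH_GIVE_UP };

/* Caller-supplied delivery hook; a real program would hand the body to
 * sendmail or speak SMTP. Returns true when the mail was accepted. */
typedef bool (*send_fn)(const char *body);

struct alert_buffer {
    char   msgs[MAX_BUFFERED][ALERT_LEN];
    size_t count;
    time_t first_ts;        /* arrival time of the oldest buffered alert */
    size_t flush_count;     /* send once this many are buffered (0 = off) */
    time_t flush_interval;  /* send once the oldest is this old (0 = off) */
    int    max_attempts;    /* MaxCount: give up after this many failures */
    int    failed_attempts;
};

void ab_init(struct alert_buffer *b, size_t flush_count,
             time_t flush_interval, int max_attempts)
{
    memset(b, 0, sizeof *b);
    b->flush_count    = flush_count;
    b->flush_interval = flush_interval;
    b->max_attempts   = max_attempts;
}

/* UnixPriority check. Snort versions disagree on whether a small or a
 * large number is the most urgent priority, so the direction is a
 * setting rather than a hard-coded comparison. */
bool priority_accepted(int prio, int threshold, bool lower_is_more_urgent)
{
    return lower_is_more_urgent ? prio <= threshold : prio >= threshold;
}

/* Queue one alert. Fails (instead of growing without bound) when the
 * hard cap is hit; the caller should flush and retry. */
bool ab_add(struct alert_buffer *b, const char *msg, time_t now)
{
    if (b->count >= MAX_BUFFERED)
        return false;
    if (b->count == 0)
        b->first_ts = now;
    strncpy(b->msgs[b->count], msg, ALERT_LEN - 1);
    b->msgs[b->count][ALERT_LEN - 1] = '\0';
    b->count++;
    return true;
}

/* Either trigger is enough: count threshold reached, or the oldest
 * alert has waited at least the interval. */
bool ab_should_flush(const struct alert_buffer *b, time_t now)
{
    if (b->count == 0)
        return false;
    if (b->flush_count && b->count >= b->flush_count)
        return true;
    if (b->flush_interval && now - b->first_ts >= b->flush_interval)
        return true;
    return false;
}

/* Build one mail body from all buffered alerts and hand it to send().
 * On failure the alerts stay buffered for the next try; after
 * max_attempts consecutive failures the caller is told to give up
 * (the real program exits at that point). */
enum flush_result ab_flush(struct alert_buffer *b, time_t now, send_fn send)
{
    static char body[MAX_BUFFERED * ALERT_LEN + 1];
    if (!ab_should_flush(b, now))
        return FLUSH_IDLE;
    body[0] = '\0';
    for (size_t i = 0; i < b->count; i++) {
        strcat(body, b->msgs[i]);
        strcat(body, "\n");
    }
    if (send(body)) {
        b->count = 0;
        b->failed_attempts = 0;
        return FLUSH_SENT;
    }
    if (++b->failed_attempts >= b->max_attempts)
        return FLUSH_GIVE_UP;
    return FLUSH_RETRY;
}

/* Constructed stand-ins for the mail hook. */
bool stub_send_ok(const char *body)   { (void)body; return true; }
bool stub_send_fail(const char *body) { (void)body; return false; }

int main(void)
{
    struct alert_buffer b;
    ab_init(&b, 3, 60, 5);   /* flush at 3 alerts or after 60 s; MaxCount 5 */
    ab_add(&b, "[1:2000000] constructed alert A", 1000);
    ab_add(&b, "[1:2000001] constructed alert B", 1001);
    printf("flush at t=1010: %d (0 = idle)\n", (int)ab_flush(&b, 1010, stub_send_ok));
    printf("flush at t=1061: %d (1 = sent)\n", (int)ab_flush(&b, 1061, stub_send_ok));
    return 0;
}
```

The hard cap in ab_add is the point of the count trigger: with only the time trigger configured, a flood of alerts would otherwise have to be held until the interval expires. The give-up path returns a distinct result rather than exiting inside the library code, so the caller can log the reason before it terminates and leaves it to a separate process to raise the alarm.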
| [1] | Be careful how you define the order of priorities. This has changed across the various versions of snort: either 0 or 1 is the lowest or the highest priority. You have to choose between these two variants! |