April 4, 2010

Snort Active Alerting for Untangle 7.x

Snort Active Alerting sends an email to a pre-defined address each time Snort identifies and/or blocks an attack. This lets you see attacks as they occur instead of waiting for the daily report logs.

These instructions enable Snort Active Alerting on Untangle version 7.x and above:

1. Edit /etc/rsyslog.conf as follows. The directives use rsyslog's legacy "$" syntax and must be typed with straight ASCII quotes; curly quotes pasted from a web page stop rsyslog from parsing the templates and the filter line.

Under: #### MODULES ####

Add:

$ModLoad ommail

Under: # provides UDP syslog reception, uncomment the following two lines so they read:

$ModLoad imudp
$UDPServerRun 514

imudp listens on every interface by default. Untangle sends to localhost, so putting $UDPServerAddress 127.0.0.1 on the line above $UDPServerRun keeps UDP 514 off the network; otherwise any host that can reach the port can inject messages tagged Intrusion_Prevention and mail you bogus alerts.

Under: #### GLOBAL DIRECTIVES ####, add the following action, replacing the example.com addresses and the SMTP server with your own:

####ACTIONS####

##Note, SMTP server must be able to relay mail!##
$ActionMailSMTPServer localhost
$ActionMailSMTPPort 25
$ActionMailFrom untangle@example.com
$ActionMailTo admin@example.com
$template mailSubject,"Untangle Alert On Server"
$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
if $syslogtag contains 'Intrusion_Prevention' then :ommail:;mailBody

The $ActionMail* and $template lines must come before the "if" line, since rsyslog applies them to the next action it reads. Expect one email per matching event: a port scan or a noisy signature can produce hundreds of messages a minute, so if that is a concern place $ActionExecOnlyOnceEveryInterval <seconds> before the "if" line to limit the mail action to one run per interval.

2. Restart rsyslog

/etc/init.d/rsyslog restart

3. Finally, go to the administration section of Untangle and enable syslog monitoring. Enter localhost as the hostname and 514 as the port, leave the facility at 0 and set the threshold to notice. The threshold is the minimum severity Untangle forwards, so a stricter setting silently drops the Intrusion Prevention events this rule keys on.
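Before relying on this, prove the pipeline end to end rather than waiting for a real event. The script below is an added example and is not part of the original post or of Untangle: it checks an rsyslog.conf for the directives above and for pasted curly quotes, and sends a synthetic kern.notice message tagged Intrusion_Prevention to 127.0.0.1:514, which with the configuration above should produce exactly one test email. The config path argument, the loopback listener and the function names are my assumptions.

```bash
#!/bin/bash
# Added example, not part of the original post: verify the rsyslog side of
# the Snort Active Alerting setup and fire a synthetic Intrusion_Prevention
# event at the collector so the mail path can be tested before an attack.
# Assumptions (mine, not the page's): rsyslog listens on 127.0.0.1:514/udp
# as configured above, and the config path is passed as the first argument.

# RFC 3164 priority value: facility * 8 + severity. Untangle's "facility 0"
# is kern; "threshold notice" means severity 5 (notice) or more urgent.
syslog_pri() {
  echo $(( $1 * 8 + $2 ))
}

# Build a BSD-syslog line whose TAG is Intrusion_Prevention, the field the
# ommail filter ($syslogtag contains 'Intrusion_Prevention') tests.
# Usage: build_alert FACILITY SEVERITY TEXT [TIMESTAMP]
build_alert() {
  local ts=${4:-$(date '+%b %e %H:%M:%S')}
  printf '<%d>%s Intrusion_Prevention: %s' \
    "$(syslog_pri "$1" "$2")" "$ts" "$3"
}

# Count the directives from the post that are absent or commented out in an
# rsyslog.conf. Prints the number missing (0 means the set is complete) and
# names each missing one on stderr.
check_conf() {
  local conf=$1 missing=0 d
  for d in '$ModLoad ommail' '$ModLoad imudp' '$UDPServerRun 514' \
           '$ActionMailSMTPServer' '$ActionMailFrom' '$ActionMailTo' \
           '$ActionMailSubject' ':ommail:'; do
    if ! grep -v '^[[:space:]]*#' "$conf" | grep -qF -e "$d"; then
      echo "missing or commented out: $d" >&2
      missing=$((missing + 1))
    fi
  done
  echo "$missing"
}

# Typographic quotes pasted from a web page are the classic way this setup
# breaks, because rsyslog only understands straight quotes. Prints the
# offending lines; exit status 0 means at least one was found.
find_smart_quotes() {
  grep -n -a -F -e '“' -e '”' -e '‘' -e '’' "$1"
}

# Send one kern.notice test event to the local collector. Uses bash's
# /dev/udp pseudo-device and falls back to nc(1) under other shells.
send_test_alert() {
  local msg
  msg=$(build_alert 0 5 "${1:-synthetic test event from send_test_alert}")
  printf '%s' "$msg" > /dev/udp/127.0.0.1/514 2>/dev/null ||
    printf '%s' "$msg" | nc -u -w1 127.0.0.1 514
}

# Run as: ./check_alerting.sh /etc/rsyslog.conf [send]
if [ "$#" -gt 0 ]; then
  conf=$1
  if find_smart_quotes "$conf"; then
    echo "fix the curly quotes above before restarting rsyslog" >&2
    exit 1
  fi
  if [ "$(check_conf "$conf")" -ne 0 ]; then
    echo "rsyslog.conf is incomplete" >&2
    exit 1
  fi
  if [ "${2:-}" = send ]; then
    send_test_alert
  fi
fi
```

Run it once without "send" after editing the file and once with "send" after restarting rsyslog and completing the Untangle step; if no mail arrives for the synthetic event, look at the SMTP relay and the Untangle threshold before suspecting Snort.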