#!/usr/bin/perl -w
#Add the line below (without its leading "#") to /etc/rsyslog.conf,
#then restart the rsyslog service.
#*.* @127.0.0.1:88
use Net::Syslogd;
use IO::Socket;
# Unbuffered STDOUT so each alert line is written as soon as it is printed.
$| = 1;

# Site settings for mail delivery.  sendmail() connects to $email_server on
# TCP port 25 and announces itself as $email_domain in the HELO command.
our $email_server   = '192.168.0.100';
our $email_domain   = 'local.mail.com';
our $email_sender   = 'sender@mail.com';
our $email_receiver = 'receiver@mail.com';

# Port the syslog listener binds; it has to agree with the rsyslog forwarding
# rule quoted in the header comment (@127.0.0.1:88).
our $syslogd_port = 88;
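sub sendmail {
    # Deliver one alert to $email_receiver by speaking SMTP directly to
    # $email_server on port 25.
    #
    # Arguments:
    #   $content - mail body (the tab-separated syslog line; treated as untrusted)
    #   $subject - Subject header text (the Snort alert text; also untrusted)
    # Returns true when every server reply carried a 2xx/3xx status code;
    # otherwise warns, closes the connection and returns nothing.  Dies, as the
    # original did, only when the TCP connection cannot be opened.
    #
    # The former ($$) prototype is dropped: prototypes alter parsing rather than
    # validate arguments, and the existing &sendmail(...) call bypassed it anyway.
    my ($content, $subject) = @_;
    $content = '' unless defined $content;
    $subject = '' unless defined $subject;

    # A CR/LF inside the subject would end the Subject header early and let a
    # crafted syslog line add mail headers of its own; fold line breaks to spaces.
    $subject =~ s/[\r\n]+/ /g;

    # Normalise body line endings to CRLF and dot-stuff (RFC 5321 section 4.5.2):
    # a body line consisting of a single "." would otherwise terminate DATA and
    # let the rest of the alert text be read by the server as SMTP commands.
    $content =~ s/\r?\n/\r\n/g;
    $content =~ s/^\./../mg;
    $content =~ s/(?:\r\n)+\z//;          # exactly one CRLF is added back below

    my $sock = IO::Socket::INET->new(
        PeerAddr => $email_server,
        PeerPort => 25,
        Proto    => 'tcp',
    ) or die "Cannot create Socket!\n";

    # Commands in protocol order.  The reply to each is checked before the next
    # is sent, so the DATA payload goes out only after the server answers 354.
    # (The original never read the 220 banner, so each reply it collected
    # belonged to the previous command, and it sent "HELO" with no space before
    # the domain.)
    my @commands = (
        "HELO $email_domain\r\n",
        "MAIL FROM: $email_sender\r\n",
        "RCPT TO: $email_receiver\r\n",
        "DATA\r\n",
        "From: $email_sender\r\n"
            . "To: $email_receiver\r\n"
            . "Subject: $subject\r\n"
            . "\r\n"
            . $content . "\r\n"
            . ".\r\n",
        "QUIT\r\n",
    );

    my $reply = _smtp_reply($sock);       # greeting banner
    for my $cmd (@commands) {
        if (!_smtp_accepted($reply)) {
            warn "sendmail: SMTP server replied: $reply";
            $sock->close();
            return;
        }
        if (!defined $sock->send($cmd)) {
            warn "sendmail: send failed: $!";
            $sock->close();
            return;
        }
        $reply = _smtp_reply($sock);
    }
    $sock->close();

    if (!_smtp_accepted($reply)) {        # reply to QUIT
        warn "sendmail: SMTP server replied: $reply";
        return;
    }
    return 1;
}

# Read one server reply.  Keeps the original's single 100-byte recv: a long
# multi-line reply may be cut short, but only its leading status code is
# inspected.  Returns '' when recv reports an error.
sub _smtp_reply {
    my ($sock) = @_;
    my $buf = '';
    return '' unless defined $sock->recv($buf, 100, 0);
    return $buf;
}

# True when a reply begins with a 2xx or 3xx status code.
sub _smtp_accepted {
    my ($reply) = @_;
    return defined $reply && $reply =~ /\A[23]\d\d/;
}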
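# NOTE(review): the header says rsyslog forwards to 127.0.0.1, yet the listener
# is given only a port, so it presumably accepts datagrams from any interface;
# a forged "snort" line from another host would then trigger an e-mail.
# Confirm whether Net::Syslogd->new accepts a local-address option before
# restricting it to the loopback interface.
$syslogd = Net::Syslogd->new(LocalPort => $syslogd_port)
    or die "Error creating Syslogd listener: ", Net::Syslogd->error;

# Receive loop: one syslog message per iteration.  Only lines matching the
# Snort alert pattern are printed and mailed.
while (1) {
    my $message = $syslogd->get_message();

    # undef means a receive error (fatal); 0 means nothing to process this round.
    if (!defined $message) {
        # $0 is passed as an argument rather than interpolated into the format,
        # so a "%" in the program path can no longer corrupt the output.
        printf "%s: %s\n", $0, Net::Syslogd->error;
        exit 1;
    }
    next if $message == 0;

    if (!defined $message->process_message()) {
        printf "%s: %s\n", $0, Net::Syslogd->error;
        next;
    }

    my $syslog_content = sprintf "%s\t%i\t%s\t%s\t%s\t%s\t%s\n",
        $message->remoteaddr,
        $message->remoteport,
        $message->facility,
        $message->severity,
        $message->time,
        $message->hostname,
        $message->message;

    # Greedy .* groups are kept from the original; the third capture is the
    # alert text between the bracketed id and "[Classification:", and it is
    # read into a named variable right away so no later regex can clobber $3.
    if ($message->message =~ /snort(.*): \[(.*)\] (.*) \[Classification:/) {
        my $alert = $3;
        print $syslog_content;
        sendmail($syslog_content, $alert);   # plain call; &sendmail bypassed the prototype
    }
}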