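#!/bin/bash
#
# /usr/local/sbin/hogtail
#
# Mail the *last* complete snort alert block from the alert log, rather than
# the single line swatch matched on.  This answers a question posed to the
# honeypot list about mailing entire snort alerts when using swatch.  The
# -s (syslog) switch is most elegant, but Marty's native output format is
# kinda pretty too.
#
# An "alert block" is a run of non-blank lines bounded by blank lines, which
# is how snort's full alert mode writes /var/log/snort/alert.  awk's
# paragraph mode (RS="") splits the file on exactly that boundary; the last
# record is what gets mailed to some poor schlep who gets to read them all.
#
# The original sed one-liner (H;d on every non-blank line, $G only on a
# blank line) printed the block only when the file *ended* with a blank
# line; a log whose final line is still an alert line -- e.g. swatch firing
# while snort is mid-write -- produced an empty message.  The awk form
# handles no trailing blank line, one, or several.
#
# Caveats a practitioner should know:
#   * The alert log is attacker-influenced (packet payload ends up in it).
#     It is only ever handed to the mailer on stdin, never on the command
#     line -- keep the recipient and subject fixed configuration and never
#     derive them from log content.
#   * NOTE(review): confirm the installed mail(1) does not honour tilde
#     escape sequences or address-syntax shell tricks when reading a
#     non-interactive body; some implementations historically did.
#   * swatch runs this after it sees a matching line, so if another alert
#     lands before the file is read, the "last" block may not be the one
#     that triggered swatch.
#   * The whole alert log is scanned on every run (as in the original);
#     rotate the log if that becomes slow.
#
# You'll need awk & mail for this to work.
# Feb 2002 - George Bakos alpinista@bigfoot.com

set -eu
set -o pipefail

# test for the existential awk & mail.  command -v is POSIX; `which` is not,
# and on some systems exits 0 with empty output when nothing is found.
awkbin=$(command -v awk) || exit 1
mailer=$(command -v mail) || exit 1

# replace this with your own schlep's email address
# schlep=alpinista@bigfoot.com
schlep=root@localhost

# subject line of the email message
sub=OMG_swatchalert

logfil=/var/log/snort/alert

# fail loudly rather than mailing an empty message if the log is missing
[ -r "$logfil" ] || { printf 'hogtail: cannot read %s\n' "$logfil" >&2; exit 1; }

# RS="" puts awk in paragraph mode: records are separated by one or more
# blank lines, leading blank lines are skipped, and a record carries no
# trailing newline -- so the last record is the final alert block with no
# surrounding blank lines.
block=$("$awkbin" -v RS= '{ last = $0 } END { if (last != "") print last }' < "$logfil")

# nothing to report (empty or all-blank log) -- don't send an empty message
[ -n "$block" ] || exit 0

# body goes in on stdin; subject and recipient are quoted, fixed config
printf '%s\n' "$block" | "$mailer" -s "$sub" "$schlep"
exit 0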