Greetings Facundo,
The email alerts are quite inadequate in my opinion as well. I have modified the emailalert.pl script to my liking to include source and destination ports, etc.
I would suggest doing the following in emailalert.pl:
Under the main loop (search for text: #Loop until there's no more alerts), add an if statement right below the $attackerstring if statement that reads as:
if (m/<port>(.*?)<\/port><\/attacker>/) {   # capture the port inside the <attacker> element
    $srcport = $1;
}
Add another under the $victimstring if statement that reads:
if (m/<port>(.*?)<\/port><\/victim><\/attack>/) {   # capture the port inside the <victim> element
    $dstport = $1;
}
Now you have two new vars $srcport and $dstport.
Insert these into the "print(OUT" that is right before the blat execution. Mine reads:
print(OUT "\n$hostid $SigName $attackerstring SP $srcport $victimstring DP $dstport\n");
The Time variables are available as $hour $min and $sec. You can change that print statement to whatever text combination you would like.
Hope this helps.
-wP!
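The port extraction described in the message above, as an added stand-alone example (not code from emailalert.pl or from the poster). It assumes each alert has been collapsed to one string in the <attack><attacker><port>...</port></attacker><victim><port>...</port></victim></attack> layout the regexes target; the sample alerts are constructed. It also covers the case a practitioner will hit in real alert feeds: an alert with no <port> elements (ICMP, for instance). If $srcport and $dstport are not reset for every alert, such an alert silently reports the previous alert's ports in the email, so the example resets them per alert and restricts the capture to digits.

```perl
#!/usr/bin/perl
# Added example, not part of emailalert.pl: extract source and destination
# ports from alert XML and build the report line, resetting the ports for
# every alert so a port-less alert cannot inherit stale values.
use strict;
use warnings;

# Constructed sample alerts in the layout the regexes assume (one string each).
my @alerts = (
    '<attack><signature>WEB-MISC /etc/passwd</signature>'
      . '<attacker><ip>10.0.0.5</ip><port>51234</port></attacker>'
      . '<victim><ip>192.168.1.10</ip><port>80</port></victim></attack>',
    '<attack><signature>ICMP PING</signature>'
      . '<attacker><ip>10.0.0.7</ip></attacker>'
      . '<victim><ip>192.168.1.10</ip></victim></attack>',
);

# Returns the formatted report line for a single alert string.
sub format_alert {
    my ($line) = @_;

    # Reset per alert; without this an ICMP alert would carry the ports of
    # whichever TCP/UDP alert was processed before it.
    my ($srcport, $dstport) = ('-', '-');
    my ($signame, $attacker, $victim) = ('', '', '');

    if ($line =~ m/<signature>(.*?)<\/signature>/) { $signame  = $1; }
    if ($line =~ m/<attacker><ip>(.*?)<\/ip>/)     { $attacker = $1; }
    if ($line =~ m/<victim><ip>(.*?)<\/ip>/)       { $victim   = $1; }

    # \d+ rather than .* : a port is numeric, and nothing but digits from the
    # alert should end up in the outgoing email body.
    if ($line =~ m/<port>(\d+)<\/port><\/attacker>/)          { $srcport = $1; }
    if ($line =~ m/<port>(\d+)<\/port><\/victim><\/attack>/)  { $dstport = $1; }

    return "$signame $attacker SP $srcport $victim DP $dstport";
}

for my $alert (@alerts) {
    print format_alert($alert), "\n";
}
```

Run as-is, the first alert yields "WEB-MISC /etc/passwd 10.0.0.5 SP 51234 192.168.1.10 DP 80" and the ICMP alert yields "ICMP PING 10.0.0.7 SP - 192.168.1.10 DP -" rather than repeating 51234 and 80. When wiring this into the script's own per-line loop, the same rule applies: reset the two port variables whenever a new <attack> element starts, not just when a match succeeds.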