Snort mailing list archives
snort-shadow - two great tastes that go together
From: Michael Aylor <maylor () swbanktx com>
Date: Wed, 9 May 2001 16:23:06 -0500
Dear Snort Community,

Well, I'm posting this code in the hopes it does someone somewhere some good. Most of you real programmers will probably scoff at it, but it has worked well for me. The point of this code is to cause snort to look at Shadow Sensor tcpdump files that the sensor_driver.pl creates. It's supposed to be run as a cronjob after the sensor does its one hour tcpdump change out. I've configured my snort to write to a remote mysql database where I run ACID (which is just about the neatest thing since sliced bread). Have a look. Let me know if you have questions/problems/comments. My small contribution to the open-source community....

Mike Aylor
maylor () swbanktx com

----BEGIN CODE----
#!/usr/bin/perl
# File=snortshadow.pl
# Snort File Grabber Script
# Fairly unsophisticated (my first perl script ever!) little program that
# is designed to run on a Shadow Sensor as a cronjob. It will check the
# current date and time, then subtract one hour from that, and try to find the
# Shadow tcp.YYYYMMDDHH.gz file correlating to that time. It takes the file,
# decompresses it to another folder, runs snort against the tcpdump file, then
# removes the decompressed file. I wrote this as a means to automate having
# snort send alert messages to a mysql database off of shadow tcpdump files.
#
# To me, it just didn't make sense to have snort run as a separate process when
# I already had a perfectly good Shadow tcpdump file right there.
#
# I'm well aware this script looks ugly, but it's functional for the most part.
# It's my hope that a real programmer will take this and write it better (add
# more variables, some error checking, a debug log file, ya know, the good stuff).
#
# I did put in some checking in case it tries to pull a file at midnight on any
# given day or month. I didn't bother putting in year checking, which means that
# on January, 1 12:00am on the year 10000 AD, this script will fail (depending on
# what state Linux kernels are in eight thousand years from now). I've only tested
# it on RedHat 7.1.
#
# You are all welcome to adjust the script as you like and take credit for the pieces
# you add, so long as you acknowledge me somewhere. Otherwise, consider this public
# domain.
#
# Mike Aylor
# maylor () swbanktx com

use strict;
use warnings;

# Environment stuff. Adjust the following 5 variables as you need. It's defaulted to
# what a standard shadow sensor load out would be. The Shadow Sensor must already have
# snort and gunzip on it. Also be sure to have already mkdir'd the Snortlogpath folder.

# Path to Shadow Log Directory
my $Shadowlogpath = "/LOG/std";
# Path to Snort Log Directory (repository for soon to be created tcp.* and gunzip'd files)
my $Snortlogpath = "/LOG/snort";
# Path to Snort binary
my $Snortbinpath = "/usr/local/bin";
# Name of .conf file for snort (Usually snort.conf)
my $Snortconf = "snort.conf";
# Path to Snort .conf file selected above
my $Snortconfpath = "/etc/snort";

# This worked for me. Hopefully it does for you.
my $dateyear  = `date +%Y`;
my $datemonth = `date +%m`;
my $dateday   = `date +%d`;
my $datehour  = `date +%H`;

# Variables I tacked on when trying to get the date stuff sorted out. You shouldn't ever
# have to reference these.
# $dateyear  = "2001\n";
# $datemonth = "05\n";
# $dateday   = "07\n";
# $datehour  = "00\n";

# This strips the trailing newline that `date` leaves on each value.
chomp($dateyear, $datemonth, $dateday, $datehour);

# The "real" values are the year/month/day/hour of the previous hour, i.e. the
# timestamp that appears in the name of the Shadow file we want.
my ($dateyearreal, $datemonthreal, $datedayreal, $datehourreal);

if ($datehour eq "00") {
    # Midnight: the previous hour is 23:00 of the previous day.
    $datehourreal = "23";
    if ($dateday eq "01") {
        # First of the month: roll back to the last day of the previous month.
        if ($datemonth eq "01") {
            $dateyearreal  = $dateyear - 1;
            $datemonthreal = "12";
            $datedayreal   = "31";
        } else {
            $dateyearreal  = $dateyear;
            $datemonthreal = $datemonth - 1;
            if ($datemonthreal == 2) {
                $datedayreal = "28";    # no leap-year checking (see above)
            } elsif ($datemonthreal == 4 || $datemonthreal == 6
                  || $datemonthreal == 9 || $datemonthreal == 11) {
                $datedayreal = "30";
            } else {
                $datedayreal = "31";
            }
        }
    } else {
        $dateyearreal  = $dateyear;
        $datemonthreal = $datemonth;
        $datedayreal   = $dateday - 1;
    }
} else {
    $dateyearreal  = $dateyear;
    $datemonthreal = $datemonth;
    $datedayreal   = $dateday;
    $datehourreal  = $datehour - 1;
}

# Zero-pad month, day and hour back to two digits so the file name matches
# the tcp.YYYYMMDDHH.gz naming the sensor uses.
$datemonthreal = sprintf("%02d", $datemonthreal);
$datedayreal   = sprintf("%02d", $datedayreal);
$datehourreal  = sprintf("%02d", $datehourreal);

my $datefile    = "$dateyearreal$datemonthreal$datedayreal$datehourreal";
my $snortfile   = "snort.$datefile.gz";
my $snortgunzip = "snort.$datefile";

system("cp -u $Shadowlogpath/tcp.$datefile.gz $Snortlogpath/$snortfile") == 0
    or die "cannot copy $Shadowlogpath/tcp.$datefile.gz: $?\n";
system("gunzip --force $Snortlogpath/$snortfile") == 0
    or die "gunzip failed on $Snortlogpath/$snortfile: $?\n";

# I put the sleep in because I had trouble running snort against large files.
# This sleep may or may not really be needed.
sleep 3;
system("$Snortbinpath/snort -c $Snortconfpath/$Snortconf -r $Snortlogpath/$snortgunzip");
unlink "$Snortlogpath/$snortgunzip";
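The same hour-shift-and-replay step reimplemented in Python, added here as an example and not part of Mike's script: timedelta rolls the midnight, month, year and leap-day boundaries that the Perl handles by hand, the capture is decompressed into the snort log directory, replayed with snort -r, and the copy removed whether or not snort succeeds. Paths default to the script's own /LOG/std, /LOG/snort, /usr/local/bin and /etc/snort; the run parameter is a hypothetical hook added so the step can be exercised without snort installed.

```python
"""Previous-hour Shadow capture replay, reimplemented in Python (added example)."""
from datetime import datetime, timedelta
from pathlib import Path
import gzip
import shutil
import subprocess

# Same defaults as the Perl script's five environment variables.
SHADOW_LOG = Path("/LOG/std")
SNORT_LOG = Path("/LOG/snort")
SNORT_BIN = Path("/usr/local/bin/snort")
SNORT_CONF = Path("/etc/snort/snort.conf")


def previous_hour_stamp(now):
    """YYYYMMDDHH of the hour before `now`. timedelta handles midnight, month,
    year and leap-day rollover, so no hand-written table of month lengths
    is needed."""
    return (now - timedelta(hours=1)).strftime("%Y%m%d%H")


def shadow_file(now, shadow_log=SHADOW_LOG):
    """Path of the Shadow capture the sensor wrote for the previous hour."""
    return shadow_log / f"tcp.{previous_hour_stamp(now)}.gz"


def replay_previous_hour(now, shadow_log=SHADOW_LOG, snort_log=SNORT_LOG,
                         run=subprocess.run):
    """Decompress the previous hour's capture into snort_log, replay it with
    `snort -r`, and delete the decompressed copy even if snort fails.
    Returns the snort command line, or None if the capture is not there yet.
    `run` is a hypothetical hook (defaults to subprocess.run) so the step can
    be exercised without snort installed."""
    src = shadow_file(now, shadow_log)
    if not src.is_file():
        return None
    snort_log.mkdir(parents=True, exist_ok=True)
    pcap = snort_log / f"snort.{previous_hour_stamp(now)}"
    with gzip.open(src, "rb") as fin, open(pcap, "wb") as fout:
        shutil.copyfileobj(fin, fout)
    cmd = [str(SNORT_BIN), "-c", str(SNORT_CONF), "-r", str(pcap)]
    try:
        run(cmd, check=True)
    finally:
        pcap.unlink(missing_ok=True)
    return cmd


if __name__ == "__main__":
    print(replay_previous_hour(datetime.now()))
```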