Snort mailing list archives
Re: HOME_NET question...
From: Phil Wood <cpw () lanl gov>
Date: Tue, 23 Apr 2002 08:43:24 -0600
On Tue, Apr 23, 2002 at 01:55:32AM -0500, Bob Hillegas wrote:
On Mon, 22 Apr 2002, John Sage wrote:

Date: Mon, 22 Apr 2002 19:43:56 -0700
From: John Sage <jsage () finchhaven com>
To: Erek Adams <erek () theadamsfamily net>
Cc: Bob Hillegas <bobhillegas () pdq net>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] HOME_NET question...

On Mon, Apr 22, 2002 at 01:42:54PM -0700, Erek Adams wrote:
> On Mon, 22 Apr 2002, Bob Hillegas wrote:

<snippage>

hmm.. I'm getting the -b binary logging into something like this:

snort-0421@1853.log

which is the date and time of the connection start;

--- <snip> ---

My binaries (now 1.8.6) are going to something like:

0423@01-bulk.log
Your life will improve just a tiny bit if you apply the attached patch to spo_log_tcpdump.c. There is not quite enough space for the name so you don't get no minutes. This statement applies to the current CVS for 1.8.7 BUILD 110.
by using:

ruletype bulk
{
    type log
    output log_tcpdump: bulk.log
}
bulk ip any any -> any any (msg:"Capture all ip packets")

The problem with this format is that reconnections during the same hour overwrite previous ones. During dis-connect processing (/etc/ppp/ip-down -> /etc/sysconfig/network-scripts/ifdown-post -> /sbin/ifdown-local), I invoke a script to rename the file just created. Since I am NOT doing any alerts (the above is my only rule), I need to know what HOME_NET=$ppp0_ADDRESS was during the capture for subsequent alert processing. For now I mkdir /var/log/snort/$HOME_NET/ and mv the bulk file using:

#####################################################################
#!/bin/bash
# /usr/local/scripts/movelog

logger -t SCRIPT -p local0.info "++++ ${0} ${*} ++++"

if [ $# -lt "1" ]; then
    echo "External Interface Device argument missing $0"
    logger -t ipchains -p local0.info "External Interface Device argument missing $0"
    exit 0
fi

EXT_IFACE=$1

# Unpack local and remote ip addresses
LOCAL_IP=`/sbin/ifconfig ${EXT_IFACE} | grep "inet addr:" | awk '{print $2}' | awk 'BEGIN { FS=":" } { print $2}' `

# Move snort.log & bulk.log files to correctly state time
#   MMDD@HH-bulk.log     --> YYYYMMDD-HHMMSS-packet.log
#   MMDD@HH-snort.log    --> YYYYMMDD-HHMMSS-alert.log
#   snort-MMDD@HHMM.log  --> YYYYMMDD-HHMMSS-packet.log
#
# --------------------------------------------------------------------
alert ()
{
    # Re-read the archived capture with the saved snort.conf (which carries the
    # HOME_NET in effect at capture time) to generate alerts.
    # Check that the saved snort.conf is readable and the snort binary is executable.
    if [ -r ${SNORTCONF2} -a -x ${SNORT} ]; then
        $SNORT -r ${TDIR}${LOCAL_IP}/${TSNAM} -u snort -g snort -c ${SNORTCONF2}
    fi
    ## end of snort.conf
}
# --------------------------------------------------------------------
TDIR=/var/log/snort/
if [ ! -d ${TDIR}${LOCAL_IP}/ ]; then
    /bin/mkdir ${TDIR}${LOCAL_IP}/
fi
# --------------------------------------------------------------------
# Save copy of snort.conf with correct $HOME_NET
SNORTCONF1="/etc/snort/snort.conf"
SNORTCONF2="${TDIR}${LOCAL_IP}/snort.conf"
SNORT="/usr/local/bin/snort"
if [ ! -e ${TDIR}${LOCAL_IP}/snort.conf ]; then
    /usr/local/bin/gres "\$ppp0_ADDRESS" ${LOCAL_IP} ${SNORTCONF1} > ${SNORTCONF2}
fi

# Timestamped name taken from the file's last-access time (find -printf %A...)
for fil in ${TDIR}*-bulk.log; do
    if [ -f ${fil} ]; then
        TSNAM=`find $fil -printf %AY%Am%Ad-%AH%AM%AS-packet.log `
        mv -i $fil ${TDIR}${LOCAL_IP}/${TSNAM}
        alert
    fi
done

for fil in ${TDIR}*-snort.log; do
    if [ -f ${fil} ]; then
        TSNAM=`find $fil -printf %AY%Am%Ad-%AH%AM%AS-alert.log `
        mv -i $fil ${TDIR}${LOCAL_IP}/${TSNAM}
    fi
done

for fil in ${TDIR}snort-*.log; do
    if [ -f ${fil} ]; then
        TSNAM=`find $fil -printf %AY%Am%Ad-%AH%AM%AS-packet.log `
        # Keep the per-HOME_NET layout so alert() finds the file where it reads it
        mv -i $fil ${TDIR}${LOCAL_IP}/${TSNAM}
        alert
    fi
done

# That's all :-)
logger -t SCRIPT -p local0.info "++++ ${0} ${*} completed ++++"
exit
#####################################################################

This way I can reprocess files at a later time.

--- </snip> ---

alerts go to this:

alert184.full-0421@1853.log

from this in snort.conf:

# output alert_full
output alert_full: /var/log/snort/alert184.full  # keep as from 1.8.2

Are you not getting something similar?

--- <snip> ---

For alerts, I'm using the standard:

output alert_syslog LOG_AUTH LOG_ALERT

which gives MMDD@HH-snort.log, which I also handle in movelog (above).

--- </snip> ---

I start snort from a line within the shell script that brings up my ipchains firewall:

/usr/bin/snort184 -b -i ppp0 -o -c /usr/local/snort-1.8.4/snort184.conf &

and in snort.conf I have:

var HOME_NET $ppp0_ADDRESS

--- <snip> ---

When logging:

SNORT -i ppp0 -u snort -g snort -c /etc/snort/tcpdump.conf -D

and in tcpdump.conf:

var HOME_NET $ppp0_ADDRESS

See alert() function above for alerting.
--- </snip> ---

--
-------------------------------------------------
Bob Hillegas <bobhillegas () pdq net>
-- Phil Wood, cpw () lanl gov
Attachment:
patch
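Bob's movelog procedure (archive each closed capture under a per-HOME_NET directory with a timestamped name, save a snort.conf with the concrete HOME_NET filled in, then re-read the capture offline with "snort -r ... -c") as an added POSIX shell example. This is not Bob's script and not part of the thread; it goes one step beyond his version on the overwrite problem he describes: two captures that map to the same archived name (a reconnection in the same hour, or the truncated-minutes filename Phil's patch fixes) get distinct numbered names instead of the second clobbering the first. The log directory, the address 192.0.2.10, the "var HOME_NET ..." line shape, and the use of the file's modification time (GNU date -r, BSD stat as fallback) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Bob's movelog: archive Snort captures per HOME_NET with
# collision-safe timestamped names, and save a snort.conf with the concrete
# HOME_NET so a capture can be re-read later with "snort -r FILE -c CONF".
# Assumed (not from the thread): the capture's mtime is its close time, the
# config line to rewrite is "var HOME_NET ...", and GNU "date -r" or BSD
# "stat -f" is available.

# Modification time of FILE as YYYYMMDD-HHMMSS (GNU coreutils first, BSD next).
file_mtime_stamp() {
    if date -r "$1" +%Y%m%d-%H%M%S 2>/dev/null; then
        return 0
    fi
    stat -f %Sm -t %Y%m%d-%H%M%S "$1"
}

# Next free name DIR/STAMP-SUFFIX.log, DIR/STAMP-SUFFIX.1.log, .2.log, ...
# so a second capture that lands on the same name never overwrites the first.
unique_dest() {
    ud_cand="$1/$2-$3.log"
    ud_n=1
    while [ -e "$ud_cand" ]; do
        ud_cand="$1/$2-$3.$ud_n.log"
        ud_n=$((ud_n + 1))
    done
    printf '%s\n' "$ud_cand"
}

# archive_capture FILE LOGDIR HOME_IP SUFFIX: move FILE into LOGDIR/HOME_IP/
# under its timestamped name and print the archived path.
archive_capture() {
    [ -f "$1" ] || return 1
    ac_dir="$2/$3"
    mkdir -p "$ac_dir" || return 1
    ac_dest=$(unique_dest "$ac_dir" "$(file_mtime_stamp "$1")" "$4") || return 1
    mv -n "$1" "$ac_dest" || return 1     # -n: never clobber, even in a race
    [ -f "$ac_dest" ] || return 1
    printf '%s\n' "$ac_dest"
}

# write_homenet_conf SRC_CONF DEST_CONF HOME_IP: copy SRC_CONF to DEST_CONF
# with the HOME_NET value replaced by HOME_IP, so an offline "snort -r" run
# sees the address the sensor had at capture time. An existing DEST_CONF is
# kept untouched (first connection wins, as in Bob's script).
write_homenet_conf() {
    if [ -e "$2" ]; then
        return 0
    fi
    sed "s|^var HOME_NET .*|var HOME_NET $3|" "$1" > "$2"
}

# archive_all LOGDIR HOME_IP: the per-disconnect sweep. Binary captures
# (*-bulk.log and the older snort-MMDD@HHMM.log form) become *-packet.log,
# alert files (*-snort.log) become *-alert.log.
archive_all() {
    for aa_f in "$1"/*-bulk.log "$1"/snort-*.log; do
        if [ -f "$aa_f" ]; then archive_capture "$aa_f" "$1" "$2" packet; fi
    done
    for aa_f in "$1"/*-snort.log; do
        if [ -f "$aa_f" ]; then archive_capture "$aa_f" "$1" "$2" alert; fi
    done
}

# Usage from an ifdown hook (hypothetical paths and address):
#   write_homenet_conf /etc/snort/snort.conf /var/log/snort/192.0.2.10/snort.conf 192.0.2.10
#   archive_all /var/log/snort 192.0.2.10
```

The numbered suffix is what makes a second capture from the same hour survive; with `mv -i` in a script that has no terminal on stdin, the prompt fails and the file is simply left behind in the spool directory, which is quieter but loses the ordering between the two captures.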