Snort mailing list archives

Re: snortstat_pl


From: David Guimaraes <skysbsb () gmail com>
Date: Thu, 3 Dec 2009 13:14:42 -0200

The problem is that snort_stat uses the "snort" signature in the snort alert file
to recover information... but barnyard is the author of the alert message,
so the alert file generated by barnyard will contain:

Dec  3 06:24:03 debian *barnyard*: [1:2050:14] SQL version overflow attempt
[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP}
222.47.22.18:2285 -> x.x.x.x:1434

you see?

So, to resolve this problem, you have to edit the snort_stat.pl file like this
patch:

#### PATCH BEGIN ####
--- snort_stat.pl    2009-12-03 13:12:51.000000000 -0200
+++ snort_stat_modified.pl    2009-12-03 13:11:24.000000000 -0200
@@ -135,7 +135,7 @@

     # This is syslog format
     if ( $_ =~ m/^(\w{3}) \s+ (\d+) \s (\d+)\:(\d+)\:(\d+)\s
-    (\S+?)\ssnort[\[\d+\]]*\:\s+(.+)/ox
+    (\S+?)\sbarnyard[\[\d+\]]*\:\s+(.+)/ox
     || m/^(\d+)\/(\d+)\-(\d+)\:(\d+)\:(\d+)\.(\d+)\s(.+)/ox
     ) {
     $alert->{MON}  = $1;
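Review bot: the `+` line swaps the literal `snort` for `barnyard`, so an alert file written by snort's own syslog output no longer matches this branch and every such line is silently skipped; an alternation that accepts both producers is the safer edit, e.g. `(\S+?)\s(?:snort|barnyard)[\[\d+\]]*\:\s+(.+)/ox`. Keeping the group non-capturing leaves `$1`..`$7` aligned with the assignments that follow (`$alert->{MON}  = $1;`). While here: `[\[\d+\]]*` is a character class (any run of `[`, digits, `+` or `]`), not an optional `[pid]` suffix; `(?:\[\d+\])?` expresses what was meant.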

#### PATCH END ####

On Thu, Dec 3, 2009 at 8:31 AM, Tedi Heriyanto <tedi.heriyanto () gmail com> wrote:

Pradeep Lamabam wrote:
hello,
I am using snort with barnyard, base, mysql. All is working fine. I had also
used snortstat_pl as a summary tool. It works equally fine. What I had
trouble with, though, was running the snortstat_pl script from cron and
mailing me the summary.
The command I used is:
59 23 * * * cat /var/log/snort/alert | snort_stat.pl |
mail -s "Snort Report" <myid>@yahoo.com

You can put the commands:
cat /var/log/snort/alert | snort_stat.pl |
mail -s "Snort Report" <myid>@yahoo.com

into a shell script and in the cron entry you just call that script:

59 23 * * * /home/user/snort-log-mailer.sh



--
Best Regards,

Tedi Heriyanto
Website         : http://tedi.heriyanto.net
Blog            : http://theriyanto.wordpress.com
PGP Key ID      : 0xAC22DD11
PGP Fingerprint : 470A FF01 B4CF 93A4 78E5 0EAC 0103 BC76 AC22 DD11


------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
David Gomes Guimarães
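For the syslog-format parsing discussed above, here is an added example in Python (it is not part of the original post and not code from snort_stat.pl): it matches alert lines from either producer, snort or barnyard, tolerates an optional pid, and builds the per-signature and per-source counts a summary tool like snort_stat needs. The sample lines are constructed, and the line layout they assume is the one shown in the thread.

```python
import re
from collections import Counter

# Syslog-format alert line from snort itself or from barnyard, optional "[pid]" after the
# producer (the thread's patch hardcodes one producer; this accepts both). IPv4/hostnames only.
SYSLOG_ALERT = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s(?P<time>\d+:\d+:\d+)\s"
    r"(?P<host>\S+?)\s(?P<producer>snort|barnyard)(?:\[\d+\])?:\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s(?P<msg>.+?)\s"
    r"\[Classification:\s(?P<classification>[^\]]+)\]\s"
    r"\[Priority:\s(?P<priority>\d+)\]\s\{(?P<proto>\w+)\}\s"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s->\s(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None when the line is not an alert."""
    m = SYSLOG_ALERT.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Count alerts per signature and per source, the way a snort_stat-style summary does."""
    by_sig, by_src, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            skipped += 1          # non-alert syslog lines are ignored, not fatal
            continue
        by_sig[(rec["gid"], rec["sid"], rec["msg"])] += 1
        by_src[rec["src"]] += 1
    return {"by_sig": by_sig, "by_src": by_src, "skipped": skipped}

# Constructed sample lines (not real traffic): a barnyard line like the one in the
# thread, a snort line with a pid, an ICMP alert without ports, and a non-alert line.
SAMPLE_ALERTS = [
    "Dec  3 06:24:03 debian barnyard: [1:2050:14] SQL version overflow attempt "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} "
    "222.47.22.18:2285 -> 10.0.0.5:1434",
    "Dec  3 06:25:10 debian snort[4242]: [1:2050:14] SQL version overflow attempt "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} "
    "222.47.22.18:2301 -> 10.0.0.5:1434",
    "Dec  3 06:26:00 debian snort[4242]: [1:469:3] ICMP PING NMAP "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} "
    "192.0.2.9 -> 10.0.0.5",
    "Dec  3 06:27:00 debian sshd[1234]: Accepted publickey for admin from 10.0.0.7",
]
```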
