Snort mailing list archives
Re: output log_tcpdump bulk.log
From: John Sage <jsage () finchhaven com>
Date: Wed, 6 Mar 2002 06:42:16 -0800
heh.. OK: as some have pointed out, there *really* isn't a heck of a lot of perl in this script. I'm trying to learn perl, so I just use it for everything...

Also, my lawyer just about puked when she heard what I'd done, and she wants me to add this:

NO WARRANTY

1. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

2. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

And for this I pay her what?

- John

On Wed, Mar 06, 2002 at 06:04:55AM -0800, John Sage wrote:
Bob:

If you've already got cron involved, write a shell or perl script that runs from cron and renames the file.. Here's something I use (perl wizards: don't laugh :-)

#!/usr/bin/perl
#
# run from /etc/crontab by:
# 00 4 * * * root /usr/bin/perl /var/log/snort/rotate_counts.plx
# minute 00, hour 04, * * * rotate counts, datestamp, touch new
#
$t = `date +%m%d%y%H%M`;
chomp($t);   # strip the trailing newline from `date`, or it ends up in the file name
system("mv -f /var/log/snort/count_ports /var/log/snort/count_ports.$t");
system("mv -f /var/log/snort/count_probes /var/log/snort/count_probes.$t");
system("mv -f /var/log/snort/count_probes_sort /var/log/snort/count_probes_sort.$t");
#
system("touch /var/log/snort/count_ports");
system("touch /var/log/snort/count_probes");
system("touch /var/log/snort/count_probes_sort");
#
# EOF rotate_counts.plx 09/29/01

HTH..

- John

--
Most people don't type their own logfiles; but, what do I care?

On Tue, Mar 05, 2002 at 11:15:11PM -0600, Bob Hillegas wrote:

BACKGROUND...

In my snort.conf I have added the following ruletype:

ruletype bulk
{
    type log
    output log_tcpdump: bulk.log
}

This rule type is fed by a rule in local.rules:

log ip any any <> any any (msg:"Capture all ip packets")

PROBLEM...

File is overwritten!! I'm using a dial-up, 10 minute inactivity time-out, cron to fetch mail every 30 minutes. This means it dials twice an hour. Since I get a new ip every time I dial in, I must kill -INT snort.pid each time the interface goes down and restart snort with var HOME_NET $ppp0_ADDRESS every time the interface is brought back up. That works fine. But, the above output statement creates filenames like 0305@22-bulk.log. When two are created the same hour, the second one overwrites the first.

QUESTION...

Is there a way of extending the naming to include minutes, or to enable appending to file?

Thanks
--
-------------------------------------------------
Bob Hillegas <bobhillegas () pdq net>
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
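As an added example (not the script from the post), here is a POSIX shell rotation that does what the thread is after: it stamps the rotated copy to the minute, and if a copy with that stamp already exists it appends a sequence number instead of letting mv -f overwrite it, so a second restart in the same hour cannot clobber the earlier capture. The directory and file names are placeholders, not anything from the list.

```shell
#!/bin/sh
# Added example, not the poster's script: rotate a log into a date-stamped
# copy that never overwrites an earlier rotation.

rotate_log() {
    # $1 = log file to rotate
    # $2 = optional stamp (defaults to now, minute resolution: %m%d%y%H%M)
    # prints the name the log was rotated to
    src="$1"
    stamp="${2:-$(date +%m%d%y%H%M)}"
    [ -f "$src" ] || return 1
    dest="$src.$stamp"
    n=0
    # A rotation already happened in this minute: add a sequence suffix
    # rather than replacing it (mv -f would silently destroy the old copy).
    while [ -e "$dest" ]; do
        n=$((n + 1))
        dest="$src.$stamp.$n"
    done
    mv "$src" "$dest" || return 1
    : > "$src"    # recreate an empty log so the writer still has a target
    printf '%s\n' "$dest"
}

rotate_snort_counts() {
    # $1 = directory holding the count files; placeholder layout assumed
    dir="$1"
    stamp=$(date +%m%d%y%H%M)
    for f in count_ports count_probes count_probes_sort; do
        [ -f "$dir/$f" ] || : > "$dir/$f"
        rotate_log "$dir/$f" "$stamp" || return 1
    done
}
```

Run it from cron the same way as the perl script (e.g. `rotate_snort_counts /var/log/snort`), or call rotate_log directly on a single file from the ppp down script.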
Current thread:
- output log_tcpdump bulk.log Bob Hillegas (Mar 05)
- Re: output log_tcpdump bulk.log John Sage (Mar 06)
- Re: output log_tcpdump bulk.log John Sage (Mar 06)
- Re: output log_tcpdump bulk.log Ralf Hildebrandt (Mar 06)
- Re: output log_tcpdump bulk.log Bob Hillegas (Mar 06)
- Re: output log_tcpdump bulk.log John Sage (Mar 06)
- Re: output log_tcpdump bulk.log John Sage (Mar 06)