Snort mailing list archives

Re: output log_tcpdump bulk.log


From: John Sage <jsage () finchhaven com>
Date: Wed, 6 Mar 2002 06:42:16 -0800

heh..

OK: as some have pointed out, there *really* isn't a heck of a lot of
perl in this script.

I'm trying to learn perl, so I just use it for everything...

Also, my lawyer just about puked when she heard what I'd done, and she
wants me to add this:


                            NO WARRANTY

  1. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.

  2. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

                     END OF TERMS AND CONDITIONS



And for this I pay her what?

- John



On Wed, Mar 06, 2002 at 06:04:55AM -0800, John Sage wrote:
Bob:

If you've already got cron involved, write a shell or perl script that
runs from cron and renames the file..

Here's something I use (perl wizards: don't laugh :-)

#!/usr/bin/perl
#
# run from /etc/crontab by:
#   00 4 * * * root /usr/bin/perl /var/log/snort/rotate_counts.plx
#   minute 00, hour 04, * * * rotate counts, datestamp, touch new
#   (invoke with perl, not /bin/sh: sh cannot run this script)
#
use strict;
use warnings;

my $t = `date +%m%d%y%H%M`;
chomp $t;    # strip the trailing newline so it doesn't land in the filename
#
# move the current count files aside under a datestamped name
system("mv -f /var/log/snort/count_ports /var/log/snort/count_ports.$t");
system("mv -f /var/log/snort/count_probes /var/log/snort/count_probes.$t");
system("mv -f /var/log/snort/count_probes_sort /var/log/snort/count_probes_sort.$t");
#
# start fresh, empty count files for the next period
system("touch /var/log/snort/count_ports");
system("touch /var/log/snort/count_probes");
system("touch /var/log/snort/count_probes_sort");
#
# EOF rotate_counts.plx 09/29/01


HTH..

- John
-- 
Most people don't type their own logfiles;  but, what do I care?



On Tue, Mar 05, 2002 at 11:15:11PM -0600, Bob Hillegas wrote:
BACKGROUND... In my snort.conf I have added the following ruletype:

ruletype bulk
{
  type log
  output log_tcpdump bulk.log
}

This rule type is fed by a rule in local.rules:

log ip any any <> any any (msg:"Capture all ip packets")

PROBLEM... File is overwritten!!

I'm using a dial-up, 10 minute inactivity time-out, cron to fetch mail every 
30 minutes. This means it dials twice an hour. Since I get a new IP every 
time I dial in, I must kill -INT snort.pid each time the interface goes 
down and restart snort with 

var HOME_NET $ppp0_ADDRESS

every time the interface is brought back up. That works fine.
But, the above output statement creates filenames like 0305@22-bulk.log. 
When two are created in the same hour, the second one overwrites the first. 

QUESTION... Is there a way of extending the naming to include minutes, or 
to enable appending to file?

Thanks
-- 
-------------------------------------------------
Bob Hillegas           
<bobhillegas () pdq net> 
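Taking John's cron-rotation suggestion and Bob's need for names finer than hourly together, here is an added shell example (not code from either post) that renames a log_tcpdump output file with a minute-resolution datestamp and, if two rotations land in the same minute, adds a numeric suffix instead of overwriting. The file name "bulk.log", the scratch directory and the cron line in the comment are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from John's or Bob's posts: rotate a Snort
# log_tcpdump file with a minute-resolution datestamp and a collision-safe
# suffix, so two rotations in one hour (or even one minute) never overwrite.
# The file name "bulk.log" and the scratch directory are assumptions.

# rotate_log FILE STAMP
#   Renames FILE to FILE.STAMP. If that name is already taken (a rotation
#   earlier in the same minute), tries FILE.STAMP.1, FILE.STAMP.2, ... rather
#   than clobbering. Prints the destination path on success, returns 1 otherwise.
rotate_log() {
    file=$1
    stamp=$2
    [ -f "$file" ] || return 1
    dest="$file.$stamp"
    n=0
    while [ -e "$dest" ]; do
        n=$((n + 1))
        dest="$file.$stamp.$n"
    done
    mv -f "$file" "$dest" || return 1
    printf '%s\n' "$dest"
}

# Snort's own log_tcpdump prefix (MMDD@HH-) has hour granularity only;
# this stamp adds year and minute, the same format John's cron job uses.
current_stamp() {
    date +%m%d%y%H%M
}

# Rotate every file given, e.g. from a cron entry such as
#   */5 * * * * root /bin/sh /var/log/snort/rotate_bulk.sh /var/log/snort/bulk.log
# (a constructed cron line, not one from the thread).
rotate_all() {
    stamp=$(current_stamp)
    for f in "$@"; do
        rotate_log "$f" "$stamp" || printf 'skip %s (not a regular file)\n' "$f" >&2
    done
}

# Demonstration in a throw-away directory so it runs offline: two rotations
# with the same constructed stamp produce two distinct files.
demo() {
    dir=$(mktemp -d)
    printf 'first capture\n' > "$dir/bulk.log"
    rotate_log "$dir/bulk.log" 0306021342
    printf 'second capture, same minute\n' > "$dir/bulk.log"
    rotate_log "$dir/bulk.log" 0306021342
    ls "$dir"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh rotate_bulk.sh demo` to see the two files side by side. One caveat that matters for Bob's setup: renaming works cleanly here only because Snort is stopped and restarted on every dial-in, so the file is closed. A Snort that keeps running holds its output file open and keeps writing to the renamed inode until it is restarted or reopens its output, so the rotation should be placed around the restart, not run against a live process.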

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

