Snort mailing list archives

Re: output log_tcpdump bulk.log


From: Bob Hillegas <bobhillegas () pdq net>
Date: Wed, 6 Mar 2002 21:28:29 -0600 (CST)

Thanks John for the script. It wasn't exactly what I wanted, but got me 
off dead-center. I wanted the file names to include the timestamp when 
they were created, what you get from ls -lu (access time).

Instead of using cron, I place this script in my ifdown-local. It gets 
called each time the ppp0 interface goes down. I kill snort at that point 
and then move the files.

Since my pppd is set up as on demand, I don't want to wait for a specific 
cron interval, and find out that snort has been invoked already and 
overwritten the file.

Thanks, BobH

#!/bin/bash
# Move snort.log & bulk.log files to correctly state time
# MMDD@HH-bulk.log  --> YYYYMMDD-HHMMSS-packet.log
# MMDD@HH-snort.log --> YYYYMMDD-HHMMSS-alert.log
#

TDIR=/var/log/snort/

for fil in "${TDIR}"*-bulk.log; do
  [ -e "$fil" ] || continue   # glob matched nothing: skip the literal pattern
  # new name is built from the file's access time (what ls -lu shows)
  TSNAM=$(find "$fil" -printf '%AY%Am%Ad-%AH%AM%AS-packet.log')
  mv -i -- "$fil" "${TDIR}${TSNAM}"
done

for fil in "${TDIR}"*-snort.log; do
  [ -e "$fil" ] || continue
  TSNAM=$(find "$fil" -printf '%AY%Am%Ad-%AH%AM%AS-alert.log')
  mv -i -- "$fil" "${TDIR}${TSNAM}"
done

# That's all :-)
exit 0

-- 
-------------------------------------------------
Bob Hillegas           
<bobhillegas () pdq net> 
281.546.9311          

On Wed, 6 Mar 2002, John Sage wrote:

 Date: Wed, 6 Mar 2002 06:04:55 -0800
 From: John Sage <jsage () finchhaven com>
 To: Bob Hillegas <bobhillegas () pdq net>
 Cc: snort-users () lists sourceforge net
 Subject: Re: [Snort-users] output log_tcpdump bulk.log
 
 Bob:
 
 If you've already got cron involved, write a shell or perl script that
 runs from cron and renames the file..
 
 Here's something I use (perl wizards: don't laugh :-)
 
 #!/usr/bin/perl
 #
 # run from /etc/crontab by:
 #   00 4 * * * root /usr/bin/perl /var/log/snort/rotate_counts.plx
 #   minute 00, hour 04, * * * rotate counts, datestamp, touch new
 #
 use strict;
 use warnings;

 # datestamp MMDDYYHHMM; chomp the trailing newline so it does not
 # become part of the mv command line
 my $t = `date +%m%d%y%H%M`;
 chomp($t);
 system("mv -f /var/log/snort/count_ports /var/log/snort/count_ports.$t");
 system("mv -f /var/log/snort/count_probes /var/log/snort/count_probes.$t");
 system("mv -f /var/log/snort/count_probes_sort /var/log/snort/count_probes_sort.$t");
 #
 # start fresh, empty count files for the next day
 system("touch /var/log/snort/count_ports");
 system("touch /var/log/snort/count_probes");
 system("touch /var/log/snort/count_probes_sort");
 #
 # EOF rotate_counts.plx 09/29/01
 
 
 HTH..
 
 - John
 

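As an added example (not Bob's or John's script, and not part of the Snort project), here is a version of the rename step that handles three things the scripts in this thread leave to chance: a glob that matches nothing (the loop would otherwise hand the literal pattern to find), the fractional seconds newer GNU find prints for %AS, and two captures that share the same access-time second, where mv -i run from ifdown-local has no terminal to answer its prompt and leaves the second file in place. It assumes the MMDD@HH-bulk.log and MMDD@HH-snort.log names discussed above, GNU find and mv, and that snort has already been stopped as Bob does; the directory and file names used to exercise it are constructed.

```shell
#!/bin/bash
# Added example: rotate Snort log_tcpdump output into access-time-stamped
# names without overwriting, skipping, or prompting. Not the thread's code.

# stamp_for_file FILE -> prints YYYYMMDD-HHMMSS from the file's access time
stamp_for_file() {
    # newer GNU find prints %AS as "29.123456789"; drop the fraction
    find "$1" -maxdepth 0 -printf '%AY%Am%Ad-%AH%AM%AS' | cut -d. -f1
}

# unique_target DIR STAMP SUFFIX -> prints a path that does not exist yet,
# inserting -1, -2, ... when two captures fall in the same second
unique_target() {
    local dir=$1 stamp=$2 suffix=$3 n=0 cand
    cand="$dir/$stamp-$suffix"
    while [ -e "$cand" ]; do
        n=$((n + 1))
        cand="$dir/$stamp-$n-$suffix"
    done
    printf '%s\n' "$cand"
}

# rotate_logs DIR -> renames *-bulk.log to <stamp>-packet.log and
# *-snort.log to <stamp>-alert.log; prints one "old -> new" line per file
rotate_logs() {
    local dir=$1 pair pattern suffix fil stamp target
    for pair in '*-bulk.log:packet.log' '*-snort.log:alert.log'; do
        pattern=${pair%%:*}
        suffix=${pair##*:}
        for fil in "$dir"/$pattern; do
            # an unmatched glob stays literal; never pass that to find or mv
            [ -e "$fil" ] || continue
            stamp=$(stamp_for_file "$fil")
            target=$(unique_target "$dir" "$stamp" "$suffix")
            # -n never overwrites and never waits on a tty, unlike -i
            mv -n -- "$fil" "$target"
            printf '%s -> %s\n' "$fil" "$target"
        done
    done
}

# Run directly (e.g. from ifdown-local after stopping snort) with
#   RUN_ROTATE=1 SNORT_LOG_DIR=/var/log/snort ./rotate_snort_logs.sh
if [ "${RUN_ROTATE:-0}" = 1 ]; then
    rotate_logs "${SNORT_LOG_DIR:-/var/log/snort}"
fi
```

Because the stamp comes from the access time, the script must run before anything else reads the capture files (an atime-updating cat or tcpdump -r would move the timestamp); on filesystems mounted noatime or relatime, the modification time (%TY etc.) is the more reliable choice.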

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users