Snort mailing list archives

RE: Newbie needs help!!


From: "Pieter Blaauw" <pblaauw () pnp co za>
Date: Mon, 18 Mar 2002 09:43:32 +0200

Very easy!

Lemme give you the script I run at 23:45pm every evening. It puts the
snort output in a datestamped dir.

Here's the crontab entry:

45 23 * * * /usr/local/scripts/parse.sh

And here's the script:

----------------------------snip-----------------------------------

#!/bin/sh

# Set the date :P
DATE=`date +%Y%m%d`

# Backup the log files (in case something breaks) and then copy the logs
# to the correct location for parsing. Snortsnarf only parses the logs and
# puts the output in the local dir, so supplying it with a destination dir
# after the logfile does not work, ie. 'snortsnarf alert /usr/local/www/data'
# does NOT put it there but in the local directory. Messy but simple.
cp /var/log/snort/alert /var/log/snort/alert.$DATE
cp /var/log/snort/alert /usr/local/www/data/ids
cp /var/log/snort/portscan.log /var/log/snort/portscan.$DATE
cp /var/log/snort/portscan.log /usr/local/www/data/ids

# Let's parse the bastards!
cd /usr/local/www/data/ids
/usr/local/bin/snortsnarf alert
/usr/local/bin/snortsnarf portscan.log

# OK. Now it puts them in ugly directories, so let's clean that out a bit
# and datestamp it.
cp -R snfout.alert/ /usr/local/www/data/ids/$DATE.alert
cp -R snfout.portscan.log/ /usr/local/www/data/ids/$DATE.portscan
rm -rf snfout.alert
rm -rf snfout.portscan.log

# Now once we check that the logs are parsed fine, and the dirs are
# created, we can stop the program and then restart it after the logs are
# killed off.
rm /usr/local/www/data/ids/alert
rm /usr/local/www/data/ids/portscan.log

# The bracketed [s]nort pattern stops awk's own command line (which also
# contains "snort") from matching and being killed along with the daemon;
# since awk only prints PIDs, a trailing 'grep -v grep' would do nothing.
ps -aux | awk '/[s]nort/ {print $2}' | xargs kill -9

rm /var/log/snort/alert
rm /var/log/snort/portscan.log
cd /usr/local/etc
/usr/local/bin/snort &

----------------------------snip-----------------------------------

While this may seem very arcane and probably could be done in a very
different and more efficient manner, it works for me, so :P. Every
morning I just go to the new datestamped directory and view the output
:)

BTW: If someone with time on their hands wants to rewrite this for me
more efficiently then by all means do *g*

Cheers
Pieter
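
Pieter asks for a tidier rewrite; the following is an added example from the editor, not Pieter's script and not code from the Snort or SnortSnarf projects. It keeps his nightly sequence (datestamp the logs, run SnortSnarf in a directory where its `snfout.<file>` output can be moved aside, restart Snort) but replaces copy-then-delete with a rename, restarts Snort by pid file instead of `kill -9` on anything whose ps line contains "snort", and puts each step in a function so it can be exercised against a scratch directory. The directory paths, the `SNORTSNARF` variable and the pid-file location are assumptions.

```shell
#!/bin/sh
# Added example (not Pieter's script, not part of Snort or SnortSnarf):
# the same nightly job written as functions. Paths, the SNORTSNARF
# variable and the pid-file location below are assumptions.
set -eu

SNORT_LOG_DIR="${SNORT_LOG_DIR:-/var/log/snort}"
WEB_DIR="${WEB_DIR:-/usr/local/www/data/ids}"
SNORTSNARF="${SNORTSNARF:-/usr/local/bin/snortsnarf}"
SNORT_PIDFILE="${SNORT_PIDFILE:-/var/run/snort.pid}"   # assumed location

# rotate_log LOGDIR NAME STAMP
# Rename the live log under a datestamp and leave a fresh empty file.
# The old Snort process keeps writing into the renamed inode until it is
# restarted, so nothing is lost in the gap. Prints the archive path.
rotate_log() {
    logdir=$1; name=$2; stamp=$3
    if [ ! -f "$logdir/$name" ]; then
        echo "rotate_log: $logdir/$name not found" >&2
        return 1
    fi
    mv "$logdir/$name" "$logdir/$name.$stamp"
    : > "$logdir/$name"
    echo "$logdir/$name.$stamp"
}

# parse_log ARCHIVE WEBDIR STAMP
# SnortSnarf writes snfout.<file> into its working directory, so run it in
# a scratch directory and move the report to WEBDIR/STAMP.<name>.
# Prints the report directory.
parse_log() {
    archive=$1; webdir=$2; stamp=$3
    name=$(basename "$archive" ".$stamp")
    workdir=$(mktemp -d)
    cp "$archive" "$workdir/$name"
    ( cd "$workdir" && "$SNORTSNARF" "$name" )
    mkdir -p "$webdir"
    rm -rf "$webdir/$stamp.$name"
    mv "$workdir/snfout.$name" "$webdir/$stamp.$name"
    rm -rf "$workdir"
    echo "$webdir/$stamp.$name"
}

# restart_snort: SIGTERM the daemon named in the pid file (assumed path)
# rather than kill -9 on every process matching "snort", then start a
# fresh daemon from the config directory.
restart_snort() {
    if [ -f "$SNORT_PIDFILE" ]; then
        kill "$(cat "$SNORT_PIDFILE")" 2>/dev/null || true
        sleep 2
    fi
    ( cd /usr/local/etc && /usr/local/bin/snort -D )
}

# Nightly entry point (crontab: 45 23 * * * /usr/local/scripts/parse.sh run).
# Guarded by the "run" argument so the functions can be sourced and tested.
if [ "${1:-}" = "run" ]; then
    stamp=$(date +%Y%m%d)
    archives=""
    for name in alert portscan.log; do
        a=$(rotate_log "$SNORT_LOG_DIR" "$name" "$stamp") || continue
        archives="$archives $a"
    done
    restart_snort          # sensor back on the wire before the slow part
    for a in $archives; do
        parse_log "$a" "$WEB_DIR" "$stamp"
    done
fi
```

The ordering differs from the original on purpose: the logs are rotated and Snort restarted first, and SnortSnarf (the slow step) runs afterwards on the archived copies, so the sensor is down for seconds rather than for the whole parse. Because the live file is renamed rather than copied and deleted, alerts written between the rotation and the restart end up in the archive instead of being discarded.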


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of lsd kuyeh
Sent: Monday, March 18, 2002 6:33 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Newbie needs help!!


Dear all Snort-User,

I downloaded SnortSnarf and I am not an expert in Snort.
I am confused because I don't know how to run
SnortSnarf although my Apache is ready.

Can anyone tell me the procedure and commands to
enable my SnortSnarf to run? I have already tried for weeks
but with no result.


Confused,
Sean


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
