Re: HOME_NET question...

[Phil Wood <cpw () lanl gov>]

On Tue, Apr 23, 2002 at 01:55:32AM -0500, Bob Hillegas wrote:
> On Mon, 22 Apr 2002, John Sage wrote:
>
>  Date: Mon, 22 Apr 2002 19:43:56 -0700
>  From: John Sage <jsage () finchhaven com>
>  To: Erek Adams <erek () theadamsfamily net>
>  Cc: Bob Hillegas <bobhillegas () pdq net>, snort-users () lists sourceforge net
>  Subject: Re: [Snort-users] HOME_NET question...
>  
>  On Mon, Apr 22, 2002 at 01:42:54PM -0700, Erek Adams wrote:
>  > On Mon, 22 Apr 2002, Bob Hillegas wrote:
>  
>  <snippage>
>  
>  hmm.. I'm getting the -b binary logging into something like this:
>  
>  snort-0421 () 1853 log
>  
>  which is the date and time of the connection start;
> --- <snip> ---
>
> My binaries (now 1.8.6) are going to something like:
> 0423 () 01-bulk log

Your life will improve just a tiny bit if you apply the attached patch to

  spo_log_tcpdump.c

There is not quite enough space for the name so you don't get no minutes.

This statement applies to the current CVS for 1.8.7 BUILD 110.

> by using:
> ruletype bulk
> {
> type log
> output log_tcpdump: bulk.log
> }
> bulk ip any any -> any any (msg:"Capture all ip packets")
>
> The problem with this format is that reconnections during the same hour 
> overwrite previous ones. During dis-connect processing (/etc/ppp/ip-down 
> -> /etc/sysconfig/network-scripts/ifdown-post 
> -> /sbin/ifdown-local), I invoke a script to rename the file just created. 
> Since I am NOT doing any alerts, (the above is my only rule) I need to 
> know what HOME_NET=$ppp0_ADDRESS was during the capture for subsequent 
> alert processing.
>
> For now I mkdir /var/log/snort/$HOME_NET/ and mv the bulk file using:
>
> #####################################################################
> #!/bin/bash
> # /usr/local/scripts/movelog
>
> logger -t SCRIPT -p local0.info "++++ ${0} ${*} ++++"
>
> if [ $# -lt "1" ]; then
>   echo "External Interface Device argument missing $0"
>   logger -t ipchains -p local0.info "External Interface Device argument missing $0"
>   exit 0
> fi
>
> EXT_IFACE=$1
>
> # Unpack local and remote ip addresses
> LOCAL_IP=`/sbin/ifconfig ${EXT_IFACE} | grep "inet addr:" | awk '{print $2}' | awk 'BEGIN { FS=":" } { print $2}' `
>
> # Move snort.log & bulk.log files to correctly state time
> # MMDD () HH-bulk log --> YYYYMMDD-HHMMSS-packet.log
> # MMDD () HH-snort log --> YYYYMMDD-HHMMSS-alert.log
> # snort-MMDD () HHMM log --> YYYYMMDD-HHMMSS-packet.log
> #
>
> # --------------------------------------------------------------------
> alert ()
> {
> # Check that snort.conf exists.
>   if [ -r ${SNORTCONF} -a -x ${SNORT} ]; then
>
>    $SNORT -r ${TDIR}${LOCAL_IP}/${TSNAM} -u snort -g snort -c ${SNORTCONF2} 
>
>   fi                  ## end of snort.conf
> }
> # --------------------------------------------------------------------
>
> TDIR=/var/log/snort/
> if [ ! -d ${TDIR}${LOCAL_IP}/ ]; then
>   /bin/mkdir ${TDIR}${LOCAL_IP}/
> fi
>
> # --------------------------------------------------------------------
> # Save copy of snort.conf with correct $HOME_NET
>   SNORTCONF1="/etc/snort/snort.conf"
>   SNORTCONF2="${TDIR}${LOCAL_IP}/snort.conf"
>   SNORT="/usr/local/bin/snort"
> if [ ! -e ${TDIR}${LOCAL_IP}/snort.conf ]; then
>   /usr/local/bin/gres "\$ppp0_ADDRESS"  ${LOCAL_IP}  ${SNORTCONF1} > ${SNORTCONF2}
> fi
>
> for fil in ${TDIR}*-bulk.log; do
>   if [ -f ${fil} ]; then
>     TSNAM=`find $fil -printf %AY%Am%Ad-%AH%AM%AS-packet.log `
>     mv -i $fil ${TDIR}${LOCAL_IP}/${TSNAM}
>     alert
>   fi
> done
>
> for fil in ${TDIR}*-snort.log; do
>   if [ -f ${fil} ]; then
>     TSNAM=`find $fil -printf %AY%Am%Ad-%AH%AM%AS-alert.log `
>     mv -i $fil ${TDIR}${LOCAL_IP}/${TSNAM}
>   fi
> done
>
> for fil in ${TDIR}snort-*.log; do
>   if [ -f ${fil} ]; then
>     TSNAM=`find $fil -printf %AY%Am%Ad-%AH%AM%AS-packet.log `
>     mv -i $fil ${TDIR}${TSNAM}
>     alert
>   fi
> done
>
> # That's all :-)
> logger -t SCRIPT -p local0.info "++++ ${0} ${*} completed ++++"
>
> exit
> #####################################################################
>
> This way I can reprocess files at later time.
> --- </snip> ---
>
>  alerts go to this:
>  alert184.full-0421 () 1853 log
>  from this in snort.conf:
>  
>  # output alert_full
>  output alert_full: /var/log/snort/alert184.full
>  # keep as from 1.8.2
>  Are you not getting something similar?
> --- <snip> ---
> For alerts, I'm using the standard:
> output alert_syslog LOG_AUTH LOG_ALERT
> which gives MMDD () HH-snort log, which I also handle in movelog (above).
> --- </snip> ---
>  I start snort from a line within the shell script that brings up my
>  ipchains firewall:
>  /usr/bin/snort184 -b -i ppp0 -o -c /usr/local/snort-1.8.4/snort184.conf &
>  and in snort.conf I have:
>  var HOME_NET $ppp0_ADDRESS
> --- <snip> ---
> When logging: SNORT -i ppp0 -u snort -g snort -c /etc/snort/tcpdump.conf -D 
> and in tcpdump.conf: var HOME_NET $ppp0_ADDRESS
>
> See alert() function above for alerting.
> --- </snip> --- 
>
> -- 
> -------------------------------------------------
> Bob Hillegas           
> <bobhillegas () pdq net> 
>
>
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov

Attachment: patch
Description: