Snort mailing list archives

Re: Snort-Swatch


From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Tue, 23 Sep 2003 23:53:51 +0200


Well...
(freezing my knoppix.... ;)

logsurfer is quite an easy tool to use. I don't know if this is the
right place to explain the whole thing, since it already has good
documentation - including usage examples. It continuously watches the
logfile you define, although it also has a single-shot mode. You may
want to get some information out of your old logfiles that way. It uses
regular expressions to match a line you may be interested in. You
may, however, also define what should not be in the line, which gives you
the possibility to match the lines in a highly focused, specific
context, since error messages - for which you may be looking - sometimes
look similar to other error messages, which may produce some confusion.

The other nice thing is the possibility to collect the messages in a
kind of container and do something with them at once - for example to
mail several login attempts at once, or all invalid packets from
your iptables ruleset - just an example. These containers are also called
a "context" - pretty self-explanatory. I use this possibility for Apache
in order to catch a whole session after a specific event has occurred -
internal server error, for example.

So, the configuration syntax is like this:

match_regex match_not_regex line_limit timeout_abs timeout_rel
default_action

default action may be:

ignore, exec, pipe, report (see the man page for more information)

So with this rule, priority 1 alerts will be collected and mailed to
you (and everything else will be ignored):

###
# logsurfer config for Snort's alert file
# Avoid empty lines, use '#' instead
#
# Report only priority 1 alerts for now (one rule per line)
'\[Classification: (.*)\] \[Priority: 1\]' - - - 0 open (.*) - 3 5 - pipe "/bin/mail -s \"\[IDS SENSOR 1\] ALERT: Snort detected a Priority 1 security incident\" security () jonbaer net"
#
# Ignore the rest
'(.*)' - - - 0 ignore
###

Save this in a file /etc/logsurfer/alert.conf and run logsurfer like
this (possibly not as root):

logsurfer -c /etc/logsurfer/alert.conf \
          -d /etc/logsurfer/alert.dump \
          -p /var/run/logsurfer_alert.pid \
          -f /var/log/snort/alert

There is a possibility to tell logsurfer to process the file from a
specific line. That is nice since the alert file may be quite big. In
that case try something like this (using su to run logsurfer as user
nobody here):

$ su nobody -c "/usr/local/bin/logsurfer \
            -c /etc/logsurfer/alert.conf \
            -l `wc -l /var/log/snort/alert | awk '{print $1}'` \
            -d /etc/logsurfer/alert.dump \
            -p /var/run/logsurfer_alert.pid \
            -f /var/log/snort/alert &"

So, my emails look like this:

[Classification: Web Application Attack] [Priority: 1]
09/11/03-12:14:28.282758 0:2:B3:C7:D:E1 -> 0:6:5B:8F:9D:1F type:0x800 len:0x27C 172.16.0.1:43070 -> 172.16.0.254:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:622
***AP*** Seq: 0x88C22700  Ack: 0xE6FDE3E3  Win: 0x88E0  TcpLen: 20

Now, it's ACID's turn...

Hope I could help,

Regards,
Edin

Keaton, Lindamaria wrote:
> No I don't have to you use swatch


--
Edin Dizdarevic
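To make the context mechanism from the post concrete, here is an added illustration that is my own code, not logsurfer's and not from the post: a small Python model of the rule semantics described above (match regex plus optional not-match regex, an 'open' action that collects the triggering line and the following lines into a context, a line_limit and an absolute timeout that close the context and fire its default action, and a catch-all 'ignore' rule). It runs the two rules from the post over a constructed Snort alert file (not real traffic); /bin/mail is replaced by an in-memory outbox, a fake clock stands in for wall time so timeout_abs can be exercised, and `skip_lines` plays the role of the `-l` option. timeout_rel and logsurfer's 'continue' flag are not modelled, and the exact ordering logsurfer uses internally is my assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample in Snort's full alert format (no real traffic). Within an alert the
# line order matches the post's e-mail: classification line, then timestamp, then protocol.
SAMPLE_ALERT_LOG = """\
[**] [1:1000001:0] LOCAL web exploit attempt [**]
[Classification: Web Application Attack] [Priority: 1]
09/11/03-12:14:28.282758 172.16.0.1:43070 -> 172.16.0.254:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:622

[**] [1:1000002:0] LOCAL ICMP ping sweep [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/11/03-12:15:01.000001 10.0.0.5 -> 172.16.0.254
ICMP TTL:44 TOS:0x0 ID:0 IpLen:20 DgmLen:28

[**] [1:1000003:0] LOCAL /etc/passwd access attempt [**]
[Classification: Web Application Attack] [Priority: 1]
09/11/03-12:16:40.123456 172.16.0.7:51000 -> 172.16.0.254:80
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:500
"""

MAIL_SUBJECT = "[IDS SENSOR 1] ALERT: Snort detected a Priority 1 security incident"

# A rule is (match_regex, match_not_regex or None, action); the first matching rule wins.
Rule = Tuple[re.Pattern, Optional[re.Pattern], Callable[["Engine", str, float], None]]


def wanted(line: str, match: re.Pattern, not_match: Optional[re.Pattern]) -> bool:
    """match_regex must hit and match_not_regex (if given) must not: the 'focused' match."""
    return bool(match.search(line)) and not (not_match and not_match.search(line))


@dataclass
class Context:
    """Lines collected after an 'open'; fires `action` once full or once timeout_abs passes."""
    collect: re.Pattern
    line_limit: int
    timeout_abs: float
    opened_at: float
    action: Callable[[str], None]
    lines: List[str] = field(default_factory=list)

    def fire(self) -> None:
        self.action("\n".join(self.lines))


class Engine:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.contexts: List[Context] = []

    def feed(self, line: str, now: float) -> None:
        # 1. Contexts past their absolute timeout fire with whatever they collected so far
        #    (assumed ordering; this is how a partial alert can end up in a mail).
        for ctx in [c for c in self.contexts if now - c.opened_at >= c.timeout_abs]:
            ctx.fire()
            self.contexts.remove(ctx)
        # 2. Offer the line to every open context; a context that reaches line_limit fires.
        for ctx in list(self.contexts):
            if ctx.collect.search(line):
                ctx.lines.append(line)
            if len(ctx.lines) >= ctx.line_limit:
                ctx.fire()
                self.contexts.remove(ctx)
        # 3. The first rule whose regexes accept the line decides the action
        #    (logsurfer's 'continue' flag and timeout_rel are not modelled).
        for match, not_match, action in self.rules:
            if wanted(line, match, not_match):
                action(self, line, now)
                break


def open_context(collect: str, line_limit: int, timeout_abs: float,
                 default_action: Callable[[str], None]):
    """Build an 'open' action; the triggering line itself lands in the new context."""
    def act(engine: Engine, line: str, now: float) -> None:
        ctx = Context(re.compile(collect), line_limit, timeout_abs, now, default_action)
        ctx.lines.append(line)
        engine.contexts.append(ctx)
    return act


def process(text: str, skip_lines: int = 0, seconds_per_line: float = 0.0) -> List[Dict[str, str]]:
    """Run the post's two rules over text. skip_lines plays the role of logsurfer -l (resume
    after an already-seen line count); seconds_per_line is a fake clock for timeout_abs."""
    outbox: List[Dict[str, str]] = []

    def pipe_to_mail(body: str) -> None:       # stand-in for piping into /bin/mail -s ...
        outbox.append({"subject": MAIL_SUBJECT, "body": body})

    rules: List[Rule] = [
        (re.compile(r"\[Classification: (.*)\] \[Priority: 1\]"), None,
         open_context(r"(.*)", line_limit=3, timeout_abs=5, default_action=pipe_to_mail)),
        (re.compile(r"(.*)"), None, lambda engine, line, now: None),   # ignore the rest
    ]
    engine = Engine(rules)
    for lineno, line in enumerate(text.splitlines()):
        if lineno >= skip_lines:
            engine.feed(line, now=lineno * seconds_per_line)
    return outbox
```

Run over the sample, `process(SAMPLE_ALERT_LOG)` yields two mails, each carrying the three lines of a priority 1 alert and nothing from the priority 2 one; `process(SAMPLE_ALERT_LOG, skip_lines=5)` yields only the second, which is the effect the `-l` line-count trick in the post is after. The fake clock shows the caveat worth keeping in mind with `timeout_abs 5`: if Snort writes the remaining lines of an alert slowly (here, three simulated seconds per line), the context fires early and the mail contains only part of the alert. When running the real logsurfer as `nobody` as in the post, also check that that user can read /var/log/snort/alert and write the `-d` dump file and the `-p` pid file, since an unprivileged process cannot create them in directories it lacks permission for.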



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users