Snort mailing list archives
Re: Snort-Swatch
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Tue, 23 Sep 2003 23:53:51 +0200
Weell... (freezing my knoppix.... ;) logsurfer is a quite easy tool to use. I don't know if this is the right place to explain the whole thing, since it already has good documentation, including usage examples.

It continuously watches the logfile you define, although it also has a single-shot mode. You may want to get some information out of your old logfiles that way. It uses regular expressions to match a line you may be interested in. You may, however, also define what should not be in the line, which gives you the possibility to match the lines in a highly focused, specific context, since error messages (for which you may be looking) sometimes look similar to other error messages, which may produce some confusion.

The other nice thing is the possibility to collect the messages in a kind of container and do something with them at once, for example to mail several login attempts at once or all invalid packets from your iptables ruleset (just an example). These containers are also called a "context", pretty self-explanatory. I use this possibility for apache in order to catch a whole session after a specific event has occurred, an internal server error, for example.

So, the configuration syntax is like this:

    match_regex match_not_regex line_limit timeout_abs timeout_rel default_action

default_action may be: ignore, exec, pipe, report (see the man page for more information).

So with this rule, priority 1 alerts will be collected and mailed to you (and everything else will be ignored):

    ###
    # logsurfer config for Snort's alert file
    # Avoid empty lines, use '#' instead
    #
    # Report only priority 1 alerts for now (put this in one line best)
    '\[Classification: (.*)\] \[Priority: 1\]' - - - 0
        open (.*) - 3 5 - pipe "/bin/mail -s \"\[IDS SENSOR 1\] ALERT: Snort detected a Priority 1 security incident\" security () jonbaer net"
    #
    # Ignore the rest
    '(.*)' - - - 0 ignore
    ###

Save this in a file /etc/logsurfer/alert.conf and run logsurfer like this (possibly not as root):

    logsurfer -c /etc/logsurfer/alert.conf \
        -d /etc/logsurfer/alert.dump \
        -p /var/run/logsurfer_alert.pid \
        -f /var/log/snort/alert

There is a possibility to tell logsurfer to process the file from a specific line. That is nice since the alert file may be quite big. In that case try something like this (using su to run logsurfer as user nobody here):

    $ su nobody -c "/usr/local/bin/logsurfer \
        -c /etc/logsurfer/alert.conf \
        -l `wc -l /var/log/snort/alert | awk '{print $1}'` \
        -d /etc/logsurfer/alert.dump \
        -p /var/run/logsurfer_alert.pid \
        -f /var/log/snort/alert &"

So, my emails look like this:

    [Classification: Web Application Attack] [Priority: 1]
    09/11/03-12:14:28.282758 0:2:B3:C7:D:E1 -> 0:6:5B:8F:9D:1F type:0x800 len:0x27C
    172.16.0.1:43070 -> 172.16.0.254:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:622
    ***AP*** Seq: 0x88C22700 Ack: 0xE6FDE3E3 Win: 0x88E0 TcpLen: 20

Now, it's ACID's turn...

Hope I could help,

Regards,
Edin

Keaton, Lindamaria wrote:

> No, I don't have to use swatch
--
Edin Dizdarevic
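As an added example (not from Edin's post and not logsurfer's own code), a small Python model of what the posted config does: the same match_regex is applied to constructed Snort alert lines, matching lines are collected into a context, and the batch is handed off at once when the line limit of 3 is reached or the 5-second absolute timeout expires. The action is a plain callable standing in for the config's pipe to /bin/mail, and the timeout handling is an assumed simplification of logsurfer's real scheduling.

```python
import re
import time

# Same match_regex as the posted config: a Snort alert line with a classification and Priority 1.
PRIORITY1_RE = re.compile(r'\[Classification: (.*)\] \[Priority: 1\]')
# Constructed Snort alert-file lines (made up for this example, not real traffic).
SAMPLE_ALERTS = [
    "[**] [1:1000001:1] WEB-MISC test [**] [Classification: Web Application Attack] [Priority: 1]",
    "[**] [1:1000002:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3]",
    "[**] [1:1000003:1] WEB-MISC test [**] [Classification: Web Application Attack] [Priority: 1]",
    "[**] [1:1000004:1] WEB-MISC test [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1]",
    "[**] [1:1000005:1] WEB-MISC test [**] [Classification: Web Application Attack] [Priority: 1]",
]

class AlertContext:
    """Simplified model of a logsurfer context (an assumed approximation of logsurfer's real scheduling):
    collect matching lines, then fire the action once line_limit lines are held or timeout_abs seconds passed."""
    def __init__(self, line_limit, timeout_abs, action, clock=time.monotonic):
        self.line_limit, self.timeout_abs, self.action, self.clock = line_limit, timeout_abs, action, clock
        self.lines, self.opened_at = [], None

    def feed(self, line):
        """Offer one log line; return True if it matched and was collected."""
        self.check_timeout()  # every line, matching or not, lets an open context age out
        if not PRIORITY1_RE.search(line):
            return False
        if self.opened_at is None:
            self.opened_at = self.clock()
        self.lines.append(line)
        if len(self.lines) >= self.line_limit:
            self.close()
        return True

    def check_timeout(self):
        if self.opened_at is not None and self.clock() - self.opened_at >= self.timeout_abs:
            self.close()

    def close(self):  # hand the batch to the action (the config's 'pipe') and reset the context
        if self.lines:
            self.action(self.lines)
        self.lines, self.opened_at = [], None

def run(lines, line_limit=3, timeout_abs=5.0, clock=time.monotonic):
    """Single-shot mode: feed every line through one context and return the batches it emitted."""
    batches = []
    ctx = AlertContext(line_limit, timeout_abs, batches.append, clock)
    for line in lines:
        ctx.feed(line)
    ctx.close()  # flush whatever is still open at end of file
    return batches
```

Passing a different clock to run() makes the timeout path observable without waiting: with a clock that advances 2 seconds per call, the first batch closes on age after two lines instead of on the line limit.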