[Snort-users] alert methods

Robert E. Leever bel1 at ...358...
Fri Oct 6 12:43:29 EDT 2000


OK, here 'tis.  It works fine on Solaris systems 2.3 through 2.8
[and SunOS 4.1.3, if anyone cares anymore].
It will work on HP-UX 9.x, 10.x and 11.0, and AIX 3.x and 4.3 too, but I haven't
tested it on anything else.  I start it right after I start snort as part
of the boot sequence by putting them into an /etc/rc3.d/S99security script
[Solaris, of course].

If you don't care about keeping the snort.alert file relatively small,
you can comment out everything between the two "### keep" lines.

#! /bin/sh
# index: tests size of snort log and mails it to me if it changes
# index: eventually it could mail it to my beeper too.
# index: designed to run forever & wake up every 10 seconds.
# index: if you want it run slower make it sleep longer.
# index: put your mail address in ME=
#
ME=
SAM=/var/log/snort.alert
# scratch file used while trimming; per-process name instead of a fixed /tmp/x
TMP=/tmp/snortalert.$$
if [ -z "$ME" ]; then
   echo "$0: put your mail address in ME= before starting" 1>&2
   exit 1
fi
# SIZE is always a line count (wc -l), the same unit as NSIZE below
if [ -f $SAM ]; then
   SIZE=`wc -l < $SAM`
else
   SIZE=0
fi
##
trap "" 1
trap "rm -f $TMP; exit" 2 15
## run forever
while true
do
if [ -f $SAM ];
then
   NSIZE=`wc -l < $SAM`
   if [ $NSIZE -ne $SIZE ]; then
# calculate the number of new lines; if the file shrank (rotated or
# truncated by something else) mail what is there instead of "tail --N"
      if [ $NSIZE -gt $SIZE ]; then
         l=`expr $NSIZE - $SIZE`
      else
         l=$NSIZE
      fi
      [ $l -gt 0 ] && tail -$l $SAM | mail $ME
      SIZE=$NSIZE
### keep the snort alert file a reasonable size
      if [ $NSIZE -ge 1000 ]; then
         tail -1000 $SAM > $TMP
         cat $TMP > $SAM
# cat doesn't change the inode; otherwise snort may lose the file.
         rm -f $TMP
# re-count lines: "ls -la | awk '{print $5}'" returned bytes, not lines
         SIZE=`wc -l < $SAM`
      fi
### keep the snort alert file a reasonable size (end)
   fi
fi
sleep 10
done
#
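The script's "cat doesn't change the inode" comment is the part most worth seeing rather than taking on faith: a sensor that holds the alert file open keeps writing to the inode it opened, so trimming must write through the existing file, not rename a new one into place. The following is an added example, not the poster's script and not part of Snort; it builds a constructed alert file in a private temporary directory (paths and function names are my own), compares in-place truncation against `mv` replacement by inode number, and shows the new-line arithmetic with the shrink case handled.

```shell
#!/bin/sh
# Added example (not from the original post): why the poster trims with
# "cat > file" instead of replacing the file, and how to count newly
# appended lines. Everything lives under a throwaway directory.

DEMO_DIR=$(mktemp -d)            # constructed scratch area for the demo
ALERT="$DEMO_DIR/snort.alert"    # hypothetical alert file, not /var/log
trap 'rm -rf "$DEMO_DIR"' EXIT

# inode_of FILE: print the inode number (ls -i is portable across sh flavours)
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# make_alerts FILE N: write N constructed alert lines into FILE
make_alerts() {
    : > "$1"
    i=1
    while [ "$i" -le "$2" ]; do
        printf '[**] constructed alert %d [**]\n' "$i" >> "$1"
        i=$((i + 1))
    done
}

# trim_in_place FILE N: keep the last N lines, writing back through the
# existing file so the inode (and any open writer's descriptor) survives.
trim_in_place() {
    tmp="$1.trim.$$"
    tail -n "$2" "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# replace_file FILE N: the tempting alternative. mv gives the path a new
# inode; a process still writing to the old inode now writes to a file
# that nothing reads, and the monitor sees a quiet log.
replace_file() {
    tmp="$1.trim.$$"
    tail -n "$2" "$1" > "$tmp" && mv "$tmp" "$1"
}

# new_lines OLD NEW: lines appended since the last check; if the file
# shrank (external rotation/truncation) report everything now present
new_lines() {
    if [ "$2" -ge "$1" ]; then echo $(($2 - $1)); else echo "$2"; fi
}

# inode_preserved: prints 1 if trim_in_place kept the inode, else 0
inode_preserved() {
    make_alerts "$ALERT" 1200
    before=$(inode_of "$ALERT")
    trim_in_place "$ALERT" 1000
    after=$(inode_of "$ALERT")
    [ "$before" = "$after" ] && echo 1 || echo 0
}

# inode_changed: prints 1 if replace_file changed the inode, else 0
inode_changed() {
    make_alerts "$ALERT" 1200
    before=$(inode_of "$ALERT")
    replace_file "$ALERT" 1000
    after=$(inode_of "$ALERT")
    [ "$before" != "$after" ] && echo 1 || echo 0
}

# line_count FILE: line count with any leading whitespace stripped
line_count() { wc -l < "$1" | tr -d ' '; }

# usage: run the two comparisons and report
echo "cat-through keeps inode:   $(inode_preserved)"
echo "mv replacement changes it: $(inode_changed)"
echo "lines after trim:          $(line_count "$ALERT")"
```

The `new_lines` helper is the piece to carry back into a monitor loop: a plain `NEW - OLD` goes negative when something else rotates the file, and `tail -<negative>` is an error rather than a mail, so the fallback to "everything present" keeps alerts flowing across a rotation.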