[Snort-users] Possibly useful thing...

A.L.Lambert alambert at ...387...
Thu Sep 14 17:12:27 EDT 2000


	If you're using (or wanting to use) snort in a configuration like
the following:

sensor1, sensor2, sensor3, etc. (logging in binary tcpdump only)

and harvest the tcpdump binaries back to a central box to use a separate
copy of snort to import the data into MySQL (in my case for use with
ACID), but want to keep the sensor IDs correct, here's how I did it.

	I'm sure someone who knew anything at all about C could do it a
better way; but alas, I know just enough to be dangerous (well, not really
even that much, I had to look up the proper usage of getenv()  :)...

From spo_log_database.c at line 319 (CVS source, not 1.6.3), you can make
the following modification:

    data->sensor_name = getenv("SENSOR");   /* NULL if SENSOR is not exported */
    /* old value = GetUniqueName((char *)pv.interfaces[0]); */

and recompile.

	Then when you're importing the files from various hosts into your
database, do it with a shell script that does "export
SENSOR=whateveryouwant" prior to running the snort->db import process, i.e.,
in my case, I harvest the files onto my database server with names like
"1.1.1.1.snort-0000 at ...458...", so my shell script looks something like:

#!/bin/sh
# snort-db-import: import one capture file, tagging it with its sensor

if [ ! -f "$1" ] ; then
exit 1
fi

# sensor name = first four dot-separated fields of the file name (the IP)
SENSOR=`basename "$1" | cut -d"." -f1,2,3,4`
export SENSOR
snort -r "$1" -c /path/to/rules.master.db
exit $?

### EOF

	Which is a script I call with another one that is doing basically:

#!/bin/sh
# import every new capture file, archiving each one that imports cleanly

for i in /path/to/new/files/* ; do
snort-db-import "$i"
	if [ "$?" = "0" ] ; then
	mv "$i" /path/to/archive/files
	fi
done

### EOF

	(with a lot more error checking, and other unrelated ugly things
going on in the real versions than either of the above).

	That way I get nice data in my database, and don't get confused by
all reports showing up as having come from my DB boxen. :)

	Now, before anyone with a better idea flames me, I already know
that the above is probably a very ugly way to do it (I'm pretty sure you
can overflow getenv(), so don't run it on a box you don't trust); just
thought I'd share my experiences in case someone might find them useful.
Cheers!

	--A.L.Lambert
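
Added example, not from the post above or from Snort's source: a guarded
version of the one-line getenv() change, in C. The concern with the raw
assignment is that getenv() returns NULL when SENSOR is not exported, and
that whatever is in the variable ends up inside the INSERT the database
plugin builds. Here `fallback` stands in for what the original line
computed (GetUniqueName() on the first interface), and the 64-byte cap is
an assumption; size it to the column in your schema.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap on the sensor name; size it to the DB column. */
#define SENSOR_NAME_MAX 64

/* Heap copy of s, like strdup() (written out to stay in plain C). */
static char *copy_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *out = malloc(n);
    if (out != NULL)
        memcpy(out, s, n);
    return out;
}

/* Decide the sensor name from a candidate (what getenv("SENSOR") gave)
 * and a fallback (what the original line computed). The candidate is
 * accepted only if it is set, non-empty, at most SENSOR_NAME_MAX bytes
 * and made only of [A-Za-z0-9._-]; anything else, including quotes or
 * other SQL metacharacters, falls back. Returns a malloc'd string or
 * NULL on allocation failure. */
char *choose_sensor_name(const char *candidate, const char *fallback)
{
    const char *p;

    if (candidate == NULL || *candidate == '\0')
        return copy_str(fallback);
    if (strlen(candidate) > SENSOR_NAME_MAX)
        return copy_str(fallback);
    for (p = candidate; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return copy_str(fallback);
    }
    return copy_str(candidate);
}

/* Replacement for the patched line in spo_log_database.c, i.e.
 *   data->sensor_name = sensor_name_from_env(<old value>);
 * so a missing or odd SENSOR silently keeps the old behaviour. */
char *sensor_name_from_env(const char *fallback)
{
    return choose_sensor_name(getenv("SENSOR"), fallback);
}
```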
