[Snort-users] Possibly useful thing...
alambert at ...387...
Thu Sep 14 17:12:27 EDT 2000
If you're using (or wanting to use) snort in a configuration like
sensor1, sensor2, sensor3, etc. (logging in binary tcpdump only)
and harvest the tcpdump binaries back to a central box to use a separate
copy of snort to import the data into MySQL (in my case for use with
ACID), but want to keep the sensor IDs correct, here's how I did it.
I'm sure someone who knew anything at all about C could do it a
better way; but alas, I know just enough to be dangerous (well, not really
even that much, I had to look up the proper usage of getenv() :)...
From spo_log_database.c at line 319 (CVS source, not 1.6.3), you can make
the following modification:
/* old value = GetUniqueName((char *)pv.interfaces); */
data->sensor_name = getenv("SENSOR");
if (data->sensor_name == NULL)   /* SENSOR not set: keep the old behaviour */
    data->sensor_name = GetUniqueName((char *)pv.interfaces);
Then when you're importing the files from various hosts into your
database, do it with a shell script that does "export
SENSOR=whateveryouwant" prior to running the snort->db import process. I.e.,
in my case, I harvest the files onto my database server with names like
"18.104.22.168.snort-0000 at ...458...", so my shell script looks something like:
if [ ! -f "$1" ] ; then
    echo "usage: $0 <tcpdump-file>" >&2 ; exit 1
fi
SENSOR=`echo $1 | cut -d"." -f1,2,3,4`
export SENSOR                  # snort's getenv("SENSOR") only sees exported vars
snort -r "$1" -c /path/to/rules.master.db
Which is a script I call with another one that is doing basically:
for i in /path/to/new/files/* ; do
    /path/to/import-script "$i"          # the script above; name is a placeholder
    if [ "$?" = "0" ] ; then
        mv "$i" /path/to/archive/files
    fi
done
(with a lot more error checking, and other unrelated ugly things
going on in the real versions than either of the above).
That way I get nice data in my database, and don't get confused by
all reports showing up as having come from my DB boxen. :)
Now, before anyone with a better idea flames me, I already know
that the above is probably a very ugly way to do it (I'm pretty sure you
can overflow getenv();, so don't run it on a box you don't trust); just
thought I'd share my experiences in case someone might find them useful.
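The two script fragments in the post above, written out as one complete import pipeline. This is an added example and not the poster's own scripts: it assumes harvested files are named <sensor-ipv4>.snort-<seq>[@<host>] as the post describes, that IMPORT_CMD is the patched snort (which reads the SENSOR environment variable) and RULES its -c config, and it adds the check the fragments leave out: a file whose name does not start with a valid dotted-quad address is refused rather than logged under a bogus sensor name, and a file is only archived after its import succeeded.

```shell
#!/bin/sh
# Added example (not from the original post): import harvested Snort
# tcpdump files into the database under the sensor name taken from the
# file name, archiving each file only after a successful import.
#
# Assumptions (not in the original post): harvested files are named
# <sensor-ipv4>.snort-<seq>[@<host>]; IMPORT_CMD is the patched snort
# that reads the SENSOR environment variable; RULES is its -c config.
: "${IMPORT_CMD:=snort}"
: "${RULES:=/path/to/rules.master.db}"

# Print the dotted-quad sensor address a harvested file name starts with.
# Returns 1 (and prints nothing) if the name does not start with a valid
# IPv4 address, so a stray file is never imported under a bogus name.
sensor_from_name() {
    _ip=$(basename "$1" | cut -d. -f1,2,3,4)
    case "$_ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, empty octet
    esac
    _oldifs=$IFS; IFS=.; set -- $_ip; IFS=$_oldifs
    [ $# -eq 4 ] || return 1                 # exactly four octets
    for _oct in "$@"; do
        [ "$_oct" -le 255 ] || return 1      # each octet in range
    done
    printf '%s\n' "$_ip"
}

# Import one file with SENSOR set for the importer only, then archive it.
# Returns non-zero, and leaves the file where it is, if anything fails.
import_file() {
    _file=$1 _archive=$2
    _sensor=$(sensor_from_name "$_file") || {
        echo "skipping $_file: name does not start with a sensor address" >&2
        return 1
    }
    SENSOR=$_sensor "$IMPORT_CMD" -r "$_file" -c "$RULES" || return 1
    mv "$_file" "$_archive/"
}

# Import every file in directory $1, moving the successful ones into $2.
# Returns the number of files that were not imported (0 = all imported;
# the shell caps the value at 255).
import_dir() {
    _failed=0
    for _f in "$1"/*; do
        [ -f "$_f" ] || continue             # empty dir leaves the literal glob
        import_file "$_f" "$2" || _failed=$((_failed + 1))
    done
    return $_failed
}
```

Setting SENSOR as a prefix assignment on the snort command line (rather than exporting it into the whole script) means nothing else the script runs inherits a stale sensor name, and the file name validation is what stops, for example, a leftover "snort.log" from ending up in the database attributed to a sensor called "snort".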