[Snort-users] Newbie - how to extract any info from snort -ve d?

Andreas Maus andreas_maus at ...375...
Mon Sep 25 16:07:13 EDT 2000


Erik Engberg wrote:
> 
> When you are at it, implement a "tripwiring" system that'd alert on any
> changes to your static important files. Tripwire for instance ;). There are
> other systems GPL'd as well.
> 
Well, tripwire may work, but I mean (and use) a small bash-script that
counts the lines in the snort.alert file and compares the result with
the number of lines of that file from the previous run (stored in a
file). If we've got new alerts the number of lines in the alert file
increases. In the bash-script we compare the new with the old numbers
and find that the number of the actual file is larger and a mail is sent
to a user (e.g. root). Then we store the actual number of lines in the
file and quit...till the next call from crontab. This script can be done
in about 10 lines and so there is no need to launch tools like
tripwire...

So long...Andreas.

-- 
@---------------------------------------------@
|           email: andreas_maus at ...375...   |
|       http://www.bigfoot.com/~andreas_maus/ |
@---------------------------------------------@
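
The line-count check described in this message could look like the following; this is an added example, not Andreas Maus's own script. The file paths, the MAILTO default, the `--run` switch and the handling of an alert file that shrank (log rotation) are assumptions that go beyond what the post describes.

```shell
#!/bin/sh
# Added example: cron-driven check for new lines in the Snort alert file.
# All paths and the recipient below are assumed defaults, not from the post.
# Example crontab entry (assumed install path):
#   */5 * * * * /usr/local/sbin/snort-watch.sh --run
ALERT_FILE="${ALERT_FILE:-/var/log/snort/snort.alert}"
# Keep the state file in an existing root-only directory so that an
# unprivileged user cannot raise the stored count and suppress mails.
STATE_FILE="${STATE_FILE:-/var/lib/snort-watch/lines}"
MAILTO="${MAILTO:-root}"

# Print how many lines were added since the previous run, then store
# the current line count for the next run.
new_alert_lines() {
    alert_file=$1
    state_file=$2
    [ -r "$alert_file" ] || { echo 0; return 1; }
    now=$(wc -l < "$alert_file" | tr -d ' ')
    prev=0
    if [ -r "$state_file" ]; then prev=$(cat "$state_file"); fi
    # A missing or corrupted state file counts as "nothing seen yet".
    case $prev in ''|*[!0-9]*) prev=0 ;; esac
    # Fewer lines than last time: the file was rotated or truncated,
    # so every line now in it is new.
    if [ "$now" -lt "$prev" ]; then prev=0; fi
    echo "$now" > "$state_file"
    echo $((now - prev))
}

# Mail only the newly added lines to MAILTO.
watch_alerts() {
    added=$(new_alert_lines "$ALERT_FILE" "$STATE_FILE") || return 1
    if [ "$added" -gt 0 ]; then
        tail -n "$added" "$ALERT_FILE" |
            mail -s "snort: $added new alert line(s)" "$MAILTO"
    fi
}

if [ "${1:-}" = "--run" ]; then
    watch_alerts
fi
```
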


