[Snort-users] Newbie - how to extract any info from snort -ve d?

Erik Engberg Erik.Engberg at ...511...
Mon Sep 25 16:11:12 EDT 2000


Hehe, I must be more tired than I knew. I don't know why but I just got some
strange notion that you wanted integrity checking. Silly me ;)

Care to send over the script? Sounds smart and I'm a bit lazy ;)

cheers

/Erik

-----Original Message-----
From: Andreas Maus [mailto:andreas_maus at ...375...]
Sent: den 25 september 2000 22:07
To: Erik Engberg; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Newbie - how to extract any info from snort -ve d?


Erik Engberg wrote:
> 
> When you are at it, implement a "tripwiring" system that'd alert on any
> changes to your static important files. Tripwire for instance ;). There are
> other systems GPL'd as well.
> 
Well, tripwire may work, but I mean (and use) a small bash-script that
counts the lines in the snort.alert file and compares the result with the
number of lines of that file from the previous run (stored in a file). If
we've got new alerts the number of lines in the alert file increases. In
the bash-script we compare the new with the old numbers and find that the
number of the actual file is larger and a mail is sent to a user (e.g.
root). Then we store the actual number of lines in the file and
quit...till the next call from crontab. This script can be done in about
10 lines and so there is no need to launch tools like tripwire...

So long...Andreas.

-- 
@---------------------------------------------@
|           email: andreas_maus at ...375...   |
|       http://www.bigfoot.com/~andreas_maus/ |
@---------------------------------------------@
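
The line-count check described in the quoted message, as an added example (not Andreas's script and not part of the original thread). The file paths, the function names, the "run" argument and the handling of a rotated alert file are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. Assumed paths; adjust to where Snort writes its alert file.
ALERT_FILE="${ALERT_FILE:-/var/log/snort/alert}"
STATE_FILE="${STATE_FILE:-/var/tmp/snort-alert.count}"
MAILTO="${MAILTO:-root}"

# Print how many lines were added to alert file $1 since the count stored
# in state file $2, then store the current count for the next run.
new_alert_lines() {
    alert_file=$1
    state_file=$2
    if [ ! -r "$alert_file" ]; then echo 0; return 0; fi
    cur=$(wc -l < "$alert_file" | tr -d ' ')
    prev=0
    if [ -r "$state_file" ]; then prev=$(cat "$state_file"); fi
    # An empty or non-numeric state file is treated as "no previous run".
    case $prev in ''|*[!0-9]*) prev=0 ;; esac
    # Fewer lines than last time: the file was rotated or truncated,
    # so everything in it is new.
    if [ "$cur" -lt "$prev" ]; then prev=0; fi
    echo "$cur" > "$state_file"
    echo $((cur - prev))
}

# Mail stdin to $MAILTO; $1 is the number of new lines (for the subject).
notify() {
    mail -s "snort: $1 new alert lines" "$MAILTO"
}

# One cron run: mail only the lines that appeared since the previous run.
check_alerts() {
    n=$(new_alert_lines "$ALERT_FILE" "$STATE_FILE")
    [ "$n" -gt 0 ] || return 0
    tail -n "$n" "$ALERT_FILE" | notify "$n"
}

# crontab entry (assumed install path):
#   */5 * * * * /usr/local/bin/snort-alert-check.sh run
if [ "${1:-}" = run ]; then
    check_alerts
fi
```

The count is of lines, not alerts, since one Snort alert entry can span several lines in the alert file.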


