[Snort-users] ANNOUNCE: logsnorter. Merge ipchains/Cisco access-lists into snort
Jason.Haar at ...294...
Wed Jan 17 20:31:58 EST 2001
This is the first release of logsnorter for general consumption.
This perl script scans syslog messages (typically in real-time), picks up
any "reject packet" messages generated by Ciscos or Linux ipfw/ipchains and
logs them into your central Snort SQL database. This allows you to "expand"
the reach of snort without having to put snort out into weird areas - like
in front of your perimeter router/firewall...
Typically invoked for real-time action as:
logsnorter -T /var/log/syslog
For post-processing (e.g. yesterday's syslog messages), try:
cat /var/log/syslog.1|logsnorter -t
There's a perldoc page ("perldoc logsnorter") showing the options - the main
one to figure out is the /etc/logsnorter.conf config file.
[This is my first attempt at perldoc - can someone tell me how to stop
perldoc wrapping text - it really screwed up the example config file]
Please give it a go - it will explicitly exit when it meets a syslog line
it thinks it should know about that doesn't match its current subroutines.
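As an added illustration of the two behaviours described above (picking "reject packet" lines out of syslog and bailing out on a line that looks relevant but matches no known pattern), here is a small Python parser that is not logsnorter's own code. The regexes follow the ipchains "Packet log:" and Cisco IOS "%SEC-6-IPACCESSLOGP" formats as I know them, the record layout and the function names are my own assumptions, and the sample syslog lines are constructed.

```python
import re
from typing import Optional

# Added example, not logsnorter's code: normalise firewall reject lines from
# syslog into records that a central-database loader could insert.

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Linux 2.2 ipchains kernel log line (assumed format), e.g.
#   Packet log: input DENY eth0 PROTO=6 192.0.2.10:1234 198.51.100.5:23 L=60 ...
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Cisco IOS access-list log line with ports (assumed format), e.g.
#   %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4021) -> 198.51.100.2(80), 1 packet
CISCO_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


class UnparsedLine(Exception):
    """A line that looks like a firewall log entry but matched no parser."""


def parse_line(line: str) -> Optional[dict]:
    """Return a reject record, None for lines that are not rejects, or raise.

    Raising on a recognisable-but-unmatched line mirrors the "explicitly exit"
    behaviour: silently dropping such lines would hide gaps in coverage.
    """
    m = IPCHAINS_RE.search(line)
    if m:
        if m.group("action") not in ("DENY", "REJECT"):
            return None  # ipchains also logs ACCEPTs; those are not rejects
        return {
            "source": "ipchains",
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "proto": PROTO_NAMES.get(int(m.group("proto")), m.group("proto")),
            "count": 1,
        }
    m = CISCO_RE.search(line)
    if m:
        if m.group("action") != "denied":
            return None
        return {
            "source": "cisco",
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "proto": m.group("proto"),
            "count": int(m.group("count")),
        }
    # Anything carrying a firewall-log marker that no regex handled is a bug
    # in the parser, not noise: surface it instead of dropping it.
    if "Packet log:" in line or "IPACCESSLOG" in line:
        raise UnparsedLine(line)
    return None


def reject_records(lines) -> list:
    """Parse a syslog stream and keep only the reject records."""
    return [rec for rec in (parse_line(ln) for ln in lines) if rec is not None]


# Constructed sample syslog lines (RFC 5737 addresses), not real log data.
SAMPLE_SYSLOG = [
    "Jan 17 20:31:58 fw kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.10:1234 198.51.100.5:23 L=60 S=0x00 I=12345 F=0x4000 T=64 SYN (#2)",
    "Jan 17 20:31:59 fw kernel: Packet log: input ACCEPT eth0 PROTO=17 "
    "192.0.2.11:53 198.51.100.5:1025 L=80 S=0x00 I=12346 F=0x0000 T=64 (#1)",
    "Jan 17 20:32:01 rtr 15: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "203.0.113.7(4021) -> 198.51.100.2(80), 1 packet",
    "Jan 17 20:32:05 fw sshd[123]: Accepted publickey for jason from 192.0.2.20",
]

# Constructed: a Cisco variant without ports that the parser above does not handle.
UNKNOWN_LINE = ("Jan 17 20:33:10 rtr 16: %SEC-6-IPACCESSLOGNP: list 101 denied 47 "
                "203.0.113.9 -> 198.51.100.2, 1 packet")

if __name__ == "__main__":
    for rec in reject_records(SAMPLE_SYSLOG):
        print(rec)
```

Feeding the unknown Cisco variant through `parse_line` raises `UnparsedLine`, which is the point: a loader that fails loudly tells you which log format still needs a subroutine, rather than quietly shrinking the picture the central database gives you.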
Let me know of any such issues, and those BSD users out there - how about
writing a few "modules" for ipfilter/etc support? Hmmm? :-)
I will be working on Linux 2.4 iptables support and (perhaps) PIX support.
No home for it yet - maybe www.snort.org?
Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 6193 bytes
Desc: not available