[Snort-users] Logcheck and Snort

Robert E. Leever bel1 at ...358...
Wed Mar 7 12:04:28 EST 2001


The following script [which appeared in this list about 8 mo ago]
will email "Admin" the changes in the file "SAM" every time it
changes.  It could be simplified, i.e. instead of tail -$i into a
tmp file it could just tail into mail...but then I wouldn't know
which host was reporting.  [I have snort running on about 100 internal
subnets.]

b;)		b;) ever since Micro$oft copyrighted Bob.

#! /bin/sh

# index: tests size of snort log and mails it to me if it changes.
# index: designed to run forever & wake up every 10 seconds.

Admin=               # address that receives the mail (fill in)
SAM=                 # snort alert file to watch (fill in)

# an empty SAM makes "[ -f $SAM ]" a syntax error, so refuse to start
if [ -z "$Admin" ] || [ -z "$SAM" ]; then
   echo "set Admin and SAM before running" >&2
   exit 1
fi

# line count of the alert file at startup (0 if it does not exist yet)
if [ -f "$SAM" ]; then
   SIZE=$(wc -l < "$SAM")
else
   SIZE=0
fi
##
host=$(uname -n)
trap "" 1            # ignore SIGHUP so the loop survives logout
while true
do

if [ -f "$SAM" ];
then
   NSIZE=$(wc -l < "$SAM")
   if [ "$NSIZE" != "$SIZE" ]; then
      # mktemp instead of a fixed /tmp name: a predictable file in /tmp
      # can be pre-created or symlinked by any local user
      TMP=$(mktemp) || exit 1
      echo "$host" > "$TMP"
      if [ "$NSIZE" -lt "$SIZE" ]; then
         i=$NSIZE      # file shrank (rotated?): report everything in it
      else
         i=$((NSIZE - SIZE))
      fi
      tail -n "$i" "$SAM" >> "$TMP"
      mail -s "snort alerts from $host" "$Admin" < "$TMP"
      rm -f "$TMP"
# keep the file a reasonable size
      if [ "$NSIZE" -ge 100 ]; then
         # cat > "$SAM" (rather than mv) keeps the inode, so snort's open
         # file handle keeps writing to it; anything snort appends between
         # the tail and the cat is lost, so don't treat this file as an
         # audit record
         TMPX=$(mktemp) || exit 1
         tail -n 100 "$SAM" > "$TMPX"
         cat "$TMPX" > "$SAM"
         rm -f "$TMPX"
         SIZE=$(wc -l < "$SAM")
      else
         SIZE=$NSIZE
      fi
   fi
fi
sleep 10
done
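An added example, not the poster's script, of the same report-only-the-new-lines idea done with a byte offset kept in a state file instead of a line count, so a log that is rotated or truncated under the watcher restarts from zero rather than producing a negative tail count. The function names, the state file and the sample alert lines are my own constructions.

```shell
#!/bin/sh
# Added example (not the mailing-list poster's script). Reports only the
# bytes appended to a log since the last call, remembering the offset in a
# state file. Names (new_lines, report) and sample lines are constructed.

# new_lines LOG STATEFILE
#   prints what was appended to LOG since the offset saved in STATEFILE,
#   then saves the current size as the new offset
new_lines() {
    log=$1
    state=$2
    [ -f "$log" ] || return 0
    last=0
    if [ -f "$state" ]; then
        last=$(cat "$state")
    fi
    size=$(wc -c < "$log" | tr -d ' ')
    # the file got smaller: it was rotated or truncated under us, so the
    # saved offset is meaningless; report the whole new file instead
    if [ "$size" -lt "$last" ]; then
        last=0
    fi
    if [ "$size" -gt "$last" ]; then
        # tail -c +N prints from byte N (1-based), i.e. everything past
        # the first $last bytes
        tail -c +"$((last + 1))" "$log"
    fi
    printf '%s\n' "$size" > "$state"
}

# report LOG STATEFILE: prefix the new lines with the reporting host, as
# the poster's script does, ready to pipe into mail
report() {
    printf 'host: %s\n' "$(uname -n)"
    new_lines "$1" "$2"
}

# constructed demo log, so the script runs stand-alone
demo=$(mktemp -d)
LOG=$demo/alert
STATE=$demo/alert.offset
printf 'alert one\nalert two\n' > "$LOG"
first=$(new_lines "$LOG" "$STATE")      # both lines
printf 'alert three\n' >> "$LOG"
second=$(new_lines "$LOG" "$STATE")     # only "alert three"
printf 'fresh\n' > "$LOG"               # log rotated/truncated
third=$(new_lines "$LOG" "$STATE")      # "fresh", not a negative count
fourth=$(new_lines "$LOG" "$STATE")     # nothing new -> empty
```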
