[Snort-users] Snort-Swatch

Edin Dizdarevic edin.dizdarevic at ...7509...
Tue Sep 23 14:55:08 EDT 2003

(freezing my knoppix.... ;)

logsurfer is a quite easy tool to use. I don't know if this is the
right place to explain the whole thing, since it already has a good
documentation - including usage examples. It continuously watches the
logfile you define, although it also has a single-shot mode. You may
want to get some information out of your old logfiles that way. It uses
regular expressions to match a line you may be interested in. You
may, however, also define what should not be in the line, which gives you
the possibility to match the lines in a highly focused, specific
context, since error messages - for which you may be looking - sometimes
look similar to other error messages which may produce some confusion.

The other nice thing is the possibility to collect the messages in a
kind of container and do something with them at once - for example to
mail several login attempts at once wild or all invalid packets from
your iptables ruleset - just an example. These containers are also called
a "context" - pretty self explanatory. I use this possibility for apache
in order to catch a whole session after a specific event has occurred -
internal server error, for example.

So, the configuration syntax is like this:

match_regex match_not_regex line_limit timeout_abs timeout_rel

default action may be:

ignore, exec, pipe, report (see the man page for more information)

So with this rule, priority 1 alerts will be collected and mailed to
you (and everything else will be ignored):

# logsurfer config for Snort's alert file
# Avoid empty lines, use '#' instead
# Report only priority 1 alerts for now (put this in one line best)
'\[Classification: (.*)\] \[Priority: 1\]' - - - 0 open
(.*) - 3 5 - pipe
"/bin/mail -s \"\[IDS SENSOR 1\] ALERT: Snort detected a Priority 1 security incident\" security at ...9153..."
# Ignore the rest
'(.*)' - - - 0 ignore

Save this in a file /etc/logsurfer/alert.conf and run logsurfer like
this (possibly not as root):

logsurfer -c /etc/logsurfer/alert.conf \
           -d /etc/logsurfer/alert.dump \
           -p /var/run/logsurfer_alert.pid \
           -f /var/log/snort/alert

There is a possibility to tell logsurfer to process the file from a
specific line. That is nice since the alert file may be quite big. In
that case try something like this (using su to run logsurfer as user
nobody here):

$ su nobody -c "/usr/local/bin/logsurfer \
             -c /etc/logsurfer/alert.conf \
             -l `wc -l /var/log/snort/alert | awk '{print $1}'`\
             -d /etc/logsurfer/alert.dump \
             -p /var/run/logsurfer_alert.pid \
             -f /var/log/snort/alert &"

So, my emails look like this:

[Classification: Web Application Attack] [Priority: 1]
09/11/03-12:14:28.282758 0:2:B3:C7:D:E1 -> 0:6:5B:8F:9D:1F type:0x800 
len:0x27C -> TCP TTL:240 TOS:0x10 ID:0 IpLen:20 
***AP*** Seq: 0x88C22700  Ack: 0xE6FDE3E3  Win: 0x88E0  TcpLen: 20

Now, it's ACID's turn...

Hope this could help,


Keaton, Lindamaria wrote:
> No, I don't have to use swatch

Edin Dizdarevic
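Added example (not part of the post above and not logsurfer's own code): a small, simplified Python model of the rule/context behaviour the post describes, run over a constructed excerpt of a Snort full-format alert file. It keeps the post's rule set (open a context on a "[Classification: ...] [Priority: 1]" line, collect the next three lines, ignore everything else) and adds one not_match entry, "Attempted User Privilege Gain", purely as a constructed tuning choice to show what that field does. The "pipe" to /bin/mail is replaced by appending the collected lines to a list, the alert messages, SIDs, addresses and timestamps are constructed, and timeout_rel and logsurfer's "continue" flag are not modelled.

```python
import re

ALERT_RE = r"\[Classification: (.*)\] \[Priority: 1\]"


class Context:
    """Lines collected after an 'open' rule fired. Flushed to the action once
    line_limit further matching lines arrived or timeout_abs seconds passed.
    Simplified model: the triggering line is kept as the first line."""

    def __init__(self, first_line, match, not_match, line_limit, timeout_abs, now):
        self.match = re.compile(match)
        self.not_match = re.compile(not_match) if not_match else None
        self.line_limit = line_limit
        self.deadline = now + timeout_abs
        self.lines = [first_line]

    def offer(self, line):
        """Append the line if it matches match and not not_match; return True
        when the context is full (line_limit lines after the trigger)."""
        if self.match.search(line) and not (self.not_match and self.not_match.search(line)):
            self.lines.append(line)
        return len(self.lines) > self.line_limit


def rule_matches(rule, line):
    """A rule matches when match_regex hits and not_match_regex does not."""
    if not re.search(rule["match"], line):
        return False
    return not (rule.get("not_match") and re.search(rule["not_match"], line))


class Surfer:
    def __init__(self, rules):
        self.rules = rules
        self.contexts = []
        self.reports = []  # each entry is what 'pipe' would have handed to /bin/mail

    def _flush(self, ctx):
        self.reports.append("\n".join(ctx.lines))
        self.contexts.remove(ctx)

    def expire(self, now):
        """Flush every context whose absolute timeout has passed."""
        for ctx in list(self.contexts):
            if now >= ctx.deadline:
                self._flush(ctx)

    def feed(self, line, now=0.0):
        self.expire(now)
        for ctx in list(self.contexts):  # open contexts see every line
            if ctx.offer(line):
                self._flush(ctx)
        for rule in self.rules:  # first matching rule wins; 'ignore' just stops here
            if rule_matches(rule, line):
                if rule["action"] == "open":
                    self.contexts.append(Context(line, now=now, **rule["context"]))
                break


RULES = [
    {"match": ALERT_RE,
     "not_match": r"Attempted User Privilege Gain",  # constructed tuning choice, not from the post
     "action": "open",
     "context": {"match": r".*", "not_match": None, "line_limit": 3, "timeout_abs": 5}},
    {"match": r".*", "action": "ignore"},
]

# Constructed alert-file excerpt in Snort's full format with the link-layer line
# (snort -e); the last alert is cut short as if the sensor were still writing it.
SAMPLE = """\
[**] [1:1000001:1] LOCAL web shell access attempt [**]
[Classification: Web Application Attack] [Priority: 1]
09/11/03-12:14:28.282758 0:2:B3:C7:D:E1 -> 0:6:5B:8F:9D:1F type:0x800 len:0x27C
192.0.2.10:34512 -> 198.51.100.7:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:622
***AP*** Seq: 0x88C22700  Ack: 0xE6FDE3E3  Win: 0x88E0  TcpLen: 20

[**] [1:1000002:1] LOCAL port scan fingerprint attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/11/03-12:15:01.000001 0:2:B3:C7:D:E1 -> 0:6:5B:8F:9D:1F type:0x800 len:0x3C
192.0.2.10:40000 -> 198.51.100.7:22 TCP TTL:52 TOS:0x0 ID:1 IpLen:20 DgmLen:40
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x4000  TcpLen: 20

[**] [1:1000003:1] LOCAL ssh exploit attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
09/11/03-12:15:30.500000 0:2:B3:C7:D:E1 -> 0:6:5B:8F:9D:1F type:0x800 len:0x5DC
192.0.2.10:40100 -> 198.51.100.7:22 TCP TTL:52 TOS:0x0 ID:2 IpLen:20 DgmLen:1472
***AP*** Seq: 0x1A2B4000  Ack: 0x7F000001  Win: 0x4000  TcpLen: 20

[**] [1:1000004:1] LOCAL web command injection attempt [**]
[Classification: Web Application Attack] [Priority: 1]
09/11/03-12:16:02.123456 0:2:B3:C7:D:E1 -> 0:6:5B:8F:9D:1F type:0x800 len:0x1F4
192.0.2.10:34600 -> 198.51.100.7:80 TCP TTL:240 TOS:0x10 ID:3 IpLen:20 DgmLen:486
"""


def run(text, rules=RULES, clock_step=0.01):
    """Feed the lines with a simulated clock, then let the sensor go quiet so
    that timeout_abs flushes any context that never reached its line limit."""
    surfer = Surfer(rules)
    now = 0.0
    for line in text.splitlines():
        surfer.feed(line, now)
        now += clock_step
    surfer.expire(now + 10)
    return surfer.reports


if __name__ == "__main__":
    for i, report in enumerate(run(SAMPLE)):
        print(f"--- mail {i} ---\n{report}")
```

Two things the run makes visible that the config alone does not: the context's "(.*)" takes the next three lines whatever they are, so if two alerts are written back to back (or several sensors share one file) the mailed lines can belong to a different alert than the Classification line; and a context that never reaches line_limit, here the truncated last alert, is only flushed when timeout_abs expires, so the mail for it arrives late and short.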
