[Snort-users] snort + swatch + script writing + waiting help

Paul Melson pmelson at ...11827...
Thu Jun 7 10:18:53 EDT 2007


> I am using Snort and would like to use swatch so that when a particular
> attack occurs, swatch runs that script.
>
> I need a little advice here... I want my script to parse out the IP
> addresses from the same alert which is triggered by the rule.
>
> Any descriptive ideas will be helpful, or if somebody has a ready script
> that would be helpful to me before I spend lots of time reinventing the
> wheel.

You'll need to configure a swatch regex for Snort alerts so that it makes a
token out of the data you want to reference.  Example:

Snort alert:
May 31 14:33:08 arnold snort[19228]: DNS named version attempt: 1.2.3.4:2888 -> 172.16.1.103:53

Swatch watchfor config (the regex is one line; the space after the message colon and the closing / were lost to line wrapping):
watchfor /(^.* arnold snort.*:)(.*: )(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5}) \-\> (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5})/
	throttle threshold=1,delay=0:1:0,key=$3
	# exec "/opt/t00lz/spike.sh $3"


So the swatch config example takes a typical Snort syslog alert and makes
the following tokens with that fugly regex:
$1 - date, box, proc, pid
$2 - rule msg field
$3 - src IP
$4 - src port
$5 - dst IP
$6 - dst port

The second line makes $3 (src IP) the key, and the third line passes it as
argv[1] to /opt/t00lz/spike.sh.  (This is an example - I don't actually DoS
folks that trigger Snort alerts.)  The end result would be that swatch would
see the example alert and run '/opt/t00lz/spike.sh 1.2.3.4'

Make sense?

PaulM
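The tokenize-then-throttle flow Paul describes, as an added Python example; it is not part of the original thread and is not swatch code. It keeps the same six capture groups but leaves the hostname generic, range-checks the octets and ports that \d{1,3} and \d{1,5} alone would let through, and models the throttle threshold=1,delay=0:1:0,key=$3 line as a one-minute per-source-IP suppression (a simplified reading of swatch's semantics, not its implementation). The script path /opt/t00lz/spike.sh is reused from the post as a placeholder, the syslog lines are constructed, and nothing is executed: the function only returns the argv lists that the commented-out exec line would run.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Same six capture groups as the swatch watchfor in the post, with the space
# after the message colon written explicitly and the hostname left generic.
SNORT_SYSLOG = re.compile(
    r"^(.* \S+ snort(?:\[\d+\])?: )"             # $1 date, host, proc, pid
    r"(.*: )"                                    # $2 rule msg field
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}) -> "   # $3 src IP, $4 src port
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$"      # $5 dst IP, $6 dst port
)


def parse_alert(line):
    r"""Tokenize one Snort syslog alert; return None for non-matching lines.

    The octets and ports are range-checked on top of the regex, because
    \d{1,3} accepts 999.1.1.1 and \d{1,5} accepts port 70000.
    """
    m = SNORT_SYSLOG.match(line.rstrip("\n"))
    if m is None:
        return None
    prefix, msg, src, sport, dst, dport = m.groups()
    try:
        src_ip = ipaddress.IPv4Address(src)
        dst_ip = ipaddress.IPv4Address(dst)
    except ValueError:
        return None
    sport, dport = int(sport), int(dport)
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None
    # Syslog timestamps are fixed-width and carry no year; the 1900 default
    # is fine for the relative comparison the throttle makes.
    when = datetime.strptime(prefix[:15], "%b %d %H:%M:%S")
    return {
        "time": when,
        "prefix": prefix.rstrip(": "),
        "msg": msg.rstrip(": "),
        "src": str(src_ip), "sport": sport,
        "dst": str(dst_ip), "dport": dport,
    }


class KeyedThrottle:
    """Simplified model of 'throttle threshold=1,delay=0:1:0,key=$3': the
    first match for a key fires, and further matches for that key are
    suppressed until `delay` has passed since the last one that fired."""

    def __init__(self, delay=timedelta(minutes=1)):
        self.delay = delay
        self._last_fired = {}

    def allow(self, key, now):
        last = self._last_fired.get(key)
        if last is not None and now - last < self.delay:
            return False
        self._last_fired[key] = now
        return True


def plan_actions(lines, script="/opt/t00lz/spike.sh"):
    """Return the argv lists the post's exec line would run, one per alert
    that survives the per-source-IP throttle. Nothing is executed here; a
    caller can hand each list to subprocess.run() without a shell."""
    throttle = KeyedThrottle()
    actions = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        if throttle.allow(alert["src"], alert["time"]):
            actions.append([script, alert["src"]])
    return actions


# Constructed sample syslog lines for a self-contained run (not real traffic).
SAMPLE_LINES = [
    "May 31 14:33:08 arnold snort[19228]: DNS named version attempt: 1.2.3.4:2888 -> 172.16.1.103:53",
    "May 31 14:33:09 arnold snort[19228]: DNS named version attempt: 1.2.3.4:2889 -> 172.16.1.103:53",
    "May 31 14:33:20 arnold snort[19228]: DNS named version attempt: 10.9.8.7:40001 -> 172.16.1.103:53",
    "May 31 14:34:30 arnold snort[19228]: DNS named version attempt: 1.2.3.4:2890 -> 172.16.1.103:53",
    "May 31 14:34:31 arnold snort[19228]: DNS named version attempt: 999.1.1.1:53 -> 172.16.1.103:53",
    "May 31 14:34:32 arnold sshd[2201]: Accepted publickey for pmelson from 172.16.1.10 port 51234 ssh2",
]

if __name__ == "__main__":
    for argv in plan_actions(SAMPLE_LINES):
        print(" ".join(argv))
```

On the sample input the second 1.2.3.4 alert is suppressed (one second after the first), 10.9.8.7 fires as a new key, and the third 1.2.3.4 alert fires again because 82 seconds have passed; the 999.1.1.1 line and the sshd line produce nothing. The reason to keep the IP group as strict as \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} is also a safety one: whatever you hand to an exec action is built from log text an attacker partly controls, and a group that only admits digits and dots cannot carry shell metacharacters, whereas passing the free-text $2 message field to a shell would.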
