[Snort-users] snort + swatch + script writing + waiting help
pmelson at ...11827...
Thu Jun 7 10:18:53 EDT 2007
> I am using Snort and would like to use swatch so that when a particular
> attack occurs swatch runs that
> I need a little advice here.. I want my script to parse out the IP
> addresses from the same alert which
> is triggered by the rule..
> Any descriptive ideas will be helpful, or if somebody has a ready script
> it shall be helpful to me before I
> spend lots of time reinventing the wheel.
You'll need to configure a swatch regex for Snort alerts so that it makes a
token out of the data you want to reference. Example:
May 31 14:33:08 arnold snort: DNS named version attempt: 126.96.36.199:2888
Swatch watchfor config:
watchfor /(^.* arnold snort.*:)(.*:
# exec "/opt/t00lz/spike.sh $3"
So the swatch config example takes a typical Snort syslog alert and makes
the following tokens with that fugly regex:
$1 - date, box, proc, pid
$2 - rule msg field
$3 - src IP
$4 - src port
$5 - dst IP
$6 - dst port
The second line makes $3 (src IP) the key, and the third line passes it as
argv to /opt/t00lz/spike.sh. (This is an example - I don't actually DoS
folks that trigger Snort alerts.) The end result would be that swatch would
see the example alert and run '/opt/t00lz/spike.sh 188.8.131.52'
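The same six-token split done outside swatch, as an added Python example (not from the post and not swatch's own code). It assumes the destination half of the alert follows a "->" as in Snort's syslog output (the post's own line is cut off there), and treats 10.0.0.0/8 as a hypothetical trusted range that a response script must never be pointed at.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample syslog lines in the shape the post shows
# (date host proc: msg: src:sport -> dst:dport). The "->" and the
# destination half are assumed; the post's example is truncated.
SAMPLE_ALERTS = [
    "May 31 14:33:08 arnold snort: DNS named version attempt: 126.96.36.199:2888 -> 10.0.0.5:53",
    "May 31 14:35:41 arnold snort: SCAN nmap XMAS: 10.0.0.9:4123 -> 10.0.0.5:22",
    "May 31 14:36:02 arnold sshd[2210]: Accepted publickey for ops from 10.0.0.9",
]

# Same six capture groups the post's swatch regex produces:
# 1 date/box/proc/pid, 2 rule msg, 3 src IP, 4 src port, 5 dst IP, 6 dst port.
ALERT_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]+ \S+ snort(?:\[\d+\])?:) +"  # $1 date, box, proc, pid
    r"(.*?): +"                                      # $2 rule msg field
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) +-> +"         # $3 src IP, $4 src port
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*$"           # $5 dst IP, $6 dst port
)

# Hypothetical local range: never hand these sources to a response script.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_alert(line: str) -> Optional[dict]:
    """Tokenise one Snort syslog alert; None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    keys = ("prefix", "msg", "src", "sport", "dst", "dport")
    return dict(zip(keys, m.groups()))


def block_candidate(line: str) -> Optional[str]:
    """Return the source IP to pass as argv to a response script, or None.
    Sources inside a trusted range are skipped so that a spoofed or
    internal trigger cannot turn the script against our own hosts."""
    alert = parse_alert(line)
    if alert is None:
        return None
    src = ipaddress.ip_address(alert["src"])
    if any(src in net for net in TRUSTED_NETS):
        return None
    return str(src)


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(block_candidate(line), "<-", line)
```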