[Snort-users] snortstat_pl

David Guimaraes skysbsb at ...11827...
Thu Dec 3 10:14:42 EST 2009


The problem is that snort_stat uses the "snort" signature in the snort alert file
to recover information... but barnyard is the author of the alert message,
so, in the alert file generated by barnyard, it will be:

Dec  3 06:24:03 debian *barnyard*: [1:2050:14] SQL version overflow attempt
[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP}
222.47.22.18:2285 -> x.x.x.x:1434

you see?

So, to resolve this problem, you have to edit the snort_stat.pl file like this
patch:

#### PATCH BEGIN ####
--- snort_stat.pl    2009-12-03 13:12:51.000000000 -0200
+++ snort_stat_modified.pl    2009-12-03 13:11:24.000000000 -0200
@@ -135,7 +135,7 @@

     # This is syslog format
     if ( $_ =~ m/^(\w{3}) \s+ (\d+) \s (\d+)\:(\d+)\:(\d+)\s
-    (\S+?)\ssnort[\[\d+\]]*\:\s+(.+)/ox
+    (\S+?)\sbarnyard[\[\d+\]]*\:\s+(.+)/ox
     || m/^(\d+)\/(\d+)\-(\d+)\:(\d+)\:(\d+)\.(\d+)\s(.+)/ox
     ) {
     $alert->{MON}  = $1;
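Review bot: Swapping `snort` for `barnyard` in the syslog regex just moves the hard-coded program name, so a sensor that still writes alerts to syslog itself (or a file that mixes both writers) silently stops matching and its alerts vanish from the summary; an alternation such as `(\S+?)\s(?:snort|barnyard)[\[\d+\]]*\:\s+(.+)/ox` keeps both cases working. While touching this line, note that `[\[\d+\]]*` is a character class (any run of `[`, digits, `+` or `]`), not the optional `[pid]` group it reads as; it happens to consume `[1234]`, but `(?:\[\d+\])?` says what is meant. The `# This is syslog format` comment could also note that the program name depends on which tool writes the log.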

#### PATCH END ####

On Thu, Dec 3, 2009 at 8:31 AM, Tedi Heriyanto <tedi.heriyanto at ...11827...> wrote:

> Pradeep Lamabam wrote:
> > hello,
> > I am using snort with barnyard, base, mysql. All is working fine. I had also
> > used snortstat_pl as a summary tool. It works equally fine. What I had
> > trouble with though was running the snortstat_pl script from cron and
> > mailing me the summary.
> > The command I used is:
> > 59 23 * * * cat /var/log/snort/alert | snort_stat.pl |
> > mail -s "Snort Report" <myid>@yahoo.com
> You can put the commands :
> cat /var/log/snort/alert | snort_stat.pl |
> mail -s "Snort Report" <myid>@yahoo.com
>
> into a shell script and in the cron entry you just call that script :
>
> 59 23 * * * /home/user/snort-log-mailer.sh
>
>
>
> --
> Best Regards,
>
> Tedi Heriyanto
> Website         : http://tedi.heriyanto.net
> Blog            : http://theriyanto.wordpress.com
> PGP Key ID      : 0xAC22DD11
> PGP Fingerprint : 470A FF01 B4CF 93A4 78E5 0EAC 0103 BC76 AC22 DD11
>
>



-- 
David Gomes Guimarães
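To make the failure mode above concrete, here is an added example (not code from snort_stat.pl or from anyone in the thread) that transcribes the script's syslog-format regex into Python and shows that the "snort"-only pattern drops every barnyard line from the summary, while an alternation keeps both writers. `syslog_pattern`, `parse_alert`, `summarize` and the sample alert lines are my own constructions; the alert-body field regex is assumed from the format quoted in the message above.

```python
import re
from collections import Counter
def syslog_pattern(programs):
    """Build snort_stat.pl's syslog-format alert regex for the given logging program names."""
    progs = "|".join(re.escape(p) for p in programs)
    return re.compile(
        r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s(?P<hour>\d+):(?P<min>\d+):(?P<sec>\d+)\s"
        r"(?P<host>\S+?)\s(?P<prog>" + progs + r")(?:\[\d+\])?:\s+(?P<body>.+)$")

# snort_stat.pl's pattern only knows "snort"; the relaxed one also accepts barnyard.
STRICT = syslog_pattern(["snort"])
RELAXED = syslog_pattern(["snort", "barnyard"])
# Alert body: "[gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]"
BODY = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$")

def parse_alert(line, pattern=RELAXED):
    """Return a dict of alert fields, or None when the line is not a recognised alert."""
    m = pattern.match(line)
    if m is None:
        return None
    alert = m.groupdict()
    body = BODY.match(alert.pop("body"))
    if body is not None:
        alert.update(body.groupdict())
    return alert

def summarize(lines, pattern=RELAXED):
    """Count alerts per (sid, msg) as snort_stat's summary does; also count dropped lines."""
    counts, skipped = Counter(), 0
    for line in lines:
        alert = parse_alert(line, pattern)
        if alert is None or "sid" not in alert:
            skipped += 1  # with STRICT, every barnyard line ends up here, unreported
        else:
            counts[(alert["sid"], alert["msg"])] += 1
    return counts, skipped
# Constructed samples (not from a real sensor): the thread's source IP plus documentation-range hosts.
SNORT_LINE = ("Dec  3 06:24:03 debian snort[1234]: [1:2050:14] SQL version overflow attempt "
              "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} "
              "222.47.22.18:2285 -> 192.0.2.5:1434")
SAMPLE_ALERTS = [
    SNORT_LINE,
    SNORT_LINE.replace("snort[1234]", "barnyard"),  # the same alert relayed by barnyard
    "Dec  3 06:25:10 debian barnyard: [1:1000001:1] LOCAL ping test [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.5",
]
```

Running `summarize(SAMPLE_ALERTS, STRICT)` reports one alert and two skipped lines; with `RELAXED` all three are counted, which is the difference the patch above is trying to close.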