Snort mailing list archives
RE: Snort-Swatch
From: "Keaton, Lindamaria" <LKeaton () unionsafe com>
Date: Fri, 26 Sep 2003 17:24:56 -0700
Do you have a start-up script for this?
logsurfer -c /etc/logsurfer/alert.conf \
-d /etc/logsurfer/alert.dump \
-p /var/run/logsurfer_alert.pid \
-f /var/log/snort/alert
-----Original Message-----
From: Edin Dizdarevic [mailto:edin.dizdarevic () interActive-Systems de]
Sent: Tuesday, September 23, 2003 2:54 PM
To: Keaton, Lindamaria
Cc: jon baer; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort-Swatch
Weell...
(freezing my knoppix.... ;)
logsurfer is a quite easy tool to use. I don't know if this is the right
place to explain the whole thing, since it already has good
documentation - including usage examples. It continuously watches the
logfile you define, although it also has a single-shot mode. You may
want to get some information out of your old logfiles that way. It uses
regular expressions to match a line you may be interested in. You may,
however, also define what should not be in the line, which gives you the
possibility to match the lines in a highly focused, specific context,
since error messages - for which you may be looking - sometimes look
similar to other error messages, which may produce some confusion.
The other nice thing is the possibility to collect the messages in a
kind of container and do something with them at once - for example to
mail several login attempts at once, or all invalid packets from
your iptables ruleset - just an example. These containers are also called
a "context" - pretty self-explanatory. I use this possibility for apache
in order to catch a whole session after a specific event has occurred -
internal server error, for example.
So, the configuration syntax is like this:
match_regex match_not_regex line_limit timeout_abs timeout_rel
default_action
default action may be:
ignore, exec, pipe, report (see the man page for more information)
So with this rule, priority 1 alerts will be collected and mailed to
you (and everything else will be ignored):
###
# logsurfer config for Snort's alert file
# Avoid empty lines, use '#' instead
#
# Report only priority 1 alerts for now (the whole rule must be on one line)
'\[Classification: (.*)\] \[Priority: 1\]' - - - 0 open (.*) - 3 5 - pipe "/bin/mail -s \"\[IDS SENSOR 1\] ALERT: Snort detected a Priority 1 security incident\" security () jonbaer net"
#
# Ignore the rest
'(.*)' - - - 0 ignore
###
Save this in a file /etc/logsurfer/alert.conf and run logsurfer like
this (possibly not as root):
logsurfer -c /etc/logsurfer/alert.conf \
-d /etc/logsurfer/alert.dump \
-p /var/run/logsurfer_alert.pid \
-f /var/log/snort/alert
There is a possibility to tell logsurfer to process the file from a
specific line. That is nice since the alert file may be quite big. In
that case try something like this (using su to run logsurfer as user
nobody here):
$ su nobody -c "/usr/local/bin/logsurfer \
-c /etc/logsurfer/alert.conf \
-l `wc -l /var/log/snort/alert | awk '{print $1}'` \
-d /etc/logsurfer/alert.dump \
-p /var/run/logsurfer_alert.pid \
-f /var/log/snort/alert &"
So, my emails look like this:
[Classification: Web Application Attack] [Priority: 1]
09/11/03-12:14:28.282758 0:2:B3:C7:D:E1 -> 0:6:5B:8F:9D:1F type:0x800 len:0x27C
172.16.0.1:43070 -> 172.16.0.254:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:622
***AP*** Seq: 0x88C22700 Ack: 0xE6FDE3E3 Win: 0x88E0 TcpLen: 20
Now, it's ACID's turn...
Hope I could help,
Regards,
Edin
Keaton, Lindamaria wrote:
No, I don't have to use swatch
--
Edin Dizdarevic

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
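The question at the top of this message ("Do you have a start-up script for this?") is not answered anywhere in the thread. The start/stop script below is an added example, not something posted by Edin or Lindamaria, built around the logsurfer command line quoted above. It keeps the thread's paths for the config, dump and alert files; the run directory /var/run/logsurfer, the unprivileged account nobody (started through GNU su's -s option, a Linux assumption), and the LOGSURFER binary path are assumptions. Two things the one-liner in the thread glosses over: logsurfer writes the pidfile itself, so when it runs as an unprivileged user the pidfile directory must belong to that user, and the current line count has to reach -l as its own argument, which is why it is computed in a separate function here rather than inline in the su string.

```sh
#!/bin/sh
# Added example (not from the thread): start/stop script for the logsurfer
# invocation discussed above. Paths for CONF, DUMP and ALERT are the ones
# used in the thread; LOGSURFER, LOGSURFER_USER and RUNDIR are assumptions.

LOGSURFER=${LOGSURFER:-/usr/local/bin/logsurfer}
LOGSURFER_USER=${LOGSURFER_USER:-nobody}   # assumption: unprivileged account
CONF=/etc/logsurfer/alert.conf
DUMP=/etc/logsurfer/alert.dump
ALERT=/var/log/snort/alert
RUNDIR=${RUNDIR:-/var/run/logsurfer}        # assumption: owned by LOGSURFER_USER
PIDFILE=$RUNDIR/logsurfer_alert.pid

# Lines already in the alert file. Passed to -l so logsurfer skips the
# history and only reports new alerts. Prints 0 if the file is not there yet.
alert_line_count() {
    if [ -r "$1" ]; then
        wc -l < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# Assemble the command line; kept separate from start so it can be inspected
# with "show" and checked before anything is executed.
logsurfer_cmd() {
    printf '%s -c %s -l %s -d %s -p %s -f %s' \
        "$LOGSURFER" "$CONF" "$(alert_line_count "$ALERT")" \
        "$DUMP" "$PIDFILE" "$ALERT"
}

# True if the pidfile names a process that is still alive.
is_running() {
    [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

start() {
    if is_running; then
        echo "logsurfer already running (pid $(cat "$PIDFILE"))"
        return 0
    fi
    [ -r "$CONF" ] || { echo "missing $CONF" >&2; return 1; }
    # logsurfer writes the pidfile as LOGSURFER_USER, so the directory must
    # be writable by that user; /var/run itself is root-only.
    mkdir -p "$RUNDIR" && chown "$LOGSURFER_USER" "$RUNDIR"
    # -s /bin/sh: nobody usually has a nologin shell, so force a real one.
    su -s /bin/sh "$LOGSURFER_USER" -c "$(logsurfer_cmd) &"
}

stop() {
    is_running || { echo "logsurfer not running"; return 0; }
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

case "$1" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    status)  if is_running; then echo running; else echo stopped; fi ;;
    show)    logsurfer_cmd; echo ;;
    "")      ;;   # sourced for its functions only: do nothing
    *)       echo "usage: $0 {start|stop|restart|status|show}" >&2; exit 2 ;;
esac
```

Run "show" first to see the exact command that "start" would hand to su, including the line offset computed from the current alert file.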
Current thread:
- Re: Snort-Swatch, (continued)
- Re: Snort-Swatch jon baer (Sep 19)
- Re: Snort-Swatch Erek Adams (Sep 19)
- RE: Snort-Swatch Keaton, Lindamaria (Sep 23)
- Re: Snort-Swatch Edin Dizdarevic (Sep 23)
- RE: Snort-Swatch Keaton, Lindamaria (Sep 23)
- Re: Snort-Swatch Edin Dizdarevic (Sep 23)
- RE: Snort-Swatch Keaton, Lindamaria (Sep 25)
- Re: Snort-Swatch Sir Fenix (Sep 25)
- Re: Snort-Swatch Edin Dizdarevic (Sep 25)
- RE: Snort-Swatch Keaton, Lindamaria (Sep 25)
- RE: Snort-Swatch Keaton, Lindamaria (Sep 26)
- Re: Snort-Swatch Edin Dizdarevic (Sep 27)
- RE: Snort-Swatch Keaton, Lindamaria (Sep 29)
- Single Snort instance with multiple configurations (output) Jukka Juslin (Sep 30)
- Re: Single Snort instance with multiple configurations (output) Matt Kettler (Sep 30)
- Single Snort instance with multiple configurations (output) Jukka Juslin (Sep 30)
