Re: Is snort-stat and 5snort really broken in sid?
sjk@dredel.com wrote:
What version are you using??
make sure the following line is in your snort.conf -- I think the debian
equiv is snort-lib:
output alert_syslog: LOG_AUTH
--sjk
On 12 Sep, Andrew Pollock wrote:
Even if I run snort-stat manually on auth.log (after I've made snort start with
-s) it doesn't return anything when there are alerts in the log.
I found that after I set the following in snort.conf, the tool only
reported *some* information (or none):
output alert_syslog: LOG_AUTH LOG_ALERT
# The only argument is the output file name.
output log_tcpdump: snort.log
output alert_smb: /etc/snort/smb.workstation.lst
The problem was that the regexp for finding a snort entry was slightly
wrong.
Attached is a diff for snort-stat that cured it for me.
Regards,
/James
49c49
< next if "$tmp_day" ne $theday; # auth.log sometimes rotates weekly
---
> next if "$tmp_day" ne $theday; # auth.log sometimes rotates weekly
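Review bot: the 49c49 hunk shows identical text on both sides, so the change is whitespace only (tabs versus spaces, most likely), and the 96a91 hunk below is the same; drop both from the patch, or regenerate it with `diff -b`, so that readers are not left hunting for a difference that is not there.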
81,86c81,82
< # if (/^(\w{3})\s+(\d+)\s(\d+)\:(\d+)\:(\d+)\s([\w-]+)\ssnort(\[\d+\])?:\s+
< # ([^:]+):\s([\d\.]+)[\:]*([\d]*)\s[\-\>]+\s([\d\.]+)[\:]*([\d]*)/ox)
< # Fix so we actually get some information...
< if (/^(\w{3})\s+(\d+)\s(\d+)\:(\d+)\:(\d+)\s([\w-]+)\ssnort(\[\d+\])?:\s+
< (.*):\s([\d\.]+)[\:]*([\d]*)\s[\-\>]+\s([\d\.]+)[\:]*([\d]*)/ox)
<
---
> if (/^(\w{3})\s+(\d+)\s(\d+)\:(\d+)\:(\d+)\s([\w-]+)\ssnort(\[\d+\])?:\s+
> ([^:]+):\s([\d\.]+)[\:]*([\d]*)\s[\-\>]+\s([\d\.]+)[\:]*([\d]*)/ox)
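Review bot: the patch is reversed relative to what `patch` expects: the `<` side carries the `# Fix so we actually get some information...` comment and the new `(.*)` capture, so it was generated as `diff new old` and has to be applied with `patch -R` (or regenerated as `diff old new`), otherwise it undoes the fix. On the substance, `([^:]+)` cannot span a colon, so any alert text that itself contains one fails the whole match and the line is silently skipped, which is consistent with the "some information or none" symptom; the greedy `(.*)` is safe here because the `:\s([\d\.]+)...` address tail that follows pins where it stops, and the `x` modifier is what allows the pattern to stay split across two lines as shown.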
92,94c88
<
< $sig =~ s/(\s+\[.*\])//;
<
---
>
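Review bot: `$sig =~ s/(\s+\[.*\])//;` is unanchored and `.*` is greedy, so it deletes everything from the first whitespace-preceded `[` to the last `]` in the signature, which also swallows any bracketed text that sits in the middle of a rule name; anchoring it to the end of the string (`s/\s+\[.*\]$//`) limits it to the trailing bracketed block, and a comment stating which block is being removed would help the next reader. The capturing parentheses serve no purpose, since `$1` is never used afterwards.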
96a91
>
98c93
< push @result , [$month,$day,$hour,$minute,$second,$host,$sig,$saddr,,$sport,$daddr,$dport];
---
> push @result , [$1,$2,$3,$4,$5,$6,$8,$9,$10,$11,$12];
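Review bot: the new `push` has a doubled comma in `$saddr,,$sport`; Perl accepts consecutive commas in a list, so the row still has eleven elements, but it reads as a typo and should be `$saddr,$sport`. The named variables `$month` .. `$dport` replace `$1 .. $12` (with `$7`, the `[pid]` capture, skipped), but the assignments that populate them are not in this diff, so a reader cannot confirm from the patch that they are set before the `s///` on `$sig` runs; include that context, or say where they already exist.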
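To make the regexp difference concrete, here is an added Python transliteration of the two snort-stat patterns (the `/x` Perl pattern becomes a plain concatenated string; `re.sub(..., count=1)` stands in for the single-replacement `s///`). This is example code written for this page, not snort-stat's own code; the `parse_alert` and `count_parsed` names are mine, and the three auth.log lines are constructed to match the layout the pattern expects, not real sensor output.

```python
import re
from typing import Optional

# Field layout snort-stat keeps per row; the "[pid]" capture ($7) is dropped,
# matching the $8,$9,... selection in the original push.
FIELDS = ("month", "day", "hour", "minute", "second", "host",
          "sig", "saddr", "sport", "daddr", "dport")

# Common prefix: "Mon DD HH:MM:SS host snort[pid]: " (transliterated from the Perl pattern).
_PREFIX = r"^(\w{3})\s+(\d+)\s(\d+):(\d+):(\d+)\s([\w-]+)\ssnort(\[\d+\])?:\s+"
# Common tail: "saddr[:sport] -> daddr[:dport]".
_SUFFIX = r":\s([\d.]+):*(\d*)\s[\->]+\s([\d.]+):*(\d*)"

# Original capture for the alert text: it cannot cross a colon.
OLD_RE = re.compile(_PREFIX + r"([^:]+)" + _SUFFIX)
# Patched capture: greedy, but the address tail pins where it stops.
NEW_RE = re.compile(_PREFIX + r"(.*)" + _SUFFIX)

# Perl: $sig =~ s/(\s+\[.*\])//;  (one replacement, unanchored, greedy)
_BRACKET_TAIL = re.compile(r"\s+\[.*\]")


def parse_alert(line: str, pattern: re.Pattern = NEW_RE,
                strip_tail: bool = True) -> Optional[dict]:
    """Return the row snort-stat would push onto @result, or None when the line is skipped."""
    m = pattern.match(line)
    if not m:
        return None
    groups = list(m.groups())
    del groups[6]                     # drop the optional "[pid]" capture ($7)
    rec = dict(zip(FIELDS, groups))
    if strip_tail:
        # Note: the leading "[1:498:3]" survives because no whitespace precedes it;
        # only the first whitespace-preceded "[" up to the last "]" is removed.
        rec["sig"] = _BRACKET_TAIL.sub("", rec["sig"], count=1)
    return rec


# Constructed sample auth.log lines (hypothetical hosts and RFC 5737 addresses).
SAMPLE_LOG = [
    "Sep 12 03:14:15 sensor1 snort[1234]: [1:498:3] ATTACK RESPONSES id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: 192.0.2.10:80 -> 192.0.2.20:1234",
    "Sep 12 03:14:16 sensor1 snort[1234]: ICMP PING: 192.0.2.30 -> 192.0.2.20",
    "Sep 12 03:14:17 sensor1 sshd[999]: Accepted publickey for alice from 192.0.2.40 port 2222 ssh2",
]


def count_parsed(lines, pattern) -> int:
    """How many lines a pattern turns into rows: the 'some information or none' symptom in numbers."""
    return sum(1 for ln in lines if parse_alert(ln, pattern) is not None)


if __name__ == "__main__":
    for label, pat in (("original", OLD_RE), ("patched", NEW_RE)):
        print(f"{label}: {count_parsed(SAMPLE_LOG, pat)} of {len(SAMPLE_LOG)} lines parsed")
    for ln in SAMPLE_LOG:
        print(parse_alert(ln))
```

Running it shows the original pattern accepting only the colon-free `ICMP PING` line, while the patched one also accepts the alert whose `[Classification: ...]` block contains a colon; the sshd line is skipped by both, as it should be.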