
Re: Is snort-stat and 5snort really broken in sid?



sjk@dredel.com wrote:

What version are you using??
Make sure the following line is in your snort.conf -- I think the Debian
equiv is snort-lib:

output alert_syslog: LOG_AUTH

--sjk

On 12 Sep, Andrew Pollock wrote:

Even if I run snort-stat manually on auth.log (after I've made snort start with
-s) it doesn't return anything when there are alerts in the log.


I found that after I set the following in snort.conf, the tool only reported *some* information (or none):

output alert_syslog: LOG_AUTH LOG_ALERT
# The only argument is the output file name.
output log_tcpdump: snort.log
output alert_smb: /etc/snort/smb.workstation.lst

The problem was that the regexp for finding a snort entry was slightly wrong.

Attached is a diff for snort-stat that cured it for me.

Regards,

   /James

49c49
<     next if "$tmp_day" ne  $theday; # auth.log sometimes rotates weekly
---
>     next if "$tmp_day" ne $theday; # auth.log sometimes rotates weekly
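Review bot: the only change in this hunk is one extra space inside `ne  $theday` on the `<` side, and the hunk also shows the diff is reversed: the `<` side is the patched file (it is the side carrying the commented-out original and the `# Fix so we actually get some information...` comment in the next hunk), so this was produced as `diff fixed original` and feeding it to `patch` as-is would restore the unpatched script. Regenerate it as `diff -u original fixed` (or apply with `patch -R`) and drop this whitespace-only hunk while doing so.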
81,86c81,82
< #  if (/^(\w{3})\s+(\d+)\s(\d+)\:(\d+)\:(\d+)\s([\w-]+)\ssnort(\[\d+\])?:\s+
< #      ([^:]+):\s([\d\.]+)[\:]*([\d]*)\s[\-\>]+\s([\d\.]+)[\:]*([\d]*)/ox)
< # Fix so we actually get some information...
<    if (/^(\w{3})\s+(\d+)\s(\d+)\:(\d+)\:(\d+)\s([\w-]+)\ssnort(\[\d+\])?:\s+
<        (.*):\s([\d\.]+)[\:]*([\d]*)\s[\-\>]+\s([\d\.]+)[\:]*([\d]*)/ox)
< 
---
>   if (/^(\w{3})\s+(\d+)\s(\d+)\:(\d+)\:(\d+)\s([\w-]+)\ssnort(\[\d+\])?:\s+
>       ([^:]+):\s([\d\.]+)[\:]*([\d]*)\s[\-\>]+\s([\d\.]+)[\:]*([\d]*)/ox)
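Review bot: changing the signature capture from `([^:]+)` to `(.*)` is the real fix and is correct for alert text that itself contains colons (the bracketed `[Classification: ...]`-style suffixes the later `s/(\s+\[.*\])//` hunk strips), which `[^:]+` can never match across; under `/x` the line break inside the pattern is still ignored, so the two-line layout is fine. Because `(.*)` is greedy, `$8` now runs up to the last `: <addr>` sequence on the line, which is exactly why the bracketed text lands in `$sig` and has to be removed afterwards; a comment saying so would help the next reader. The commented-out original pattern should be deleted rather than left in the file, since the diff itself is the record of it.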
92,94c88
<       
<       $sig =~ s/(\s+\[.*\])//;
< 
---
>  
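Review bot: `$sig =~ s/(\s+\[.*\])//;` uses a greedy `.*`, so it removes everything from the first whitespace-preceded `[` to the last `]` in the signature, not just one trailing `[...]` block; that is what you want for trailing annotations, but it would also swallow any text sitting between two bracketed groups. The capturing parentheses are unused and can be dropped. Note also that a successful substitution resets `$1`..`$12`, which is the reason the push further down has to switch to named variables; worth a one-line comment here.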
96a91
> 	
98c93
<       push @result , [$month,$day,$hour,$minute,$second,$host,$sig,$saddr,,$sport,$daddr,$dport];
---
>       push @result , [$1,$2,$3,$4,$5,$6,$8,$9,$10,$11,$12];
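Review bot: `$saddr,,$sport` has a doubled comma; Perl accepts consecutive commas in a list and silently skips the empty slot, so the record still has eleven elements, but it reads as a missing field and should be fixed. Replacing `$1..$12` with the named variables is necessary rather than cosmetic, because the `$sig =~ s///` added above clobbers the capture variables; the assignments of `$month` through `$dport` do not appear in this diff, so I am assuming they sit in the unchanged lines between the regex and this push. `$7` (the optional `[pid]`) is left out of the record in both versions, consistent with the original.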

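To show concretely why the original signature capture returned nothing on annotated alerts, here is an added example (not part of James's patch or of the snort-stat script itself) that runs both versions of the pattern, plus the bracket-stripping substitution, over two constructed syslog lines. The host name, PID and alert texts are made up for illustration; the regular expressions are the ones from the diff above, minus the `/o` flag, which `qr//` does not take.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Original snort-stat pattern: the signature capture ([^:]+) cannot contain a colon.
my $old_re = qr/^(\w{3})\s+(\d+)\:(\d+)\:(\d+)\s([\w-]+)\ssnort(\[\d+\])?:\s+
                ([^:]+):\s([\d\.]+)[\:]*([\d]*)\s[\-\>]+\s([\d\.]+)[\:]*([\d]*)/x;

# Patched pattern: greedy (.*) allows colons inside the signature text.
my $new_re = qr/^(\w{3})\s+(\d+)\s(\d+)\:(\d+)\:(\d+)\s([\w-]+)\ssnort(\[\d+\])?:\s+
                (.*):\s([\d\.]+)[\:]*([\d]*)\s[\-\>]+\s([\d\.]+)[\:]*([\d]*)/x;

# Constructed sample lines (not real log data). The second one carries a
# bracketed classification/priority suffix, which contains colons.
my @lines = (
    'Sep 12 10:15:42 gw snort[1234]: IDS246 - MISC - Large ICMP Packet: 10.0.0.5 -> 10.0.0.1',
    'Sep 12 10:15:43 gw snort[1234]: WEB-MISC cross site scripting attempt '
        . '[Classification: Web Application Attack] [Priority: 2]: 10.0.0.9:4433 -> 10.0.0.1:80',
);

# Parse one line with the given pattern. Returns an array ref holding the same
# eleven fields snort-stat pushes onto @result, or undef if the line does not match.
sub parse_line {
    my ($line, $re) = @_;
    return unless $line =~ $re;
    my ($month, $day, $hour, $minute, $second, $host, $pid, $sig,
        $saddr, $sport, $daddr, $dport) = ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12);

    # Same substitution as the patch: drop the trailing "[...] [...]" annotations.
    # A successful s/// resets $1..$12, so the record must be built from the
    # named copies taken above, not from the capture variables.
    $sig =~ s/\s+\[.*\]//;

    return [$month, $day, $hour, $minute, $second, $host, $sig,
            $saddr, $sport, $daddr, $dport];
}

for my $line (@lines) {
    print "$line\n";
    for my $pair (['original', $old_re], ['patched', $new_re]) {
        my ($label, $re) = @$pair;
        my $rec = parse_line($line, $re);
        printf "  %-8s %s\n", $label, $rec ? join(' | ', @$rec) : '(no match)';
    }
}
```

Run it with `perl`. The first line parses under both patterns because its signature has no embedded colon; the second parses only under the patched pattern, and its signature comes back without the bracketed suffix, which is the "only some information (or none)" symptom described above.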