
Re: Is snort-stat and 5snort really broken in sid?

sjk@dredel.com wrote:

What version are you using?
Make sure the following line is in your snort.conf -- I think the Debian
equivalent is snort-lib:

output alert_syslog: LOG_AUTH


On 12 Sep, Andrew Pollock wrote:

Even if I run snort-stat manually on auth.log (after I've made snort start with
-s) it doesn't return anything when there are alerts in the log.

I found that after I set the following in snort.conf, the tool only reported *some* information (or none):

output alert_syslog: LOG_AUTH LOG_ALERT
# The only argument is the output file name.
output log_tcpdump: snort.log
output alert_smb: /etc/snort/smb.workstation.lst

The problem was that the regexp for finding a snort entry was slightly wrong.

Attached is a diff for snort-stat that cured it for me.
<     next if "$tmp_day" ne  $theday; # auth.log sometimes rotates weekly
>     next if "$tmp_day" ne $theday; # auth.log sometimes rotates weekly
< #  if (/^(\w{3})\s+(\d+)\s(\d+)\:(\d+)\:(\d+)\s([\w-]+)\ssnort(\[\d+\])?:\s+
< #      ([^:]+):\s([\d\.]+)[\:]*([\d]*)\s[\-\>]+\s([\d\.]+)[\:]*([\d]*)/ox)
< # Fix so we actually get some information...
<    if (/^(\w{3})\s+(\d+)\s(\d+)\:(\d+)\:(\d+)\s([\w-]+)\ssnort(\[\d+\])?:\s+
<        (.*):\s([\d\.]+)[\:]*([\d]*)\s[\-\>]+\s([\d\.]+)[\:]*([\d]*)/ox)
>   if (/^(\w{3})\s+(\d+)\s(\d+)\:(\d+)\:(\d+)\s([\w-]+)\ssnort(\[\d+\])?:\s+
>       ([^:]+):\s([\d\.]+)[\:]*([\d]*)\s[\-\>]+\s([\d\.]+)[\:]*([\d]*)/ox)
<       $sig =~ s/(\s+\[.*\])//;
<       push @result , [$month,$day,$hour,$minute,$second,$host,$sig,$saddr,,$sport,$daddr,$dport];
>       push @result , [$1,$2,$3,$4,$5,$6,$8,$9,$10,$11,$12];
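Review bot: the diff reads reversed: the `<` lines carry the new code (the `# Fix so we actually get some information...` comment and the `(.*)` capture) while the `>` lines are the shipped `([^:]+)` version, so `patch` against a stock snort-stat will try to apply it backwards; regenerate it as `diff -u snort-stat.orig snort-stat`, or tell readers to apply it with `patch -R`. The first pair (`ne  $theday` / `ne $theday`) is a whitespace-only change and could be dropped to keep the patch minimal. In the new push line, `$saddr,,$sport` has a doubled comma; Perl silently ignores the empty list element, but it looks like a typo and should be `$saddr,$sport`. The same line uses `$month` ... `$dport` and `$sig` instead of `$1` ... `$12`, yet nothing in the visible hunk assigns them, so the assignments from the capture groups must live in unchanged context for the push to record anything. Finally, `$sig =~ s/(\s+\[.*\])//;` is greedy: it removes everything from the first ` [` to the last `]`, which is right for a trailing `[Classification: ...] [Priority: N]` but will also swallow any bracketed text that is part of the signature name itself; `s/\s+\[Classification:.*\]//` would be more targeted.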

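To show why the shipped regexp reported only some alerts and why the replacement capture recovers the rest, the following is an added example (not code from the post or from the snort-stat script, and written in Python rather than snort-stat's Perl). It ports the two patterns from the diff, the original `([^:]+)` capture and the post's `(.*)` capture, runs both over constructed auth.log lines, and applies the same trailing-bracket clean-up the diff adds to `$sig`. The log lines, host name and signatures are made up for the demonstration; the snort syslog layout they follow is the one the regexp on the page assumes.

```python
import re

# Constructed sample auth.log lines (not taken from the original post). The first
# two carry colons inside the signature text ("[1:469:1]", "[Classification: ...]"),
# which is exactly what the shipped [^:]+ capture cannot get past; the third has a
# colon-free signature and is the kind of entry the old script still reported.
SAMPLE_LOG = """\
Sep 12 10:15:01 ids snort[1234]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: 10.0.0.5 -> 10.0.0.9
Sep 12 10:15:07 ids snort[1234]: [1:1421:2] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: 10.0.0.5:4321 -> 10.0.0.9:705
Sep 12 10:16:30 ids snort[1234]: ICMP PING NMAP: 10.0.0.5 -> 10.0.0.9
Sep 12 10:17:00 ids sshd[999]: Accepted publickey for alice from 10.0.0.7 port 50000 ssh2
"""

# Ports of the pattern in the diff: timestamp, host, optional "[pid]", then the
# signature, then "saddr[:sport] -> daddr[:dport]". Only the signature capture differs.
_HEAD = r"^(\w{3})\s+(\d+)\s(\d+):(\d+):(\d+)\s([\w-]+)\ssnort(\[\d+\])?:\s+"
_TAIL = r":\s([\d.]+):*(\d*)\s[\->]+\s([\d.]+):*(\d*)"

ORIGINAL_RE = re.compile(_HEAD + r"([^:]+)" + _TAIL)  # shipped snort-stat capture
FIXED_RE = re.compile(_HEAD + r"(.*)" + _TAIL)        # the post's replacement

# Same clean-up the diff adds ($sig =~ s/(\s+\[.*\])//): drop the trailing
# "[Classification: ...] [Priority: N]" text from the signature.
_TRAILING_BRACKETS = re.compile(r"\s+\[.*\]")


def parse_snort_alerts(text, pattern=FIXED_RE):
    """Return one dict per line that `pattern` recognises as a snort alert."""
    alerts = []
    for line in text.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        (month, day, hour, minute, second, host, _pid,
         sig, saddr, sport, daddr, dport) = m.groups()
        alerts.append({
            "month": month,
            "day": int(day),
            "time": f"{hour}:{minute}:{second}",
            "host": host,
            "sig": _TRAILING_BRACKETS.sub("", sig, count=1),
            "saddr": saddr,
            "sport": sport or None,   # absent for ICMP-style entries
            "daddr": daddr,
            "dport": dport or None,
        })
    return alerts


def count_by_signature(alerts):
    """The kind of per-signature tally snort-stat produces from the parsed entries."""
    counts = {}
    for a in alerts:
        counts[a["sig"]] = counts.get(a["sig"], 0) + 1
    return counts


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL_RE), ("fixed", FIXED_RE)):
        found = parse_snort_alerts(SAMPLE_LOG, pattern)
        print(f"{name}: {len(found)} alert(s) recognised")
        for a in found:
            print(f"  {a['sig']!r}  {a['saddr']}:{a['sport']} -> {a['daddr']}:{a['dport']}")
    print(count_by_signature(parse_snort_alerts(SAMPLE_LOG)))
```

Run stand-alone, the original pattern recognises only the colon-free third line, while the fixed pattern recovers all three snort entries and ignores the sshd line; the greedy `(.*)` backtracks to the last `: ` that is followed by an address pair, so a `:port` suffix on either address does not confuse it.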