For When You Can't Have The Real Thing
[ start | index | login ]
start > snort > Snort Alert Log Parser

Snort Alert Log Parser

Created by dave. Last edited by dave, 9 years and 20 days ago. Viewed 3,255 times. #2
[diff] [history] [edit] [rdf]
labels
attachments

A simple snort alert log parser

This script presumes that the alert log has been rotated and compressed. I run it out of /etc/cron.daily after the logcheck and logrotation scripts have run.

If you want to exclude low-frequency events, change the 0 in the awk expression to a threshold (ie 20).

#!/bin/bash
#
# This file runs post-rotation
# It lists the events by frequency
# man sort and man uniq to see what the flags do :)

FILE=/var/log/snort/alert.1.gz ( LINES=`zcat $FILE | wc -l` zcat $FILE | sort -k 4 | uniq -s 21 -c -d | awk '$1 > 0 {print $0,"n"}' | sort -nr echo echo $FILE information: ls -l $FILE echo $LINES lines considered ) | mail -s "Snort report" root

(Based on >>this.)

no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful:


snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt