A simple snort alert log parser
This script presumes that the alert log has been rotated and compressed. I run it out of /etc/cron.daily after the logcheck and logrotation scripts have run.
If you want to exclude low-frequency events, change the 0 in the awk expression to a threshold (e.g. 20). Note that uniq -d already drops any alert that appears only once, so the default report starts at two occurrences, and that the whole pipeline assumes Snort's single-line ("fast") alert format: uniq compares lines, so multi-line "full" alerts would not be counted correctly.
#!/bin/bash
#
# This file runs post-rotation
# It lists the events by frequency
# man sort and man uniq to see what the flags do :)
#
# Assumes the single-line ("fast") alert format. Each line starts with a
# 21-character timestamp (MM/DD-HH:MM:SS.uuuuuu); uniq -s 21 skips it so that
# repeats of the same alert compare equal, and uniq -d keeps only alerts that
# occurred more than once. The awk '$1 > 0' is the frequency threshold.

FILE=/var/log/snort/alert.1.gz

(
LINES=$(zcat "$FILE" | wc -l)
zcat "$FILE" | sort -k 4 | uniq -s 21 -c -d | awk '$1 > 0 {print $0}' | sort -nr
echo
echo "$FILE information:"
ls -l "$FILE"
echo "$LINES lines considered"
) | mail -s "Snort report" root
(Based on this.)
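The shell pipeline above relies on a fixed 21-character offset to skip the timestamp and on sort/uniq to group identical lines. As an added example (not the original script, and not part of the page it was based on), here is the same summary done by parsing each fast-format alert into its fields (gid:sid:rev, message, classification, priority, protocol, source and destination), which also lets the report show the top source hosts per signature and count lines that failed to parse. The sample alert lines are constructed for this example: RFC 5737 addresses, SIDs in the local 1000000+ range and made-up rule messages.

```python
"""Added example: parse Snort "fast" alert lines with a regex and summarise
them by signature, instead of relying on fixed character offsets."""
import gzip
import re
from collections import Counter, defaultdict

# One Snort fast-format alert per line. The [Classification: ...] block is
# optional because rules without a classtype omit it.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s*"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample alerts (not real Snort output); the last line is junk.
SAMPLE = """\
01/23-10:15:01.123456  [**] [1:1000001:2] LOCAL SCAN inbound SYN sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44123 -> 192.0.2.10:22
01/23-10:15:02.223456  [**] [1:1000001:2] LOCAL SCAN inbound SYN sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44124 -> 192.0.2.10:23
01/23-10:16:40.000001  [**] [1:1000002:1] LOCAL WEB sensitive path probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51000 -> 192.0.2.10:80
01/23-10:17:12.555555  [**] [1:1000001:2] LOCAL SCAN inbound SYN sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40001 -> 192.0.2.10:22
01/23-10:18:03.000000  [**] [1:1000003:1] LOCAL ICMP ping from outside [**] [Priority: 3] {ICMP} 203.0.113.5 -> 192.0.2.10
01/23-10:19:00.000000  [**] [1:1000002:1] LOCAL WEB sensitive path probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51002 -> 192.0.2.10:80
this line is not an alert
"""


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast-format alert."""
    m = ALERT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        a[k] = int(a[k])
    return a


def host_of(endpoint):
    """'198.51.100.7:44123' -> '198.51.100.7'; a bare address (ICMP) is returned as is.
    Assumes IPv4 endpoints; an IPv6 address without a port would be split wrongly."""
    host, sep, port = endpoint.rpartition(":")
    return host if sep and port.isdigit() else endpoint


def summarise(lines, threshold=0):
    """Count alerts per (gid, sid, msg). Return rows with count > threshold,
    most frequent first, plus the number of non-blank lines that did not parse."""
    counts, sources, prio = Counter(), defaultdict(Counter), {}
    skipped = 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            if line.strip():          # blank lines are ignored silently
                skipped += 1
            continue
        key = (a["gid"], a["sid"], a["msg"])
        counts[key] += 1
        sources[key][host_of(a["src"])] += 1
        prio[key] = a["prio"]
    rows = []
    for key, n in counts.items():
        if n > threshold:
            gid, sid, msg = key
            rows.append({"count": n, "gid": gid, "sid": sid, "msg": msg,
                         "priority": prio[key],
                         "top_sources": sources[key].most_common(3)})
    rows.sort(key=lambda r: (-r["count"], r["priority"], r["sid"]))
    return rows, skipped


def format_report(rows, skipped):
    """Plain-text report suitable for piping to mail, like the shell version."""
    out = [f"{r['count']:6d}  [{r['gid']}:{r['sid']}] P{r['priority']} {r['msg']}  "
           f"top src: {', '.join(f'{h} ({c})' for h, c in r['top_sources'])}"
           for r in rows]
    out.append(f"{skipped} unparsed line(s)")
    return "\n".join(out)


def load_alerts(path):
    """Read a plain or gzip-compressed alert file (e.g. alert.1.gz after logrotate)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return fh.readlines()


if __name__ == "__main__":
    rows, skipped = summarise(SAMPLE.splitlines(), threshold=0)
    print(format_report(rows, skipped))
```

To run it against a rotated log, replace `SAMPLE.splitlines()` with `load_alerts("/var/log/snort/alert.1.gz")`. Counting unparsed lines is worth keeping in the report: a sudden jump usually means the output format changed (a Snort upgrade, or full rather than fast alerts) and the counts are no longer trustworthy.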