I am using Snort and would like to use swatch so that when particular
attack occurs swatch runs that
script.
I need little advice here .. i want my script to parse out the IP
addresses from the same alert which
is triggered by rule..
Any descriptive ideas will be helpful or if somebody has ready script
shall be helpful to me before i
spend lots of time to reinvent the wheel.
You'll need to configure a swatch regex for Snort alerts so that it makes a
token out of the data you want to reference. Example:
Snort alert:
May 31 14:33:08 arnold snort[19228]: DNS named version attempt: 1.2.3.4:2888
-> 172.16.1.103:53
Swatch watchfor config:
watchfor /(^.* arnold snort.*:)(.*:
)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5}) \-\>
(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5})
throttle threshold=1,delay=0:1:0,key=$3
# exec "/opt/t00lz/spike.sh $3"
So the swatch config example takes a typical Snort syslog alert and makes
the following tokens with that fugly regex:
$1 - date, box, proc, pid
$2 - rule msg field
$3 - src IP
$4 - src port
$5 - dst IP
$6 - dst port
The second line makes $3 (src IP) the key, and the third line passes it as
argv[1] to /opt/t00lz/spike.sh. (This is an example - I don't actually DoS
folks that trigger Snort alerts.) The end result would be that swatch would
see the example alert and run '/opt/t00lz/spike.sh 1.2.3.4'
Make sense?
PaulM
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
