Posts Tagged snort

Snort Log Parser

Hey guys, I’d like to share a script I wrote to make reporting simpler for Snort. Snort is an open source intrusion detection / prevention system. It blocks or detects packets based on rules. It’s an awesome security tool to see exactly what is going on in your network and offers great protection if you decide to put it in prevention mode. And it’s all free!

I installed it on my very old Compaq computer which runs Ubuntu server edition. Didn’t really have a reason, just wanted to see how it works… I’ll be getting rid of it soon since it slows down the network (Counter Strike and Snort don’t mix).

Anyway, to check the logs I had to SSH to the Compaq (that computer has no monitor) and manually go through the logs. Usually the same event would’ve tripped 400 times in a row. Scrolling through all of this and logging into the Compaq every time was a pain. So I wrote a bash script that bundled the same events together, output the number of times they occurred and emailed this information to me every day. Now all I had to do was check my email. I also added a threshold so it would only email rules that tripped at least 20 times.

I’m sure this method isn’t as efficient as some of the other parsers that are out there…but this one’s awesome since I made it! Here it is…
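The post’s own script does not appear on this page. What follows is an added example, not the author’s code, of the approach the post describes: read Snort alerts in the default "fast" format, group lines by rule, count how often each rule fired, keep only rules that reached the threshold (20 by default, as in the post), and hand the summary to `mail` if it is installed. The alert lines are constructed for the example, and the SIDs 1000001 to 1000003 are placeholders in the local-rules range, not real Snort rules; `summarize_alerts`, `email_report` and the `THRESHOLD` variable are names chosen here.

```bash
#!/usr/bin/env bash
# Added example (not the post's script): summarize Snort fast-format alerts by
# rule, apply a minimum-hit threshold, and produce a daily report.
set -eu

# Minimum number of hits a rule needs before it is reported (post uses 20).
THRESHOLD="${THRESHOLD:-20}"

# summarize_alerts FILE [THRESHOLD]
# Prints "<count> [gid:sid:rev] message" lines, most frequent first, for every
# rule that fired at least THRESHOLD times.  The rule identity is the text
# between the two "[**]" markers of Snort's fast-alert format.
summarize_alerts() {
    local file="$1" threshold="${2:-$THRESHOLD}"
    awk -v min="$threshold" '
        # Take everything from the first "[**] " up to the closing " [**]".
        match($0, /\[\*\*\] .* \[\*\*\]/) {
            rule = substr($0, RSTART + 5, RLENGTH - 10)
            count[rule]++
        }
        END {
            for (r in count)
                if (count[r] >= min)
                    printf "%d %s\n", count[r], r
        }
    ' "$file" | sort -rn
}

# email_report FILE RECIPIENT
# Builds the report and sends it with mail(1) when an MTA is available;
# otherwise prints it so the script still works on a box without mail set up.
# Run it from a daily cron job to get the "check your email" workflow.
email_report() {
    local file="$1" rcpt="$2" body
    body="$(summarize_alerts "$file")"
    [ -n "$body" ] || body="No rule reached the threshold of $THRESHOLD hits."
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$body" | mail -s "Snort daily summary $(date +%F)" "$rcpt"
    else
        printf '%s\n' "$body"
    fi
}

# Constructed sample alert log (made up for this example): one rule fires 25
# times, one 3 times, one exactly 20 times.  Addresses are from 192.0.2.0/24,
# the documentation range, and the SIDs are local-rules placeholders.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
{
    for i in $(seq 1 25); do
        printf '01/24-10:%02d:00.000000  [**] [1:1000001:1] LOCAL ssh scan probe [**] [Priority: 3] {TCP} 192.0.2.10:%d -> 192.0.2.20:22\n' "$i" $((40000 + i))
    done
    for i in $(seq 1 3); do
        printf '01/24-11:%02d:00.000000  [**] [1:1000002:1] LOCAL odd ICMP [**] [Priority: 3] {ICMP} 192.0.2.11 -> 192.0.2.20\n' "$i"
    done
    for i in $(seq 1 20); do
        printf '01/24-12:%02d:00.000000  [**] [1:1000003:2] LOCAL web probe [**] [Priority: 2] {TCP} 192.0.2.12:%d -> 192.0.2.20:80\n' "$i" $((50000 + i))
    done
} > "$SAMPLE_LOG"

# Stand-alone run: print the summary for the sample (two rules reach 20 hits).
summarize_alerts "$SAMPLE_LOG"
```

Grouping on the `[gid:sid:rev] message` text rather than the whole line is what collapses the "400 times in a row" repeats: the timestamp and source port differ on every hit, but the rule identity does not. The threshold is applied after counting, so a noisy rule that trips 19 times simply drops out of the mail rather than being cut off mid-list.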
