Installing SnortAlog with Snort Log Intrusion Detection System Rotation | A non-stock, non-profit organization composed of individuals dedicated to promoting open source software. Batangas, Philippines

Tuesday, December 12, 2006

Installing SnortAlog with Snort Log Intrusion Detection System Rotation

Installing SnortAlog with Snort Log Rotation

This document shows how to generate a weekly Snort report as a PDF file and rotate the Snort logs automatically once the weekly report has been generated.


1. Download the latest SnortAlog at http://jeremy.chartier.free.fr/snortalog/downloads/snortalog/

#wget http://jeremy.chartier.free.fr/snortalog/downloads/snortalog/snortalog_v2.4.0.tgz

#tar -xvzf snortalog_v2.4.0.tgz

2. Download and install the requirements of SnortAlog, listed at

http://jeremy.chartier.free.fr/snortalog/download.html

3. This is an edited version of a script I found on the Snort mailing list. My promiscuous-mode (sniffing) Ethernet interface is eth1.

snort_log_rotation

#!/bin/sh
#
# Logfile rotation script for snort written by jameso@elwood.net.
#
# This script is pretty basic. We start out by setting some vars.
# Its job is to rotate the day's logfiles, e-mail you with what
# it logged, keep one week's worth of uncompressed logs, and also
# keep compressed tgz files of all the logs. It is made to be run
# at midnight every night. This script expects you to have a base
# dir that you keep all of your logs, rule sets etc. in. You can
# see what sub dirs it expects from looking at the var settings
# below.
#
# Things to note in this script is that we run this script at 12
# every night, so we want to set the dirdate var to the day the script
# runs minus a day so we label the files with the correct day. We
# then create a dir for the day's logs, move the log files into
# today's dir. As soon as that is done restart snort so we don't miss
# anything. Then delete any logs that are uncompressed and over a
# week old. Then compress today's logs and archive them away, and
# end up by mailing out the logs to you.
#
# Define where you have the base of your snort install
#snortbase=/usr/snort
snortbase=/var/log/snort

# Define other vars
# logdir - Where the logs are kept
# oldlogs - Where you want the archived .tgz logs kept
# weeklogs - This is where you want to keep a week's worth of log files uncompressed
# dirdate - Today's date in Month - Day - Year format
# olddirdate - Today's date in the same format as dirdate, minus a week
logdir=$snortbase
oldlogs=$snortbase/oldlogs
weeklogs=$snortbase/weeklogs

# When I first wrote this script, I only ran it on BSD systems. That was a
# mistake, as BSD systems have a date command that apparently lets you walk the
# date back pretty easily. Well, some systems don't have this feature, so I had
# to change the way that dates are done in here. I left in the old way, because
# it is cleaner, and I added in a new way that should be portable. If anyone
# has any problems, just let me know and I will try to fix it.
#
# You have to change the system var to either bsd or other. Set it to bsd if
# your system supports the "-v" flag. If you are not sure, set it to other.
# "other" uses GNU date's -d option (Linux); subtracting from the day number
# alone would produce wrong labels on the first days of a month.
system=other

if [ "$system" = bsd ]
then
    dirdate=`date -v -1d "+%m-%d-%y"`
    olddirdate=`date -v -8d "+%m-%d-%y"`
else
    dirdate=`date -d "1 day ago" "+%m-%d-%y"`
    olddirdate=`date -d "8 days ago" "+%m-%d-%y"`
fi

# Make sure the archive dirs exist, then create the dir for today's logs.
mkdir -p "$oldlogs" "$weeklogs"
if [ ! -d "$weeklogs/$dirdate" ]
then
    mkdir "$weeklogs/$dirdate"
fi

# Move the log files into today's log dir. This is done with
# a for loop right now, because I am afraid that if a lot is
# logged there may be too many items to move with a "mv *"
# type command. There may be a better way to do this, but I don't
# know it yet.
# oldlogs and weeklogs live under $logdir too, so they are skipped;
# otherwise the archive dirs would be swept into the day's directory.
for logitem in "$logdir"/* ; do
    case "$logitem" in
        "$oldlogs"|"$weeklogs") continue ;;
    esac
    mv "$logitem" "$weeklogs/$dirdate"
done

# Kill and restart snort now that the log files are moved.
#kill `cat /var/run/snort_fxp0.pid`
pid=`ps -ef | grep 'snort -i eth1' | grep -v grep | awk '{print $2}'`
# SIGTERM lets snort close its log files cleanly; SIGKILL would not.
if [ -n "$pid" ]
then
    kill $pid
    sleep 2
fi

# Restart snort in the correct way for you
#/usr/local/bin/snort -i fxp0 -d -D -h homeiprange/28 -l /usr/snort/log \
#-c /usr/snort/etc/08292k.rules > /dev/null 2>&1
/usr/local/bin/snort -i eth1 -c /etc/snort/snort.conf -D > /dev/null 2>&1

# Delete any uncompressed log files that are over a week old.
if [ -d "$weeklogs/$olddirdate" ]
then
    rm -r "$weeklogs/$olddirdate"
fi

# Compress and save the log files to keep for as long as you want.
# This is done in a sub-shell because we change dirs, and I don't want
# to do that within the shell that the script runs in.
( cd "$weeklogs" && tar zcvf "$oldlogs/$dirdate.tgz" "$dirdate" > /dev/null 2>&1 )

# Mail out the log files for today.
#cat $weeklogs/$dirdate/snort.alert | mail -s "Snort logs" you@domain.com
#cat $weeklogs/$dirdate/snort_portscan.log | mail -s "Snort portscan logs" you@domain.com

snortalog_rotation

#!/bin/sh
# Weekly report: build a PDF from the current alert file with SnortAlog,
# then rotate the logs with snort_log_rotation. Both scripts and
# snortalog.pl live in the same directory, so change into it first
# (cron does not start in that directory).
cd "`dirname "$0"`" || exit 1

# Same label as the rotation script: yesterday's date (GNU date).
dirdate=`date -d "1 day ago" "+%m-%d-%y"`

./snortalog.pl -file /var/log/snort/alert -r -report -o "$dirdate.pdf"
./snort_log_rotation

The snort_log_rotation and snortalog_rotation scripts were saved inside the snortalog folder and given execute permission. You can experiment with the other options that are commented out in the script.
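Both scripts label each day's directory with yesterday's date, and the label has to step back correctly across month and year boundaries (the 1st of a month, 1 January) or the day's logs end up in a mislabelled directory and the week-old cleanup never finds its target. The following is an added example, not part of the original post or of the mailing-list script: a POSIX sh function that computes the MM-DD-YY label N days back without depending on BSD date -v or GNU date -d, so it runs the same on any /bin/sh. The input date format (YYYY-MM-DD), the function names and the demo date are my own choices.

```shell
#!/bin/sh
# days_in_month YEAR MONTH -> prints the number of days in that month,
# with the Gregorian leap-year rule (divisible by 4, except centuries
# unless divisible by 400).
days_in_month() {
    y=$1; m=$2
    case $m in
        1|3|5|7|8|10|12) echo 31 ;;
        4|6|9|11) echo 30 ;;
        2)
            if [ $((y % 4)) -eq 0 ] && { [ $((y % 100)) -ne 0 ] || [ $((y % 400)) -eq 0 ]; }; then
                echo 29
            else
                echo 28
            fi ;;
    esac
}

# days_ago YYYY-MM-DD N -> prints the date N days earlier as MM-DD-YY,
# the same label format the rotation scripts use for dirdate/olddirdate.
days_ago() {
    dy=${1%%-*}; rest=${1#*-}; dm=${rest%%-*}; dd=${rest#*-}
    # Strip a leading zero so "08" is treated as 8, not as an invalid octal literal.
    dm=${dm#0}; dd=${dd#0}
    n=$2
    while [ "$n" -gt 0 ]; do
        dd=$((dd - 1))
        if [ "$dd" -lt 1 ]; then
            # Walked past the 1st: go to the last day of the previous month,
            # wrapping from January back to December of the previous year.
            dm=$((dm - 1))
            if [ "$dm" -lt 1 ]; then
                dm=12
                dy=$((dy - 1))
            fi
            dd=$(days_in_month "$dy" "$dm")
        fi
        n=$((n - 1))
    done
    printf '%02d-%02d-%02d\n' "$dm" "$dd" $((dy % 100))
}

# Demo with a constructed date so the output is fixed; in the real scripts
# you would use today=$(date +%Y-%m-%d) instead.
today=2006-12-12
echo "dirdate=$(days_ago "$today" 1) olddirdate=$(days_ago "$today" 8)"
```

The two calls replace the dirdate/olddirdate assignments in either branch of the rotation script: dirdate is `days_ago "$today" 1` and olddirdate is `days_ago "$today" 8`. Because the function walks the calendar one day at a time, the cleanup step's olddirdate lines up with the directory created eight runs earlier even when that run happened in a different month.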

#./snortalog_rotation

Running it writes the weekly report PDF named after the date, then restarts Snort and recreates the Snort log file under /var/log/snort/. Add this to your weekly cron jobs.
