Stellarcore.net
Search: Google
Whois
 Links of the Moment: Nekochan  Apple Computers

This is the log rotation script and nightly report generator that I use with snort. It is missing the final purge section which is different from install to install. The original client I wrote this for had a 23gb var partition, and the machines only purpose was to run snort, so it was no problem keeping the tar files around for over a year.

You'll notice I use snort_stat.pl to generate the reports. I did a fair amount of testing and found snort_stat.pl by Yen-Ming Chen to be good choice, plus it is was easy to modify where needed. Check out http://www.snort.org/dl/contrib/data_analysis/ for this file and more.

The other piece of code you'll see referenced is the ids_mailer.pl which is simply a secure sendmail interface to send out the nightly reports. I'm not going to post it at this time since there is really nothing to be learned from it.

#!/bin/sh

# Shell script for IDS user cron job which will
# handle generating reports via snort_stat.pl
# and email the results via ids_mailer.pl
#
# Written by Mike Tremaine  
# Copyright 12/12/2002

###########################
#Check date if its 1st of month
#Tar up all .reports into a monthly tar.gz
#Todo:
#Question is how long to keep the monthly tar? 12months?
#last thing should be to remove 13month ago tar from each?

#Globals
check_day=`date +%e`
month_label=`date -d yesterday +%Y-%m`
date=`date -d yesterday +%Y-%m-%d`
last_week=`date -d -192hours +%Y-%m-%d`
last_month=`date -d -1month +%Y-%m`

###########################
#Get yesterday in log file format (see my snortd) -mgt

if ! [ -f /var/log/snort/ids_reports/$date.report ]; then
	cat /var/log/snort/logs_$date/alert | /var/log/snort/bin/snort_stat.pl -r > \
	/var/log/snort/ids_reports/$date.report
	/var/log/snort/bin/ids_mailer.pl $date 
fi

###########################
#Next tar up log directory from 7days ago
cd /var/log/snort

if [ -d /var/log/snort/logs_$last_week ]; then
	tar cfz /var/log/snort/logs_$last_week.tar.gz ./logs_$last_week/

	if [ -s /var/log/snort/logs_$last_week.tar.gz ]; then
		rm -r -f ./logs_$last_week
	fi
fi

#########################
#Tar up reports if its the 1st

if [ $check_day = 1 ] &&  [ -f /var/log/snort/ids_reports/$date.report ]; then
	cd /var/log/snort/ids_reports
	tar cfz /var/log/snort/ids_reports/$month_label.tar.gz ./$month_label-*.report

	if [ -s /var/log/snort/ids_reports/$month_label.tar.gz ]; then
		rm -f ./$month_label-*.report
	fi
fi

##########################
#Next create monthly tars to hold dailies
#ON the 15th

if [ $check_day = 15 ] && \
	[ -f /var/log/snort/logs_$last_month-15.tar.gz ]; then
	tar cf /var/log/snort/logs_$last_month.tar ./logs_$last_month-*.tar.gz

	if [ -s /var/log/snort/logs_$last_month.tar ]; then
		rm -f ./logs_$last_month-*.tar.gz
	fi
fi


exit 0