@jeffgeiger
Last active June 10, 2016 14:57
Snort fixes for ROCKNSM.
#!/bin/bash
# Move every rotated unified2 spool file except the newest one into
# /data/snort/OLD so the spool directory does not fill up.
COUNT=$(ls -tr /data/snort/snort.alert.* | wc -l)   # spool files, oldest first
OLDCOUNT=$(( COUNT - 1 ))                            # all but the newest
for i in $(ls -tr /data/snort/snort.alert.* | head -n "$OLDCOUNT"); do
#DEBUG
#echo "$i"
mv "$i" /data/snort/OLD/
done
exit 0

BLUF

These changes should keep snort and bro working together in ROCK. I've tested it on 3 production instances and it's held up for almost 2 weeks.

Create the dir for old snort logs
mkdir /data/snort/OLD

Add the snort_cleanup.sh (content below)
vim /usr/local/bin/snort_cleanup.sh # Insert content
chmod +x /usr/local/bin/snort_cleanup.sh

Add a cron entry to run the cleanup
crontab -e # Add the following:

#Snort Cleanup
58 * * * * /usr/local/bin/snort_cleanup.sh > /var/log/snort_cleanup.log 2>&1

Modify the snort config
Find the alert_unified2 output line and replace it with this:
output alert_unified2: filename snort.alert, limit 10

Restart snort
systemctl restart snortd

Move the old snort log
mv /data/snort/snort.alert /data/snort/OLD/
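As an added example (not the gist's snort_cleanup.sh), the same spool rotation written so it does not parse `ls` output, keeps the newest KEEP files in place (KEEP=1 matches the gist), and also prunes the OLD directory by age; the function names, the KEEP and age parameters, and the GNU find/sort/tail/cut options are assumptions.

```bash
#!/bin/bash
# Added example, not the gist's snort_cleanup.sh: the same unified2 spool
# rotation, but without parsing `ls`, keeping the newest KEEP files in place
# (KEEP=1 matches the gist) and pruning archived files by age.
# Assumes GNU find, sort, tail and cut (the -z / -printf options).
set -euo pipefail

# rotate_snort_spool SPOOL_DIR ARCHIVE_DIR KEEP
#   Moves every snort.alert.* file in SPOOL_DIR except the KEEP newest (by
#   mtime, so the file snort is still writing stays put) into ARCHIVE_DIR.
#   Prints the number of files moved.
rotate_snort_spool() {
    local spool="$1" archive="$2" keep="$3" moved=0 path
    mkdir -p "$archive"
    # NUL-separated "mtime path" records, newest first; drop the first KEEP.
    while IFS= read -r -d '' path; do
        mv -- "$path" "$archive"/
        moved=$((moved + 1))
    done < <(find "$spool" -maxdepth 1 -type f -name 'snort.alert.*' -printf '%T@ %p\0' \
             | LC_ALL=C sort -z -rn \
             | tail -z -n +"$((keep + 1))" \
             | cut -z -d' ' -f2-)
    echo "$moved"
}

# prune_archive ARCHIVE_DIR MAX_AGE_DAYS
#   Deletes archived snort.alert.* files not modified in MAX_AGE_DAYS days
#   and prints how many were removed.
prune_archive() {
    local archive="$1" days="$2" removed=0 path
    while IFS= read -r -d '' path; do
        rm -f -- "$path"
        removed=$((removed + 1))
    done < <(find "$archive" -maxdepth 1 -type f -name 'snort.alert.*' \
                  -mtime +"$days" -print0)
    echo "$removed"
}

# Cron usage with the gist's paths (assumed): snort_rotate.sh /data/snort /data/snort/OLD 1 30
if [ "$#" -ge 2 ]; then
    rotate_snort_spool "$1" "$2" "${3:-1}"
    prune_archive "$2" "${4:-30}"
fi
```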
