satanklawz has asked for the wisdom of the Perl Monks concerning the following question:

So far everyone here has been really helpful, and has helped me complete 2 projects, which I greatly appreciate. My question is this one:

Snort, the open-source IDS, can only output its results to a file from my experience. Assuming what I just said is 100% true, this is my question: How would I go about constructing a Perl script that reads from that file and only returns the changes from it? I.e., the script would read it once, and then the next time it reads it the script returns only the differences (changes) to the logfile.

So far, what I have seen is seek() and I tell it to read from the EOF and backwards... But if that is the method, how does one get it to detect "Oh, I know that part... I read it from the last time I did analysis of this file."?

Any help is greatly appreciated.

russ

Re: Snort
by grep (Monsignor) on Jan 15, 2002 at 11:09 UTC
    Your tool has already been created on *nix (or cygwin). It's 'diff'; 'diff' is an awesome little tool, and fast. Just save the previous copy of what you want to compare to and run 'diff prev_file current_file'. It prints the differences between the 2.

    If you want to pursue the Perl solution for academic reasons: copy a previous file, open the previous file and the current file, read them into arrays, and compare the 2 arrays.

    UNTESTED
    #!/usr/bin/perl -w
    use strict;

    open (FH, "<prev_file") or die "prev_file: $!";
    my @prev = <FH>;
    close FH;
    open (FH, "<current") or die "current: $!";
    my @current = <FH>;
    close FH;

    # compare line by line; lines beyond the end of prev_file are all new
    my $last = $#prev > $#current ? $#prev : $#current;
    foreach (0 .. $last) {
        my $p = defined $prev[$_]    ? $prev[$_]    : '';
        my $c = defined $current[$_] ? $current[$_] : '';
        print $c if ($p ne $c);
    }


    Don't recreate a good wheel - apropos is your friend

    grep
    grep> cd pub grep> more beer
      Okay, thanks. Are there any other ways you can think of?
        Store the length of the file in a temporary file, and then use that as the offset to seek into the file next time. If it doesn't put you back at the end of the file, then read all the new entries... then store the new length for the next check. Just make sure you check the return from the seek, as the log file may have been rotated between runs... in that case just read from the beginning.
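A worked version of the stored-offset approach described in the reply above, as an added example that is not code from the original thread. It assumes Perl with only core modules; the file names, the `new_lines` function, the inode-plus-offset state record and the sample alert lines are all made up for the demonstration and are not real Snort output. It goes slightly beyond the reply by also checking the inode, since a rotated log that has already grown past the old offset would otherwise look like the same file.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:seek);
use File::Temp qw(tempdir);

# Return the lines appended to $log since the last call.  The byte offset
# where reading stopped (plus the file's inode) is kept in $state so the
# next call resumes there.  If the inode changed or the file is now shorter
# than the stored offset, the log was rotated or truncated: read from the top.
sub new_lines {
    my ($log, $state) = @_;

    open(my $fh, '<', $log) or die "$log: $!";
    my @st    = stat($fh);
    my $inode = $st[1];
    my $size  = $st[7];

    my ($old_inode, $offset) = (0, 0);
    if (open(my $sf, '<', $state)) {
        my $saved = <$sf>;
        close $sf;
        ($old_inode, $offset) = split ' ', $saved if defined $saved;
    }

    # seek() succeeds past EOF on most systems, so the size check is what
    # actually catches a rotated/truncated file; the inode check catches a
    # new file that happens to be larger than the old offset already.
    $offset = 0 if $inode != $old_inode || $offset > $size;

    unless (seek($fh, $offset, SEEK_SET)) {
        $offset = 0;
        seek($fh, 0, SEEK_SET) or die "seek $log: $!";
    }

    my @lines = <$fh>;
    my $pos   = tell($fh);
    close $fh;

    # A last line without a newline is still being written; leave it for the
    # next run rather than reporting half an alert.
    if (@lines && $lines[-1] !~ /\n\z/) {
        $pos -= length $lines[-1];
        pop @lines;
    }

    open(my $out, '>', $state) or die "$state: $!";
    print $out "$inode $pos\n";
    close $out;

    return @lines;
}

# --- constructed demonstration; these are not real Snort alerts ---
my $dir   = tempdir(CLEANUP => 1);
my $log   = "$dir/alert";
my $state = "$dir/alert.offset";

sub append_to_log {
    open(my $fh, '>>', $log) or die "$log: $!";
    print $fh @_;
    close $fh;
}

append_to_log("alert one\n", "alert two\n");
print "first run:\n",      new_lines($log, $state);

append_to_log("alert three\n");
print "second run:\n",     new_lines($log, $state);

# simulate logrotate: the old file is moved aside and a fresh one appears
rename($log, "$log.1") or die "rename: $!";
append_to_log("alert four\n");
print "after rotation:\n", new_lines($log, $state);
```

The script is meant to be run from cron: each run reports only what arrived since the previous run, the state file is the only thing carried between runs, and the partial-line check keeps an alert that Snort is in the middle of writing from being reported twice (once cut off, once whole).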
        What don't you like about grep's solutions? His two points are completely valid. Is there something else that you are looking for?

        metadoktor

        "The doktor is in."

Re: Snort
by Juerd (Abbot) on Jan 15, 2002 at 15:53 UTC
Re: Snort
by mrbbking (Hermit) on Jan 15, 2002 at 19:02 UTC
    You might want to check out Tripwire, an application that notices when files change. Documentation for it is here.

    I have not used it myself - and it's not Perl - but it might be what you're looking for, even so.

      Heheh, well, that isn't what I'm looking for. I do run Tripwire, but it doesn't do IDS... it just monitors file changes. This is for an IDS project.
Re: Snort output; report changes only?
by Anonymous Monk on Jan 16, 2002 at 22:07 UTC

    you may be wanting to do something like this:

    
    use strict;
    use warnings;
    use File::Tail;

    # File::Tail->new takes named parameters; 'name' is the file to follow
    my $fh = File::Tail->new(name => '/var/log/mylog.log', #other params
    ) || die "can't find logfile";

    my $report_every = (5 * 60);   # email every 5 minutes
    my $last_report  = time;       # 5 minutes before first report

    my %stats;
    sub gather_statistics { $stats{lines}++ }               # placeholder: count lines seen
    sub email_report      { print "$stats{lines} lines\n" } # placeholder: mail the counters
    sub reset_counters    { %stats = () }

    while (defined(my $line = $fh->read)) {   # read() blocks until a line arrives
      gather_statistics($line);
      if ( (time - $last_report) > $report_every ) {
         email_report();
         reset_counters();
         $last_report = time;
      }
    }
    

    File::Tail will take care of log rotation. This can run as a daemon, watch all the stuff from the log a line at a time, and report every so often. I've used something similar to monitor router logs. Be prepared for lots of email.

    Snort does have the ability to log to syslog or a UNIX Socket which might suit your needs.

    If you're looking for *changes* (not additions) to the logs, diff is the answer.