in reply to Snort output; report changes only?

Your tool has already been created on *nix (or Cygwin). It's 'diff'. 'diff' is an awesome little tool, and fast. Just save the previous copy of what you want to compare to and run 'diff prev_file current_file'. It prints the differences between the two.

If you want to pursue the Perl solution for academic reasons: copy a previous file, open the previous file and the current file, read them into arrays, and compare the two arrays.

UNTESTED
#!/usr/bin/perl -w
use strict;

# Read both files into arrays, one line per element.
open(FH, "<prev_file") or die "prev_file: $!";
my @prev = <FH>;
close FH;
open(FH, "<current") or die "current: $!";
my @current = <FH>;
close FH;

# Compare line by line up to the end of the longer file, so lines appended
# to the current file (the usual case for a growing log) are reported too,
# and a missing line on either side compares as empty instead of undef.
my $last = $#prev > $#current ? $#prev : $#current;
foreach (0 .. $last) {
    my $p = defined $prev[$_]    ? $prev[$_]    : '';
    my $c = defined $current[$_] ? $current[$_] : '';
    print $c if $p ne $c;
}


Don't recreate a good wheel - apropos is your friend

grep
grep> cd pub
grep> more beer

Re: Re: Snort
by satanklawz (Beadle) on Jan 15, 2002 at 11:14 UTC
    Okay, thanks. Are there any other ways you can think of?
      Store the length of the file in a temporary file, and then use that as the offset to seek into the file next time. If it doesn't put you back at the end of the file, then read all the new entries, then store the new length for the next check. Just make sure you check the return from the seek, as the log file may have been rotated between runs; in that case just read from the beginning.
      What don't you like about grep's solutions? His two points are completely valid. Is there something else that you are looking for?

      metadoktor

      "The doktor is in."

        Well, my only concern is this. Let's say the snort log file gets to be 25 megs in size; it dups it. Thus, 50 megs of HD space. That's my only concern. I do agree that that method works, I'm just wondering if there is another one that doesn't tie up as many system resources and such.
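The offset-and-seek approach suggested above, written out as an added example (this is not code from anyone in the thread), addresses the disk-space concern: the only state kept between runs is a few bytes holding the last offset and the log's inode, not a second copy of the log. The log and state file paths are assumptions; pass your own as arguments. One caveat worth knowing: seek() past the end of a file succeeds on most systems, so the return value of seek alone will not reveal that the log was rotated. The example instead compares the stored inode and offset against the current file and rereads from the start when they disagree.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(SEEK_SET);

# Added example, not code from the thread: print only the lines appended to
# a log since the previous run, without keeping a full copy of the file.
# The default paths below are assumptions for illustration.
my $log   = @ARGV ? shift @ARGV : '/var/log/snort/alert';
my $state = @ARGV ? shift @ARGV : "$log.state";

# The state file holds "<offset> <inode>" from the previous run.
# A missing or unparsable state file means "first run": read everything.
my ($offset, $prev_ino) = (0, -1);
if (open my $sfh, '<', $state) {
    my $line = <$sfh>;
    close $sfh;
    ($offset, $prev_ino) = ($1, $2)
        if defined $line && $line =~ /^(\d+)\s+(\d+)$/;
}

open my $fh, '<', $log or die "open $log: $!";
my ($ino, $size) = (stat $fh)[1, 7];

# Rotation/truncation check. seek() beyond EOF succeeds on most systems, so
# its return value alone cannot detect a rotated log; compare the inode and
# size with what was stored and start over when they disagree.
if ($ino != $prev_ino || $size < $offset) {
    warn "$log rotated or truncated; reading from the beginning\n"
        if $prev_ino != -1;
    $offset = 0;
}
seek $fh, $offset, SEEK_SET or die "seek $log: $!";

# Everything between the stored offset and EOF is new since the last run.
print while <$fh>;

# Remember where we stopped, and which file it was, for the next run.
my $new_offset = tell $fh;
close $fh;
open my $out, '>', $state or die "write $state: $!";
print $out "$new_offset $ino\n";
close $out;
```

Run it from cron (or whatever schedules the check) with the log path as the first argument; each invocation prints only the alerts added since the previous one. Memory use is one line at a time rather than two full copies of the log, which is the difference the 25 MB concern above is about.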