in reply to Help with Snort and File::Tail

    use strict;
    use warnings;
    use File::Tail;

    my $tail = File::Tail->new("/some/log/file");

    # Collect lines until Snort's "=+=+=..." separator line, then hand the
    # finished alert to process_alert (yours to write) as an array reference.
    my @alert;
    while (defined(my $line = $tail->read)) {   # read blocks until the next line arrives
        if ($line =~ /^=\+=/) {
            process_alert(\@alert);
            @alert = ();
        } else {
            push @alert, $line;
        }
    }
    process_alert(\@alert) if @alert;   # a trailing alert with no separator after it

Re^2: Help with Snort and File::Tail
by Anonymous Monk on Jun 22, 2011 at 13:00 UTC
    Ah. This is pretty good. So in the process_alert, it would just be tailored to process ONE of the alerts rather than a whole group?

      You asked how to "read each alert". You haven't been clear as to what you consider an alert, but I presume what you posted is an example of one. If that's the case, then I gave code that does what you ask.

      Even less clear is "I read @array = <SNORTFILE> so this would be in an array format.", which I took to mean you wanted the alert in an array, one element per line. It would be just as easy to extract each alert as a (multiline) string, if that's what you prefer.

      You also asked how to parse the alert, but you didn't specify what information you wanted to extract, so I didn't touch that.

        I posted the code I have on my initial post. If you're looking at it and see something you don't understand let me know. Otherwise I don't care too much about conventions and stuff. I'll worry about making some subroutines and stuff like that after I get everything working. But it seems to freeze or something and I can't figure out why...
Re^2: Help with Snort and File::Tail
by Anonymous Monk on Jun 22, 2011 at 13:06 UTC
    And this might be a really stupid question but what is the \ in process_alert(\@alert)? Is that how you pass in a parameter in Perl? (Sorry, total novice).

      \@alert creates a reference to the array @alert, and the reference is indeed being passed as an argument to a to-be-provided sub process_alert.

Re^2: Help with Snort and File::Tail
by Anonymous Monk on Jun 22, 2011 at 15:03 UTC

    Another probably stupid question.... What is the process_alert(\@alert) if @alert;? Is this not a subroutine? Can I just do

    sub process{ my @array = @_; }

      Yes, you can do that. ikegami's code passed a reference to the array, which is better if the array is large, or necessary if you are passing multiple arguments (e.g. multiple arrays) to a function. I'm not sure it matters here. And then the sub would be something like:
      sub process {
          my $alert = shift;
          print "$_" for @$alert;
          # Or (since I'm not sure what you're doing with this)
          for my $line (@$alert) {
              # process $line of alert
          }
      }
      If you're asking about the 'if @alert' part, then that's just like:
      if (@alert) { process(@alert) }
      and the array (@alert) is true in boolean context if it contains any elements (false if it has zero, of course).
        Ahhh. I see, that was very helpful. Thank you. Would this add to the end of an output file if at the end of my sub I just do like "print WRITEFILE xxxx"? When I ran the perl script on the same document twice (before I implemented this File::Tail stuff) the 2nd time it overwrote the first part in WRITEFILE. How can I ensure every new alert gets added to the end of the output file rather than the most recent alert overwriting the older ones?
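Pulling the thread together in one runnable script: the separator-split loop with the array reference and the `if @alert` test, a process_alert that actually pulls fields out of a Snort alert_full block, and an output file opened in append mode so a second run adds to the first instead of wiping it. This is an added example written for this page, not code from any of the posters; the output file name, the Snort alert path in the closing comment, and the sample alert text are assumptions. The line source is abstracted into a code ref so the same loop runs offline over the embedded sample and, in production, over File::Tail.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Handle;   # autoflush() on older Perls

# Constructed sample in Snort's alert_full layout: two alerts, each ended by
# the "=+=+=..." separator line that the thread's regex keys on. SIDs,
# addresses and messages are made up for this example.
my $sample = <<'END_SAMPLE';
[**] [1:1000001:2] EXAMPLE Suspicious HTTP request [**]
[Classification: Web Application Attack] [Priority: 1]
06/22-13:00:01.123456 10.0.0.5:54321 -> 192.168.1.10:80
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:60 DF
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
[**] [1:1000002:1] EXAMPLE DNS query for blocklisted domain [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
06/22-13:00:05.000001 10.0.0.7:40000 -> 8.8.8.8:53
UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:70
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
END_SAMPLE

# The split loop from the reply above, with the line source abstracted:
# $next_line is a code ref returning the next line, or undef at end of input.
# Each finished block goes to $on_alert as an array ref (\@alert). That ref
# points at the same array that is emptied right afterwards, so the callback
# must use or copy the lines immediately rather than keep the ref around.
sub read_alerts {
    my ($next_line, $on_alert) = @_;
    my @alert;
    while (defined(my $line = $next_line->())) {
        chomp $line;
        if ($line =~ /^=\+=/) {
            $on_alert->(\@alert) if @alert;   # an array is true when non-empty
            @alert = ();
        } else {
            push @alert, $line;
        }
    }
    $on_alert->(\@alert) if @alert;           # last block had no separator
}

# Extract fields from one alert block (the array ref read_alerts hands over)
# into a hashref. Fields that do not appear in the block stay undef.
sub parse_alert {
    my $lines = shift;
    my %a;
    for my $line (@$lines) {
        if ($line =~ /^\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]/) {
            @a{qw(gid sid rev msg)} = ($1, $2, $3, $4);
        }
        elsif ($line =~ /^\[Classification:\s*(.*?)\]\s*\[Priority:\s*(\d+)\]/) {
            @a{qw(class priority)} = ($1, $2);
        }
        elsif ($line =~ m{^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+
                          (\S+?)(?::(\d+))?\s+->\s+(\S+?)(?::(\d+))?$}x) {
            @a{qw(time src sport dst dport)} = ($1, $2, $3, $4, $5);
        }
        elsif ($line =~ /^(TCP|UDP|ICMP)\s+TTL:/) {
            $a{proto} = $1;
        }
    }
    return \%a;
}

# Open the output file once, in append mode. '>>' adds to the end of the
# file; '>' truncates it on every open, which is what makes a second run
# erase the first run's lines. Autoflush pushes each line out as it is
# written, which matters when the tail loop runs for hours.
my $out_path = 'parsed_alerts.txt';   # assumed name, not from the thread
open(my $out, '>>', $out_path) or die "cannot append to $out_path: $!";
$out->autoflush(1);

my $count = 0;
my $handle_alert = sub {
    my $a = parse_alert(shift);
    $count++;
    printf {$out} "%s %s %s:%s -> %s:%s sid=%s pri=%s %s\n",
        map { defined $_ ? $_ : '-' }
        @{$a}{qw(time proto src sport dst dport sid priority msg)};
};

# Offline demo: feed the constructed sample through an in-memory filehandle.
open(my $in, '<', \$sample) or die "cannot open sample: $!";
read_alerts(sub { scalar <$in> }, $handle_alert);
close $out or die "cannot close $out_path: $!";
print "appended $count alerts to $out_path\n";

# Live use is the same loop with File::Tail as the line source. File::Tail's
# read blocks until the next line is appended, so this call never returns:
# the script keeps running, and the post-loop "if @alert" call inside
# read_alerts is never reached. All per-alert work has to live in the callback.
#   use File::Tail;
#   my $tail = File::Tail->new('/var/log/snort/alert');   # path is an assumption
#   read_alerts(sub { $tail->read }, $handle_alert);
```

The regex for the address line deliberately makes the port optional, so ICMP alerts (which Snort prints without ports) still parse; anything the regexes do not recognise is left undef and printed as '-', so a malformed block cannot abort the long-running loop.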