How can I generate an immediate pop-up when traffic matches a Snort rule

Views: 179

Question

I am using Snort on my desktop and I want to see a pop-up window when a rule is triggered. I wrote my own rules in local.rules. I don't use any e-mail system, so please ignore the mail option. Logs are in the /var/log/snort/alerts file. Is there any way to achieve this? When an alert is written to this file I want to see a graphical warning. I tried to write a bash script that checks the alerts file and, when the hash changes, pops up the last 10 lines with notify-send, but I couldn't achieve that. Please, can you help me?
Regards

Recommended answer

I think you could do something like the following:

#!/bin/sh

# Get current line count
LINES=$(wc -l /var/log/snort/alerts | tr -d -c 0-9)

while true
do
    NEWCOUNT=$(wc -l /var/log/snort/alerts | tr -d -c 0-9)   # Get new line count
    if [ "$LINES" != "$NEWCOUNT" ]
      then
        DIFF=$(expr "$NEWCOUNT" - "$LINES")                   # Get the difference
        LINES=$NEWCOUNT                                        # Set the line count to the new count
        COMMAND="$(tail -n "$DIFF" /var/log/snort/alerts)"     # Get the new lines (the original read a file called "alert" in the current directory, not the alerts log)
        notify-send "$DIFF new alerts: $COMMAND"               # Raise the pop-up; the echo around it did nothing useful
    fi
    sleep 5  # Sleep 5 seconds between checks (the original slept only inside the if, so the loop spun at full speed when nothing changed)
done

This will check for new alerts every 5 seconds; if you want it to check constantly you can remove the sleep, but you may want to use a second or something. I'm no expert in bash, so there may be some cleaning up that you could do with this. One problem is that if there are multiple new alerts then notify-send will put the alerts on one line. I couldn't find a way around this, but you might be able to with some modifications, or you can just remove the second part and have the alert tell you there are new alerts without displaying them.
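The answer above notes two weak spots: several alerts arriving in one poll interval are squashed into a single notification, and nothing handles the alert file shrinking when it is rotated. The script below is an added example, written for this page; it is neither the answer's script nor the asker's. It polls the same file the question names (/var/log/snort/alerts, overridable through ALERT_FILE), raises one notify-send pop-up per new alert line, treats a shrunken file as entirely new, and falls back to printing on stdout when notify-send is not installed. The function names, the POLL_SECONDS variable and the --watch flag are this example's own conventions.

```shell
#!/bin/sh
# Added example, not the original answer's script. Polls the Snort alert
# file (path from the question; override with ALERT_FILE) and raises one
# desktop notification per new alert line, so several alerts arriving in
# one poll interval are not collapsed into a single message. If the file
# shrinks (log rotation or truncation) every line in it is treated as new.
# Without notify-send (e.g. no desktop session) it prints to stdout instead.

ALERT_FILE="${ALERT_FILE:-/var/log/snort/alerts}"
POLL_SECONDS="${POLL_SECONDS:-5}"

# count_lines FILE: number of lines in FILE, 0 if it does not exist yet
count_lines() {
    if [ -f "$1" ]; then
        wc -l < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# new_lines FILE SEEN [TOTAL]: print the lines after the first SEEN lines.
# TOTAL is the line count the caller already measured (so lines appended
# between counting and reading are not silently skipped); if omitted it
# is measured here.
new_lines() {
    file="$1"; seen="$2"; total="$3"
    if [ -z "$total" ]; then
        total=$(count_lines "$file")
    fi
    if [ "$total" -lt "$seen" ]; then
        seen=0      # file was rotated or truncated: report everything
    fi
    tail -n +"$((seen + 1))" "$file" | head -n "$((total - seen))"
}

# notify SUMMARY BODY: pop-up via notify-send, or stdout when unavailable
notify() {
    if command -v notify-send >/dev/null 2>&1; then
        notify-send -u critical "$1" "$2"
    else
        printf '%s: %s\n' "$1" "$2"
    fi
}

# watch_alerts: poll forever, one notification per new alert line
watch_alerts() {
    seen=$(count_lines "$ALERT_FILE")
    while true; do
        total=$(count_lines "$ALERT_FILE")
        if [ "$total" -ne "$seen" ]; then
            new_lines "$ALERT_FILE" "$seen" "$total" |
            while IFS= read -r line; do
                notify "Snort alert" "$line"
            done
            seen=$total
        fi
        sleep "$POLL_SECONDS"
    done
}

# Run the watcher only when asked, so the functions can also be sourced:
#   ./snort_popup.sh --watch
if [ "${1:-}" = "--watch" ]; then
    watch_alerts
fi
```

Run it as `./snort_popup.sh --watch` from the desktop session that should receive the pop-ups; the user running it needs read access to the alert file. Passing the summary and body to notify-send as two arguments keeps the rule message readable in the pop-up, and the TOTAL argument to new_lines is what makes the counter race-free under load: the watcher measures the file once, reads exactly that many lines, and only then advances seen.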
