
I am using Snort on my desktop and I want to see a pop-up window when a rule is triggered. I wrote my own rules in local.rules. I don't use any e-mail system, so please ignore the mail option. Logs are in the /var/log/snort/alerts file. Is there any way to achieve this? When an alert is written to this file I want to see a graphical warning. I tried to write a bash script that checks the alerts file and, when the hash is changed, pops up the last 10 lines with notify-send, but I couldn't achieve that. Please can you help me? Regards

hsevinc

1 Answer


I think you could do something like the following:

#!/bin/sh

ALERT_FILE=/var/log/snort/alerts

#Get current line count
LINES=$(wc -l < "$ALERT_FILE" | tr -d -c 0-9)

while true
do
    NEWCOUNT=$(wc -l < "$ALERT_FILE" | tr -d -c 0-9)   #Get new line count
    if [ "$NEWCOUNT" -lt "$LINES" ]
      then
        LINES=$NEWCOUNT                       #File shrank (truncated/rotated): resync the count
    elif [ "$NEWCOUNT" -ne "$LINES" ]
      then
        DIFF=$(expr "$NEWCOUNT" - "$LINES")   #Get the difference
        LINES=$NEWCOUNT                       #Set the line count to the new count
        NEW=$(tail -n "$DIFF" "$ALERT_FILE")  #Get the output of the new lines in the alert file
        notify-send "$DIFF new Snort alerts" "$NEW"   #first argument is the title, second the body
    fi
    sleep 5  #sleep 5 seconds between checks (outside the if, so the loop does not spin when idle)
done

This will check for new alerts every 5 seconds; if you want it to check constantly you can remove the sleep, but you may want to use a second or something. I'm no expert in bash, so there may be some cleaning up that you could do with this. One problem is that if there are multiple new alerts then notify-send will put the alerts on one line; I couldn't find a way around this, but you might be able to with some modifications, or you can just remove the second part and have the alert tell you there are new alerts without displaying them.

johnjg12
  • Thank you very much. I was looking for something like this. I will try to modify and improve this. Thanks again – hsevinc Feb 27 '15 at 11:59
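An added example, not part of the question or the answer above: instead of polling the line count, follow the alert file with `tail -F` and raise one notification per alert record, which also avoids the "all alerts on one line" problem. It assumes Snort is writing its "fast" one-line alert format to /var/log/snort/alerts (the path from the question; override it with the ALERT_FILE environment variable), and the two sample records embedded below are constructed for the demo and for checking the parser, not real captured alerts.

```shell
#!/bin/sh
# Added example (not from the original answer): follow the Snort alert file
# with tail -F and raise one desktop notification per alert record.
# Assumptions: alerts are written in Snort's "fast" output format (one line per
# alert), the file path defaults to /var/log/snort/alerts as in the question,
# and notify-send is available in the logged-in desktop session.

ALERT_FILE="${ALERT_FILE:-/var/log/snort/alerts}"

# Constructed sample records in fast format, used only by the demo branch and
# for checking the parser; they are not real captured alerts.
SAMPLE_ALERT_1='02/27-11:59:01.123456  [**] [1:1000001:1] LOCAL ICMP ping detected [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.1'
SAMPLE_ALERT_2='02/27-12:03:44.001200  [**] [1:1000002:2] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:44321 -> 192.168.1.10:22'

# Reduce one fast-format record to "[gid:sid:rev] message (proto) src -> dst".
# Prints nothing for lines that are not alert records (blank lines, garbage),
# so the caller can skip them instead of notifying on noise.
summarize_alert() {
    printf '%s\n' "$1" | sed -n \
        's/^.*\[\*\*\] \[\([0-9:]*\)\] \(.*\) \[\*\*\].* {\([A-Za-z]*\)} \(.*\)$/[\1] \2 (\3) \4/p'
}

# Map Snort's rule priority to a notify-send urgency level.
# Priority 1 is the most severe in Snort; a record without a priority is "low".
priority_to_urgency() {
    prio=$(printf '%s\n' "$1" | sed -n 's/.*\[Priority: \([0-9]*\)\].*/\1/p')
    case "$prio" in
        1) echo critical ;;
        2) echo normal ;;
        *) echo low ;;
    esac
}

# Raise a notification for one record; falls back to stdout when notify-send
# is not installed (e.g. when run from a plain terminal or a test).
notify_alert() {
    summary=$(summarize_alert "$1")
    [ -n "$summary" ] || return 0
    urgency=$(priority_to_urgency "$1")
    if command -v notify-send >/dev/null 2>&1; then
        notify-send -u "$urgency" "Snort alert" "$summary"
    else
        printf '[%s] %s\n' "$urgency" "$summary"
    fi
}

# Follow the file. -n 0 skips the existing backlog; -F (rather than -f) reopens
# the file after Snort or logrotate replaces it, which a plain -f would miss.
watch_alerts() {
    tail -n 0 -F "$1" | while IFS= read -r line; do
        notify_alert "$line"
    done
}

case "${1:-}" in
    watch) watch_alerts "$ALERT_FILE" ;;
    demo)  notify_alert "$SAMPLE_ALERT_1"; notify_alert "$SAMPLE_ALERT_2" ;;
esac
```

Run it as `sh snort-notify.sh watch` from the logged-in desktop user (the user needs read access to the alert file); starting it as root from a service will not reach the user's notification daemon, because notify-send talks to the session D-Bus. `sh snort-notify.sh demo` prints the two constructed records as they would be summarized. A rule that fires on every packet of a flood will produce one notification per packet, so for noisy rules either rate-limit in the loop or use Snort's own event thresholding (`event_filter`) so the log itself stays manageable.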