Question
I am using Snort on my desktop and I want to see a pop-up window when a rule is triggered. I wrote my own rules in local.rules. I don't use any e-mail system, so please ignore the mail option. Logs are in the /var/log/snort/alerts file. Is there any way to achieve this? When an alert is written to this file I want to see a graphical warning. I tried to write a bash script that checks the alerts file and, when the hash changes, pops up the last 10 lines with notify-send, but I couldn't achieve that. Please can you help me? Regards
Answer 1:
I think you could do something like the following:
#!/bin/sh
# Get the current line count of the alert file
LINES=`wc -l /var/log/snort/alerts | tr -d -c 0-9`
while true
do
    NEWCOUNT=`wc -l /var/log/snort/alerts | tr -d -c 0-9` # Get the new line count
    if [ "$LINES" != "$NEWCOUNT" ]
    then
        DIFF=`expr $NEWCOUNT - $LINES` # Get the difference
        LINES=$NEWCOUNT # Set the line count to the new count
        COMMAND="$(tail -n "$DIFF" /var/log/snort/alerts)" # Get the new lines from the alert file (same path as above, not a relative "alert")
        notify-send "$DIFF new alerts: $COMMAND"
    fi
    sleep 5 # Sleep 5 seconds between checks (outside the if, so the loop does not spin when nothing changed)
done
This will check for new alerts every 5 seconds; if you want to have it check constantly you can remove the sleep, but you may want to use a second or something. I'm no expert in bash, so there may be some cleaning up that you could do with this. One problem is that if there are multiple new alerts then notify-send will put the alerts on one line. I couldn't find a way around this, but you might be able to with some modifications, or you can just remove the second part and have the alert tell you there are new alerts without displaying them.
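A more robust version of the same line-count polling approach, added here as an example and not part of the original answer: it raises one notification per new alert line instead of cramming all of them into a single summary, extracts the SID and rule message from a Snort fast-format alert line, treats a shrinking file as a log rotation, and falls back to stdout when notify-send is not installed. The file path and 5-second interval are taken from the question; the sample alert line in the comment is constructed, and the ALERT_FILE/INTERVAL variables and the --watch flag are this example's own conventions.

```shell
#!/bin/sh
# Added example, not the original answer's code. Polls the Snort alert file by
# line count and raises one desktop notification per new alert line.
# Assumptions: fast-style alert lines in /var/log/snort/alerts (path from the
# question), notify-send from libnotify on PATH (falls back to stdout).

ALERT_FILE="${ALERT_FILE:-/var/log/snort/alerts}"
INTERVAL="${INTERVAL:-5}"

# count_lines FILE -> number of lines (0 if the file does not exist yet)
count_lines() {
    [ -f "$1" ] || { echo 0; return; }
    wc -l < "$1" | tr -d ' '
}

# new_lines FILE OLDCOUNT NEWCOUNT -> only the lines appended since OLDCOUNT
new_lines() {
    tail -n "+$(( $2 + 1 ))" "$1" | head -n "$(( $3 - $2 ))"
}

# alert_summary LINE -> "gid:sid:rev message" from a fast-format alert line, e.g.
# (constructed) '03/04-12:00:00.000000  [**] [1:1000001:0] LOCAL test [**] [Priority: 3] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80'
# prints nothing if the line does not look like an alert header
alert_summary() {
    printf '%s\n' "$1" | sed -n 's/.*\[\*\*\] \[\([0-9:]*\)\] \(.*\) \[\*\*\].*/\1 \2/p'
}

# notify TEXT -> desktop pop-up if notify-send exists, otherwise print to stdout
notify() {
    if command -v notify-send >/dev/null 2>&1; then
        notify-send -u critical "Snort alert" "$1"
    else
        printf 'ALERT: %s\n' "$1"
    fi
}

# watch_alerts -> loop forever, notifying once per newly appended alert line
watch_alerts() {
    last=$(count_lines "$ALERT_FILE")
    while :; do
        now=$(count_lines "$ALERT_FILE")
        if [ "$now" -lt "$last" ]; then
            last=0   # file was rotated or truncated: re-read from the start
        fi
        if [ "$now" -gt "$last" ]; then
            new_lines "$ALERT_FILE" "$last" "$now" | while IFS= read -r line; do
                summary=$(alert_summary "$line")
                notify "${summary:-$line}"   # fall back to the raw line
            done
            last=$now
        fi
        sleep "$INTERVAL"
    done
}

# Usage: sh snort-notify.sh --watch   (functions above can also be sourced)
if [ "${1:-}" = "--watch" ]; then
    watch_alerts
fi
```

Polling by line count is cheap but it can miss nothing only if Snort appends whole lines before the next check; if you need lower latency than a 1-second poll, the usual replacement is an inotify-based watcher, which is outside what this page covers.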
Source: https://stackoverflow.com/questions/28676484/how-can-i-generate-immediate-pop-up-when-a-traffic-matched-with-a-snort-rule