[Oisf-devel] filemd5?
Brant Wells
bwells at tfc.edu
Thu Feb 16 20:05:46 UTC 2012
On Thu, Feb 16, 2012 at 2:36 PM, Victor Julien <victor at inliniac.net> wrote:
> On 02/16/2012 08:08 PM, Brant Wells wrote:
> >>
> >>>> The first one: a growing single file or socket of JSON lines which a
> >>>> script can read from and execute actions based on. I'd be happy to
> >>>> write such a script for plugins like CIF, Virustotal and malwr.com.
> >>
> >
> > I submitted a (set) of scripts to the list a few days ago, but have not
> > heard anything back. I had the scripts attached as text files to the
> > message (are we not allowed to do that?).
>
> There are no pending moderator request. Are you sure you sent it to the
> correct list?
That's always possible... I've reattached them to this email. I have been
using the scripts for several weeks now. The surilog script is where the
magic happens with the FIFO, et al.
The startsuricata is a script I use for starting Surilog, Suricata (and
BY2) since I'm terrible with init scripts, lol.
And the logrotate one is for log rotation. I have mine set at 300megs /
daily.
See if those will work for what he's wanting.
Thanks!
~Brant
-------------- next part --------------
#!/bin/bash
# startsuricata: regenerate rule maps, then (re)start barnyard2, surilog and Suricata.
# Build the auto-disable list and the sid-msg map from the current rule set.
makesidex.pl /etc/suricata/rules > /etc/suricata/oink.autodisable.conf
#oinkmaster.pl -C /etc/suricata/oinkmaster.conf -C /etc/suricata/oink.autodisable.conf -o /etc/suricata/rules/ > /tmp/oinkupdate.log
#oinkmaster.pl -C /etc/suricata/oinkmaster.conf -C /etc/suricata/oink.autodisable.conf -o /etc/suricata/rules/
create-sidmap.pl /etc/suricata/rules > /etc/suricata/sid-msg.map
# Stop any running instances before starting fresh ones.
killall barnyard2
killall -9 surilog
# Barnyard2 reads the unified2 spool and daemonizes (-D); the waldo file tracks its position.
barnyard2 -c /etc/suricata/barnyard2.conf -f unified2.alert -l /var/log/suricata -o -w /etc/suricata/bylog.waldo -D
killall -9 suricata
# surilog must be started before Suricata so a reader is attached to the FIFO (expected on $PATH).
surilog &
suricata -i eth0 --init-errors-fatal -c /etc/suricata/suricata.yaml -D
-------------- next part --------------
#!/bin/bash
# surilog: drain Suricata's http.log FIFO into a regular file that logrotate can manage.
LOGSOURCE="/var/log/suricata/http.log"
LOGFILE="/var/log/suricata/http_log.log"

# Make sure the source is a named pipe; replace whatever else is at that path.
if [ ! -p "$LOGSOURCE" ]; then
    echo "FIFO buffer not found, creating it at $LOGSOURCE ...."
    rm -f "$LOGSOURCE"
    mkfifo "$LOGSOURCE"
fi

echo "Reading from $LOGSOURCE ...."
# Keep the FIFO open for the whole life of each writer. Opening it once per
# line would close the reader between lines, and the writer's next write
# would fail with EPIPE. When the writer closes (EOF), reopen and wait for
# the next one.
while true
do
    while IFS= read -r line
    do
        printf '%s\n' "$line" >> "$LOGFILE"
    done < "$LOGSOURCE"
done
-------------- next part --------------
# Rotate the file surilog writes (not the FIFO itself).
/var/log/suricata/http_log.log
{
    rotate 30
    daily
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    # Rotate daily or as soon as the file reaches 300M, whichever comes first.
    size 300M
    postrotate
        # surilog appends with >> per line, so it picks up the new file by itself.
        invoke-rc.d rsyslog reload >/dev/null 2>&1 || true
    endscript
}
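The request quoted at the top of the thread is for "a growing single file or socket of JSON lines which a script can read from and execute actions based on". The following is an added example of such a consumer, written for this page rather than taken from the thread's attachments or from the Suricata project: it reads one JSON object per line, normalises the MD5, matches it against a local blocklist and returns an action per record. The record field names it expects (`md5`, `filename`, `srcip`, `dstip`, `http_host`, `size`) and the blocklist entry are assumptions; the sample lines and the blocklist are constructed for the demonstration and must be replaced with the real log format and a real hash set.

```python
#!/usr/bin/env python3
"""Consumer for a growing file or FIFO of JSON lines describing files seen
by the IDS, dispatching a defensive action per record by MD5.

Added example for this thread, not one of the attached scripts. The record
field names ("md5", "filename", "srcip", "dstip", "http_host", "size") are
assumed and must be checked against the actual log format in use.
"""
import json
import re
import sys
from typing import Dict, Iterable, List, Optional

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed local blocklist keyed by lowercase MD5. The single entry is the
# MD5 of the empty file, used purely as a placeholder value.
KNOWN_BAD_MD5: Dict[str, str] = {
    "d41d8cd98f00b204e9800998ecf8427e": "placeholder-empty-file",
}

# Constructed sample records (one JSON object per line, plus one bad line)
# in the shape such a log is assumed to have.
SAMPLE_LINES: List[str] = [
    '{"timestamp": "02/16/2012-20:05:46", "srcip": "10.0.0.5", "dstip": "10.0.0.9",'
    ' "http_host": "example.test", "filename": "/setup.exe",'
    ' "md5": "d41d8cd98f00b204e9800998ecf8427e", "size": 0}',
    '{"timestamp": "02/16/2012-20:05:47", "srcip": "10.0.0.5", "dstip": "10.0.0.9",'
    ' "http_host": "example.test", "filename": "/index.html", "size": 512}',
    "this line is not JSON and must not stop the consumer",
    '{"timestamp": "02/16/2012-20:05:48", "srcip": "10.0.0.7", "dstip": "10.0.0.9",'
    ' "filename": "/a.bin", "md5": "D41D8CD98F00B204E9800998ECF8427E", "size": 0}',
]


def parse_record(line: str) -> Optional[dict]:
    """Return the JSON object on this line, or None if the line is not one."""
    try:
        obj = json.loads(line)
    except ValueError:
        return None
    return obj if isinstance(obj, dict) else None


def decide_action(record: dict, blocklist: Dict[str, str]) -> dict:
    """Map one record to an action: alert (hash on the blocklist), log, or skip."""
    md5 = str(record.get("md5", "")).strip().lower()
    if not MD5_RE.match(md5):
        # No hash yet (file not complete, md5 not enabled) or a malformed value.
        return {"action": "skip", "reason": "no valid md5", "filename": record.get("filename")}
    if md5 in blocklist:
        return {
            "action": "alert",
            "md5": md5,
            "label": blocklist[md5],
            "srcip": record.get("srcip"),
            "dstip": record.get("dstip"),
            "filename": record.get("filename"),
        }
    return {"action": "log", "md5": md5, "filename": record.get("filename")}


def process_stream(lines: Iterable[str], blocklist: Dict[str, str]) -> List[dict]:
    """Process non-empty lines in order; malformed lines become 'drop' actions."""
    actions: List[dict] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        record = parse_record(line)
        if record is None:
            actions.append({"action": "drop", "reason": "malformed line"})
            continue
        actions.append(decide_action(record, blocklist))
    return actions


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        # Works for a regular file or a FIFO: open() on a FIFO blocks until a
        # writer connects and the loop ends when the writer closes, so run it
        # under a supervisor that reopens, as the surilog shell loop does.
        with open(argv[1], "r", encoding="utf-8", errors="replace") as fh:
            actions = process_stream(fh, KNOWN_BAD_MD5)
    else:
        actions = process_stream(SAMPLE_LINES, KNOWN_BAD_MD5)
    for act in actions:
        print(json.dumps(act))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to process the embedded sample, or with the path of the JSON log (file or FIFO) as the first argument. The "alert" action is where a plugin hook (a CIF or VirusTotal lookup, as mentioned earlier in the thread) would be called; keeping the decision in `decide_action` and the I/O in `main` makes that hook testable without a live FIFO.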