Since I am doing custom code I thought it would be better to post here instead of the users list.
So far I have the log parsing working perfectly as far as I know. But PFDetect keeps closing after it reaches the end of the log file. Here is the code I have put into the pfdetect file (I removed all the stock SNORT REGEX stuff):

    while (<$snortpipe_fh>) {

        # Commented this out to make the logs easier to read
        # $logger->info("alert received: $_");

        # if the record is an OSSEC record ignore it
        if (index($_,"OSSEC") == -1) {

            # split the string on the curly braces "{ }"
            my @Step1 = split(m/[{}](?![^{}!()]*\))/,$_);

            # The 5th element has the stuff we want, split that stuff up man!
            my @Step2 = split(" ",$Step1[4]);

            # There's the source IP
            $srcip=$Step2[0];

            # Wait, is that IP internal to my network? If not ignore that, violations sourced outside my network are useless
            my @IP = split('\.',$srcip);
            if ($IP[0] != 10) {next;}

            # Hey! There is the SNORT SID
            $sid=$Step2[6];

            # Looky! The description is here too!
            $descr=$Step1[3];

        } else {
            $logger->warn("unknown input: $_ ");
            next;
        }
        ...
        ... (All of this is still stock)
        ...
    }

All of this works, but I think what is happening is after it finishes processing the last record it closes the file and ends the process. How do I keep the process going and waiting for more input even after it processes the last record?

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221
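A sketch of the behaviour asked about above, added here as an example and not part of the original post or of PacketFence's own code: a read loop that polls for appended records instead of ending at end-of-file. It assumes the input is a regular file that another process appends to (a named pipe behaves differently, returning EOF when its last writer closes); `follow_log`, the temp file and the sample lines are all constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Handle;
use File::Temp qw(tempfile);

# Hypothetical helper: process every line currently in $fh, then wait for
# more instead of leaving the loop at end-of-file.
# $max_idle bounds this demo; a daemon would simply loop forever.
sub follow_log {
    my ($fh, $handler, $on_idle, $max_idle) = @_;
    my $idle = 0;
    while ($idle < $max_idle) {
        my $got = 0;
        while (my $line = <$fh>) {
            chomp $line;
            $handler->($line);
            $got = 1;
        }
        # readline hit EOF. Seeking to the current offset clears the
        # handle's EOF state so the next pass sees appended data.
        seek($fh, 0, 1);
        if ($got) { $idle = 0; next; }
        $idle++;
        $on_idle->();
    }
    return;
}

# Constructed demo: a temp file stands in for the alert log.
my ($writer, $path) = tempfile(UNLINK => 1);
$writer->autoflush(1);
print {$writer} "constructed alert line 1\n", "constructed alert line 2\n";

open(my $reader, '<', $path) or die "cannot open $path: $!";

my @seen;
my $appended = 0;
follow_log(
    $reader,
    sub { push @seen, $_[0] },
    sub {
        # Simulate the logger writing one more record after we reached EOF.
        print {$writer} "constructed alert line 3\n" unless $appended++;
        select(undef, undef, undef, 0.2);    # sleep 200 ms between polls
    },
    2,
);
print scalar(@seen), " lines processed\n";
```

A record that is still being written when the loop polls can be returned as a partial line without its trailing newline, so a handler feeding violations should only act on lines that ended in a newline.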