Hi all,
I had to work on a project using snort (a network intrusion detection tool) and needed a daily report on the events reported by snort. Logwatch being, for me, the best solution, I created a snort plugin, attached to this ticket. By default the plugin reports all events with priority 3 to 5. With --detail set to Med, priority 2 events are reported too, and High also reports priority 1.
Here is a sample report:
$ /usr/sbin/logwatch --service snort --range All --detail Med
################### Logwatch 7.5.6 (07/23/21) ####################
Processing Initiated: Sat Mar 18 09:27:28 2023
Date Range Processed: all
Detail Level of Output: 10
Type of Output/Format: stdout / text
Logfiles for Host: inspiron-14
##################################################################
--------------------- Snort Begin ------------------------
Priority 3:
-----------
16 times:
[01/17-15:31:21 +/-13 seconds] "PROTOCOL-ICMP PING", ICMP
2 times:
[01/17-15:31:25 +/-0 seconds] "(port_scan) TCP filtered portscan", TCP
[01/17-15:31:28 +/-0 seconds] "(arp_spoof) unicast ARP request", ARP
Priority 2:
-----------
3 times:
[01/18-09:58:57 +/-2 minute(s)] BAD-TRAFFIC same SRC/DST, UDP
1 times:
[01/18-10:01:07] BAD-TRAFFIC same SRC/DST, IPV6-ICMP
---------------------- Snort End -------------------------
###################### Logwatch End #########################
It works with snort 2.x and 3.x.
Hoping that it will be integrated in the next logwatch release.
Best regards
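The grouping the plugin performs (parse each snort alert, drop anything below the priority threshold implied by the --detail level, then count identical message/protocol pairs and report the time window they span) is shown below as an added example. It is not the attached plugin and not logwatch code: it is written in Python for illustration rather than as a drop-in Perl logwatch service. The alert lines are constructed to follow snort's alert_fast layout (Snort 3 quotes the rule message, Snort 2 does not), and the mapping from detail level to priority threshold (Low/Med/High as 0/5/10) is an assumption based on the behaviour described in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts (not a real capture) in snort's alert_fast layout.
# The last line is deliberately not an alert, to show that such lines are skipped.
SAMPLE_ALERTS = """\
01/17-15:31:08.104522  [**] [1:384:8] "PROTOCOL-ICMP PING" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.1
01/17-15:31:21.210011  [**] [1:384:8] "PROTOCOL-ICMP PING" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.1
01/17-15:31:34.006300  [**] [1:384:8] "PROTOCOL-ICMP PING" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.1
01/17-15:31:25.004100  [**] [122:3:1] "(port_scan) TCP filtered portscan" [**] [Priority: 3] {TCP} 192.168.1.9 -> 192.168.1.1
01/18-09:58:57.100000  [**] [1:528:5] BAD-TRAFFIC same SRC/DST [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.1 -> 10.0.0.1
01/18-10:01:07.000000  [**] [1:528:5] BAD-TRAFFIC same SRC/DST [**] [Classification: Potentially Bad Traffic] [Priority: 2] {IPV6-ICMP} fe80::1 -> fe80::1
01/18-11:12:13.000000  [**] [1:9999999:1] "CONSTRUCTED priority-1 alert" [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7 -> 192.168.1.1
Commencing packet processing (pid=4242)
"""

# One alert_fast line: timestamp, [**] [gid:sid:rev] message [**], optional
# classification, priority, {protocol}, src -> dst. The message may or may not be
# quoted, so the optional quotes sit outside the non-greedy capture.
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'"?(?P<msg>.*?)"?\s+\[\*\*\]\s+'
    r'(?:\[Classification: [^\]]*\]\s+)?'
    r'\[Priority: (?P<prio>\d+)\]\s+'
    r'\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)'
)


def min_priority_for_detail(detail: int) -> int:
    """Lowest priority number (i.e. most severe) that a detail level still shows.

    Assumption: logwatch's Low/Med/High map to 0/5/10. Default shows 3-5,
    Med adds priority 2, High adds priority 1 (as described in the post).
    """
    if detail >= 10:
        return 1
    if detail >= 5:
        return 2
    return 3


def parse_alerts(text: str) -> list:
    """Parse alert_fast lines; lines that do not match are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        # alert_fast omits the year; assume a leap year so 02/29 parses.
        a["when"] = datetime.strptime("2000/" + a["ts"], "%Y/%m/%d-%H:%M:%S")
        a["prio"] = int(a["prio"])
        alerts.append(a)
    return alerts


def summarize(text: str, detail: int = 0) -> dict:
    """Group alerts at or above the detail threshold.

    Returns {priority: {(message, protocol): {"count", "first", "last", "span_seconds"}}}.
    """
    threshold = min_priority_for_detail(detail)
    groups = defaultdict(lambda: defaultdict(list))
    for a in parse_alerts(text):
        if a["prio"] < threshold:
            continue
        groups[a["prio"]][(a["msg"], a["proto"])].append(a["when"])
    report = {}
    for prio, by_key in groups.items():
        report[prio] = {}
        for key, times in by_key.items():
            first, last = min(times), max(times)
            report[prio][key] = {
                "count": len(times),
                "first": first.strftime("%m/%d-%H:%M:%S"),
                "last": last.strftime("%m/%d-%H:%M:%S"),
                "span_seconds": (last - first).total_seconds(),
            }
    return report


def format_report(summary: dict) -> str:
    """Render in the same spirit as the plugin: highest priority number first."""
    out = []
    for prio in sorted(summary, reverse=True):
        out.append(f"Priority {prio}:")
        out.append("-----------")
        rows = sorted(summary[prio].items(), key=lambda kv: (-kv[1]["count"], kv[0]))
        for (msg, proto), info in rows:
            out.append(f'   {info["count"]} times: [{info["first"]} .. {info["last"]}, '
                       f'{info["span_seconds"]:.0f}s] "{msg}", {proto}')
    return "\n".join(out)


if __name__ == "__main__":
    for level in (0, 5, 10):
        print(f"--- detail {level} ---")
        print(format_report(summarize(SAMPLE_ALERTS, detail=level)))
```

The regex is deliberately strict: a line that is not a well-formed alert (daemon startup chatter, a truncated line) is dropped rather than miscounted, which is the behaviour you want from a summary that someone will read once a day. If your snort is configured to print the year in timestamps, the `ts` pattern and the strptime format need to be widened accordingly.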
Here is a new version of the patch with a fix to the time generation and fixes to the comments.
Thanks for submitting the files.