Best regards - and by the way, don't be afraid to ask (in this case or any other thread) what some code does, so next time you may have a better understanding how it is actually working, or how to approach a similar problem. The awk man page is very good as man pages go, but man pages don't always explain absolutely everything, especially when you're new to things like awk. So if anything (I have posted here) is a mystery to you, ask and I will be happy to explain.
Cheers.
Last edited by GrapefruiTgirl; 11-26-2010 at 02:07 PM.
OK, looks like you're a post or two behind me, so I'll wait to see how you make out with my previous offerings about the "COMMUNITY SIP" part. Meanwhile, as a test to see how many entries are in the alertpause file and clear it if it contains more than 10 entries, I might do something like this:
That uses `wc -l` to count the lines in the file; if there are more than 10 (-gt means "greater than"), it clears the file.
HOWEVER: If you wish to have entries steadily accumulating in the file, you will probably intend to use >> instead of > when you are outputting the awk results into the alertpause file. That way, by using >> it will not empty the file every time it writes to it; it will append instead.
Additional hint: you could also use `rm -f alertpause` to delete the file, instead of `echo > alertpause`.
Yippee.. Thank you again GrapefruiTgirl for your understanding of my situation.. I really really appreciate it.. Currently I'm a newbie in Linux, for about 3 months now, and it's still ongoing... I'm in love with this 'Penguin'.. yeah, about man pages, I have read a few things about awk and sed, and I'm still in the basic learning stage.. I've also read the book (Linux Shell Scripting with Bash - Ken O. Burtch) - this is a good book, I think, for a newbie like me... anyway thank you for your basic-to-expert suggestions.. you've made me go from zero to hero.. thanks again GrapefruiTgirl..
I'm still not sure yet about my code... whether it will work or not...
It will not work as is, no.
-- you omitted the "$" in front of the $(cat alertpause | wc -l)
-- you use a lowercase 's' first, then below, you used an uppercase "S". Careful of case! It is important.
-- you need a space between any [ or ] and the code within. So: [ $S ] instead of [$S ]
-- variable assignments must have no spaces. So: s=$(something...) instead of s = $(something)
-- you're missing an fi to go with the if statement.
-- you're counting the lines in the file, THEN overwriting it, THEN testing against the OLD line count, which is now invalid.
-- finally, I wonder, why do you check and delete the file immediately after just writing to it? Wouldn't you want to either examine the data before deleting the file, OR check the file FIRST to see if it has 10 entries, clear it if needed, and THEN dump new data into it? Maybe you plan it this way, but it doesn't make sense.
Last edited by GrapefruiTgirl; 11-26-2010 at 02:20 PM.
Code:
s = '$(cat alertpause | wc -l)'
awk 'BEGIN{RS="\n\n"; FS="\n"}
{
    gsub(" COMMUNITY","",$1);c=split($1,one," ");
    for (x=3;x<c;x++){printf one[x] " "};
    gsub("^.*] ","",$2); printf $2 " " $3 "\n";
}' snortlog > alertpause
if [$s > 10 ] ; then
    rm -f alertpause
else
    snortlog > alertpause
fi
yes, absolutely I would check it first - also I would like to send it with my python sms gateway program.
The algorithm/procedure should be like this:
Check the FILE FIRST to see if it has 10 entries
Call my python program (e.g. in /home/andrewraharjo/Desktop/sendingsms.py) to send the first 3 alerts in alertpause
Clear after 10 entries OR log the files into a new directory (e.g. alertpause.1)
here's my python sms code:
Code:
#!/usr/bin/env python
# Testing support for the Nokia 6610
# based on minicom and AT commands
# program to send a message
# Andrew Raharjo
import sys
import time
import serial

# helper for the serial port: send one AT command and return the reply lines
def command(device, cmd):
    device.flush()
    device.write(cmd)
    time.sleep(0.2)
    wait = device.inWaiting()
    read = device.read(wait)
    result = read.strip().split('\r\n')
    return result

def sendSMS(device, number, text):
    # check that AT command communication works
    command(device, 'AT\r')
    time.sleep(0.2)
    # OK
    # select text mode (AT+CMGF=1; AT+CMGF=0 would be Protocol Data Unit mode)
    command(device, 'AT+CMGF=1\r')
    time.sleep(0.2)
    # OK
    command(device, 'AT+CMGS="%s"\r' % (number))
    time.sleep(0.2)
    # OK
    # enter the text
    # (read from the file)
    command(device, '%s\n' % (text))
    time.sleep(0.2)
    # OK
    # end of the message
    command(device, chr(26))  # chr(26) is CTRL+Z, which terminates the message

# main program
if __name__ == '__main__':
    try:
        # take the number from the command-line input
        number = sys.argv[1]
        f = open('/home/andrewraharjo/Desktop/alertpause', 'r')  # here's the file alertpause that should be sent by sms
        text = f.read()
        # chr(26) CTRL+Z
    except:
        # what to do when no number has been given
        # text and usage for text
        print 'usage : %s <number> <text>' % (sys.argv[0])
        sys.exit(1)
    try:
        # open communication with the USB serial port
        # to comm from serial port
        dev = serial.Serial(port='/dev/ttyUSB0')
    except Exception, e:
        print e
        sys.exit(2)
    # sending sms
    #sendSMS(dev,number)
    sendSMS(dev, number, text)
    dev.close()
Last edited by andrapgm03; 11-26-2010 at 02:28 PM.
Is there a command called "snortlog", or is this the name of your script?
there isn't.. hmm.. it should be a command, shouldn't it? So how do I keep it logging to alertpause?
there's also another problem that I'm curious about: an sms is about 160 characters long, so what should I do to send the whole log in alertpause by sms (what I mean is parsing the sms into 2 parts if it has a long log message)?
OK, we're getting piled up with new aspects to the problem here.
Let's deal with the 160 character length, as well as moving files to alertpause.1, alertpause.2, etc.., and whatever that confusion is about "how to keep it logging", for later, after the existing code is sorted out.
Here's an example code that you should be able to tailor to suit whatever it is you're doing here, by inserting or moving the various parts around. The comments should help you:
Code:
#!/bin/bash
# check if 'alertpause' exists;
# see if there are more than 10 lines in the file:
# if there are, delete the file or whatever action you like.
if [ -f alertpause ]; then
    S=$(cat alertpause | wc -l)
    if [ $S -gt 10 ]; then
        : # this line can be removed if you put some real code inside this if/fi statement.
        # There are more than 10 entries in the file. Do something here, such
        # as maybe run that python program.
    fi
fi
# let's touch the alertpause file to make sure it exists, so we don't get a
# file not found error from awk later:
touch alertpause
# now run the awk, and dump new data into alertpause file. We will APPEND
# the data to any pre-existing file, i.e. if the file did not get deleted
# at the start, we will now add some more lines to it:
awk 'BEGIN{RS="\n\n"; FS="\n"}
{
    gsub(" COMMUNITY","",$1);c=split($1,one," ");
    for (x=3;x<c;x++){printf one[x] " "};
    gsub("^.*] ","",$2); printf $2 " " $3 "\n";
}' snortlog >> alertpause
# Now, if you like, let's display our new alertpause file on screen, using `less`.
# you could do whatever you want with the file.. Maybe use that python program now??
less alertpause
# Done
Use that as some sort of template perhaps.
For the record, I know next to zero Python, so if you end up needing help with that, you probably will need a new thread and a new assistant for it.
here's the overall idea:
Code:
snort running in daemon mode and logging @/var/log/snort/alert
if (there's an attack)
    alert parsed by bash command
    alert saved @/var/log/snort/alertpause
    if (alertpause <= 160 character alert)
        sent by sms python-calling python sending sms procedure
    else
        parse the file into 2 sms
    if (alertpause <=10 trigger alert)
        Log into alertpause.1
    else
        remove the files
    fi
snort keep running in daemon mode
all the scripts run in daemon mode so it would run automatically
Last edited by andrapgm03; 11-28-2010 at 12:06 PM.
LOL..... it's no problem about Python.. All I want to do is share my code and my idea.. You've helped me a lot, and I'm very very pleased about it... I've been learning this stuff for 6 months now.. and nobody here understands my big problem.. Thanks for the help and for the template.. I will try..
You should be able to use the latest script I posted above, and adjust it and add things to it, to produce at least very close to working code, to perform the routine you mention above. Put your code together, insert comments (as place fillers) for items that you don't know how to do, and I or someone else will try to continue to help as time allows. Mind you it's Friday evening in much of the world, so fewer people tend to be sitting around on their computers, and on LQ, available to help, so be patient.
Good luck - I'll have a look later on and see what's up!
Well I have read through all that has been going on a few times and as far as I can tell my following question has not yet been addressed:
I believe that the snortlog is ever growing, so each time you execute the awk script part you will not only get more than 10 entries but (assuming we run from first creation of the log file) the first 10 entries will always be the same ones. So my question is, shouldn't you be utilising tail at some point to only deliver the most recent 10 entries?
One item I would like to add is an adjustment to the following (which may no longer be around based on GGirl's last script), but when zeroing a file to no entries, the following:
Code:
echo > alertlog
This will create a single line blank entry in the file. May I suggest:
Code:
: > alertlog
You can test the difference with:
Code:
wc -l alertlog
I bring this up as if you keep the following test:
Code:
S=$(cat alertpause | wc -l)
if [ $S -gt 10 ]; then
This will be true with only 9 real entries and a blank line at the top.
yes, the idea of snort alerts being logged to a new single file is a big problem here.. I tried many times - manipulating Grape's script - and I've found a lot of curiosities with my snort alerting. It will appear and add a new alert, so my big question is "What should I do to run a reading script that goes on with snort's running alerts?"
Probably this is the breakdown algorithm:
Code:
new snort alert @/var/log/snort/alert
while (there's a new line on snort alert)
do
    print the last line on alertpause
    call python sms program
    if (alertpause > 10 entries)
    then
        remove alertpause
    else
        keep logged and printed in [new format]
Should I make a new bash script for this main alert ?
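Pulling together the plan from the earlier posts (check alertpause first, rotate it after 10 entries, send only what is new rather than re-reading the growing log, split long alerts into 160-character SMS parts, and the `: >` versus `echo >` blank-line point), here is an added example of that routine as shell functions; it is not code from the thread or from any of its participants. MAX_ENTRIES, SMS_LEN, the `.seen` state file and the SMS_SENDER path are assumed names for illustration.

```bash
#!/bin/bash
# Added example (not from the thread): check alertpause first, rotate it after
# MAX_ENTRIES lines, deliver only lines added since the last run, and split
# long alerts into SMS-sized parts. MAX_ENTRIES, SMS_LEN, the ".seen" state
# file and SMS_SENDER are assumed names used for illustration only.

MAX_ENTRIES=10     # rotate alertpause once it holds more than this many lines
SMS_LEN=160        # characters per SMS part
SMS_SENDER=${SMS_SENDER:-/home/andrewraharjo/Desktop/sendingsms.py}

# Line count of a file, 0 if it does not exist. Note that ': > file' leaves
# 0 lines while 'echo > file' leaves one blank line that wc -l still counts.
count_entries() {
    [ -f "$1" ] || { echo 0; return; }
    wc -l < "$1" | tr -d ' '
}

# Move alertpause to alertpause.1 when it is over MAX_ENTRIES, then start it
# empty again. Prints "rotated" or "kept" so the caller can branch on it.
rotate_if_full() {
    if [ "$(count_entries "$1")" -gt "$MAX_ENTRIES" ]; then
        mv -f "$1" "$1.1"
        : > "$1"
        echo rotated
    else
        echo kept
    fi
}

# Print only the lines appended since the previous call. The number of lines
# already handled is kept in "$1.seen", so the growing file is not re-sent
# from the top each time; a shrunken (rotated) file resets the counter.
new_entries() {
    local seen=0 total
    [ -f "$1" ] || return 0
    [ -f "$1.seen" ] && seen=$(cat "$1.seen")
    total=$(count_entries "$1")
    [ "$total" -lt "$seen" ] && seen=0
    tail -n "+$((seen + 1))" "$1"
    echo "$total" > "$1.seen"
}

# Split one alert line into SMS-sized parts, one part per output line.
split_sms() {
    printf '%s\n' "$1" | fold -w "$SMS_LEN"
}

# Send each new alert as one or more SMS parts through the python program,
# which is assumed to take the number and the text as its two arguments.
send_new_alerts() {
    local file=$1 number=$2
    new_entries "$file" | while IFS= read -r alert; do
        [ -n "$alert" ] || continue
        split_sms "$alert" | while IFS= read -r part; do
            python "$SMS_SENDER" "$number" "$part"
        done
    done
}
```

Running `rotate_if_full alertpause` before the awk append and `send_new_alerts alertpause "<number>"` after it gives the check-first, send-new-only order discussed above.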
here's my manipulation of the code, please correct me if I'm wrong
Code:
#!/bin/bash
# check if 'alertpause' exists;
# see if there are more than 10 lines in the file:
# if there are, delete the file or whatever action you like.
if [ -f alertpause ]; then
    # count the lines; piping wc's output into echo would replace the count
    S=$(cat alertpause | wc -l)
    if [ $S -gt 10 ]; then
        #how to run python program in here ? calling python maybe ?python /home/andrewraharjo/belajar-python/smsgateway.py "<cellphone number>"
        : # this line can be removed if you put some real code inside this if/fi statement.
        # There are more than 10 entries in the file. Do something here, such
        # as maybe run that python program.
    fi
fi
# let's touch the alertpause file to make sure it exists, so we don't get a
# file not found error from awk later:
touch alertpause
# now run the awk, and dump new data into alertpause file. We will APPEND
# the data to any pre-existing file, i.e. if the file did not get deleted
# at the start, we will now add some more lines to it:
awk 'BEGIN{RS="\n\n"; FS="\n"}
{
    gsub(" COMMUNITY","",$1);c=split($1,one," ");
    for (x=3;x<c;x++){printf one[x] " "};
    gsub("^.*] ","",$2); printf $2 " " $3 "\n";
}' snortlog >> alertpause
# Now, if you like, let's display our new alertpause file on screen, using `less`.
# you could do whatever you want with the file.. Maybe use that python program now??
less alertpause