Ok, since i am scripting first-timer i want to apology in advance if any of my ideas are way off.

What i am trying to achieve is a script that can listen for alerts from snort. When snort triggers an alert then i want my script to do nothing for X seconds, and after that period of time i want the script to copy a bunch of files (tcpdump-files and possibly the snort-log) to a newly created folder.

So in some sort of meta-code i am trying to achieve something like this:

If/When snort triggers an alert
{
Wait 5 minutes
Create a new folder /A/B/N (here i would need to name the folder in YYMMDD-HHMM format i believe)
Copy all files at /S/D/ to /A/B/N
Copy file F to /A/B/N
}

So the next time snort triggers an alert this script would create yet another folder and copy the files i want to that folder.

So, does anyone of you know if this is possible using shellscript?
If it is, can anyone perhaps show an example or help me in any way ?

Thanks in advance !

/F

Definitely possible. Use the date command to get the YYMMDD-HHMM format. Then use cp to copy the files across. Something like this:

while true; do
   if [ alert_triggerred -eq 1 ]; then
      sleep 300   # sleep for five minutes
      datestamp=$(date +%y%m%d%H%M)
      mkdir /path/to/dest/$datestamp  # create directory as reqd.
      # you can also run anything else that you require here
      cp /path/to/source/* /path/to/dest/$datestamp/  # copy reqd. files
      cp /path/to/single_file /path/to/dest/$datestamp/
      # or here or anywhere else in the loop
   fi
done

Wow!

I managed to get the file and folder handling working. And when i came back to this computer i saw that your code snippet did the same thing in about one third of the number of lines that I had so needles to say im going to use your version.

Thank you very much for your help. (The feeling when these things finally work as intended is ...sweet).

There's only one tiny problem left.
Does anyone know how i actually manage to get it to kick off when snort alerts? After a few tests I dont seem to get that part working.

i.e I dont really understand the part: "alert_triggered -eq 1".

Would it require me to set up some variable(alert_triggered) that is hooked on to snort and listens for alerts? (Or is this alerter functionality already built-in and waiting for me somewhere in linux)

Any ideas on how this can be done? (Or did i miss something in the example?)
If i need to somehow hook a listener to snort...well im kind of lost so examples will be immensely appreciated .

/F

By alert_triggered -eq 1, I just meant that if the alert is triggered. See, I have never used snort, I don't even know what it does. So hooking up the alert with your script will have to be done by you, or may be someone else here has used snort and will help you.

Cheers