[Dshield] Are these log lines right?

Dan Colquhoun dcolquho at opentext.com
Wed Aug 8 21:17:44 GMT 2001


Indeed, I'm using the 'full' form of logging.  I now see the allusion to the
log format required by the "Match liberaly" statement.  I'm using snort 1.7,
here's an example of a full log entry:

[**] IDS243/web-cgi_http-cgi-pipe [**]
08/08-16:58:27.694965 0:0:77:94:10:16 -> 0:50:FC:20:AE:EA type:0x800
len:0x3B8
24.253.203.222:2706 -> 24.42.8.96:80 TCP TTL:116 TOS:0x0 ID:12158 IpLen:20
DgmLen:938 DF
***AP*** Seq: 0x81A8F846  Ack: 0xBB842CC5  Win: 0x16D0  TcpLen: 20

I know such a tiny amount of Perl it's sad, but perhaps someone could modify
the parser to handle the full logging format and submit it.  What I did do
was modify how it handles the ROTATE, by including delete and restarting
snort to regenerate the alert file.  My example is here:

if ( $finish =~ /ROTATE/i ) {
    $t=time();
    # keep a timestamped copy of the alert file, then remove the original
    # so the next submission does not include entries already rotated out
    system("cp $logfile $logfile.$t");
    system("rm $logfile");
    # SIGHUP snort so it reopens (and thereby recreates) the alert file
    system("kill -HUP `cat /var/run/snort_eth1.pid`");
}

Hope that helps some people.  Otherwise just using ROTATE would leave the
old logfile in place and your submissions would include everything that
should have been rotated out.  Possibly you could use ROTATE with DELETE,
but that's not intuitive and I didn't test or know if that would work.

> -----Original Message-----
> From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
> Behalf Of Johannes B. Ullrich
> Sent: August 8, 2001 10:44 AM
> To: DShield
> Subject: Re: [Dshield] Are these log lines right?
>
>
>
> > 2001-08-07 14:27:33 -04:00	99184672	1	0	0
> 0	50	24.116.83.4:3752
>
> This does not look right. The source/target IP and port is missing.
> Make sure you use the right Snort parser for the type of log you are
> parsing. Snort uses a variety of different output formats (syslog, full,
> portscan, XML ...)
>
> --
> -------
> jullrich at sans.org                    Join http://www.DShield.org
>                                      Distributed Intrusion
> Detection System
>
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www1.dshield.org/mailman/listinfo/dshield

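The parser on the list expects a different Snort output mode than the 'full' entries shown above. As an added example (Python rather than the list's Perl, and not the DShield client's own code), here is a parser for the Snort 1.7 full alert format: it splits the file into blank-line separated blocks, reads the "[**] msg [**]" header, the timestamp line (which carries Ethernet addresses when Snort runs with -e, as in the quoted entry), the "src:port -> dst:port PROTO" line, and the TCP flags line. It assumes the blocks are as Snort writes them (the mail client wrapped the two long lines in the entry quoted above), takes the year as a parameter because Snort 1.7 timestamps omit it, and the tab-separated output's field order is an illustration, not the exact DShield submission layout; the second sample block and the user id are constructed.

```python
"""Parse Snort 1.7 'full' alert-log blocks into records with source/target
IPs and ports filled in (added example, not the DShield Perl parser)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterator, List, Optional

# Constructed sample: block one is the entry quoted on the list with the mail
# wrapping undone; block two is a constructed ICMP alert, which has no ports.
SAMPLE_ALERTS = """\
[**] IDS243/web-cgi_http-cgi-pipe [**]
08/08-16:58:27.694965 0:0:77:94:10:16 -> 0:50:FC:20:AE:EA type:0x800 len:0x3B8
24.253.203.222:2706 -> 24.42.8.96:80 TCP TTL:116 TOS:0x0 ID:12158 IpLen:20 DgmLen:938 DF
***AP*** Seq: 0x81A8F846  Ack: 0xBB842CC5  Win: 0x16D0  TcpLen: 20

[**] ICMP PING (constructed sample) [**]
08/08-17:02:11.000123 192.0.2.10 -> 192.0.2.20 ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1234   Seq:1  ECHO
"""

HEADER_RE = re.compile(r"^\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]$")
TS_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{1,6})\s*")
IP_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s+(?P<proto>[A-Z]+)\b")
TCP_FLAGS_RE = re.compile(r"^([*12UAPRSF]{8})\s+Seq:")


@dataclass(frozen=True)
class Alert:
    timestamp: datetime
    message: str
    src: str
    sport: Optional[int]   # None for protocols without ports (ICMP)
    dst: str
    dport: Optional[int]
    proto: str
    tcp_flags: Optional[str]  # e.g. "***AP***"; None for non-TCP


def _blocks(text: str) -> Iterator[List[str]]:
    """Yield each blank-line separated alert block as a list of lines."""
    block: List[str] = []
    for line in text.splitlines():
        if line.strip():
            block.append(line.rstrip())
        elif block:
            yield block
            block = []
    if block:
        yield block


def parse_block(lines: List[str], year: int) -> Alert:
    """Turn one full-format block into an Alert; Snort 1.7 prints no year,
    so the caller supplies it (assumes the file does not span a year end)."""
    if len(lines) < 2:
        raise ValueError("block too short")
    head, ts = HEADER_RE.match(lines[0]), TS_RE.match(lines[1])
    if not head or not ts:
        raise ValueError(f"not a Snort full-format block: {lines[0]!r}")
    mon, day, hh, mm, ss, us = ts.groups()
    when = datetime(year, int(mon), int(day), int(hh), int(mm), int(ss),
                    int(us.ljust(6, "0")))
    # Without -e the IP addresses follow the timestamp on the same line; with
    # -e that line holds MAC addresses and the IP line is the next one.
    ip, next_idx = IP_RE.match(lines[1][ts.end():]), 2
    if ip is None and len(lines) > 2:
        ip, next_idx = IP_RE.match(lines[2]), 3
    if ip is None:
        raise ValueError(f"no IP line in block {lines[0]!r}")
    flags = None
    if ip.group("proto") == "TCP" and len(lines) > next_idx:
        fm = TCP_FLAGS_RE.match(lines[next_idx])
        flags = fm.group(1) if fm else None
    port = lambda name: int(ip.group(name)) if ip.group(name) else None
    return Alert(when, head.group("msg"), ip.group("src"), port("sport"),
                 ip.group("dst"), port("dport"), ip.group("proto"), flags)


def parse_full_log(text: str, year: int) -> List[Alert]:
    """Parse a whole full-format file, skipping blocks that do not parse."""
    alerts = []
    for block in _blocks(text):
        try:
            alerts.append(parse_block(block, year))
        except ValueError:
            continue
    return alerts


def to_tab_line(a: Alert, userid: str, tz: str = "-04:00") -> str:
    """Tab-separated line with source and target present. The field order
    (timestamp, user id, count, src, sport, dst, dport, proto, flags) is an
    assumption for illustration, not the exact DShield column layout."""
    show = lambda p: "???" if p is None else str(p)
    return "\t".join([a.timestamp.strftime("%Y-%m-%d %H:%M:%S") + " " + tz,
                      userid, "1", a.src, show(a.sport), a.dst, show(a.dport),
                      a.proto, a.tcp_flags or ""])


if __name__ == "__main__":
    for alert in parse_full_log(SAMPLE_ALERTS, year=2001):
        print(to_tab_line(alert, userid="USERID"))  # USERID is a placeholder
```

Blocks that do not match the format (for instance a stray portscan line) are skipped rather than producing a record with empty source and target fields, which is the symptom in the quoted line above.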


