[Dshield] test of dshield_snort.pl gives nothing

Eric Rosander erosander at matrixns.com
Thu Aug 9 03:08:14 GMT 2001


I sent a copy of my logs, et al, to Johannes already.  I PGP'd them up, so I
hope he gets them OK.  It would be great if we could get this going.  I have
a few snort sensors on the borders of a couple of my clients and I'd like to
get the logs up to dshield.  Lots of good CodeRed stuff.

Since we are on the subject, I use the snort.conf "plugin" modules to
configure my log output and the snortd script created by the .rpm to
start/stop snort, etc.  I modified the snortd startup line as follows:

start)
        echo -n "Starting snort: "
        daemon /usr/sbin/snort -u snort -g snort -z all -d -D \
                -i $INTERFACE -l /var/log/snort -c /etc/snort/snort.conf
        touch /var/lock/subsys/snort
        echo
        ;;
I then use the output in snort.conf:

output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: snort.log

In 1.7 this created /var/log/snort/snort.log files and outputs to messages.
This same config in 1.8p1 creates a time stamped log file, for example
0727@1201-snort.log, and messages.  I have been pointing the dshield_snort.pl
files to /var/log/messages as this is text and not binary.  Is there a good
way to get dshield output from a binary snort.log?

BTW:  I have tried logs from a command line: snort -Afull -l
/var/log/snort - got a good sized ASCII file, and tried the same script
against that and still received a blank email.

-Eric


-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
Behalf Of Kenneth McKinlay
Sent: Wednesday, August 08, 2001 6:01 PM
To: dshield at dshield.org
Cc: jullrich at euclidian.com
Subject: RE: [Dshield] test of dshield_snort.pl gives nothing


Johannes et al.,

If you want, I am willing to look at the dshield_snort.pl routine and
attempt to get it to handle both the fast and the full log formats.

At the office I have access to both Snort 1.7 and 1.8 formats and I
can easily set it up to gather a lot of traffic from my internal
network so I have a good sample for processing.

Also, I sort of want to start using Snort to handle the feed to
Dshield so this is a good reason to ignore the users and do something
worthwhile. :-)

Ken McKinlay, GCIA
Ottawa, Canada


From:           	"Johannes B. Ullrich" <jullrich at euclidian.com>
To:             	<dshield at dshield.org>
Subject:        	RE: [Dshield] test of dshield_snort.pl gives nothing
Send reply to:  	dshield at dshield.org
	<mailto:dshield-request at dshield.org?subject=subscribe>
	<mailto:dshield-request at dshield.org?subject=unsubscribe>
Date sent:      	Wed, 8 Aug 2001 17:40:25 -0400 (EDT)

>
> Could one of you please send me a quick log sample so I can do some
> debugging here?
>
>
> On Wed, 8 Aug 2001, Eric Rosander wrote:
>
> > I just decided to test this out for myself and got the same results.
> >  The email has the correct submission Subject line, etc., but the
> > email body is completely blank.  No data.  It may not be reading the
> > 1.8p1 alerts correctly?  Unfortunately I am not a perl expert, just
> > a leech.  Anyone else want to take a stab at it?
> >
> > Eric Rosander
> > erosander at matrixns.com
> >
> > -----Original Message-----
> > From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
> > Behalf Of Matt Harrell Sent: Tuesday, August 07, 2001 11:09 AM To:
> > dshield at dshield.org Subject: [Dshield] test of dshield_snort.pl
> > gives nothing
> >
> >
> > I'm finally getting around to setting up the Dshield script for
> > Snort on my Linux security box.  When I do a test run, sending the
> > e-mail to myself, I get the correct subject line, but there's
> > nothing else--just a blank body and no attachment.  I have it
> > pointing at the right log file, and it creates the copy of the log,
> > but I get nothing in the e-mail. What should I be getting in the
> > e-mail?  Thanks.
> >
> > Matt Harrell
> > Plexus Systems
> > mhar at plex-sys.com
> >
> >
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www1.dshield.org/mailman/listinfo/dshield
> >
>
> --
> -------
> jullrich at sans.org                    Join http://www.DShield.org
>                                    Distributed Intrusion Detection
>                                    System
>
>


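The thread's recurring symptom is a submission e-mail with the right subject line and an empty body, which is what a converter produces when it silently fails to recognise the alert format (the 1.7 versus 1.8p1 difference Eric and Ken discuss). The script below is an added example, not dshield_snort.pl and not code from the DShield project: it parses both the `alert_syslog` lines Eric sends to /var/log/messages and the `-Afull` ASCII alert blocks he tried from the command line, emits one tab-separated record per alert, and, instead of mailing a blank body, reports why nothing was converted. The sample log text is constructed, the exact Snort 1.8 line layouts are assumptions, the `year` argument exists because syslog timestamps carry no year, and the column set is a simplified record rather than the exact one dshield_snort.pl emits.

```python
import re
from datetime import datetime

# Constructed samples, not real traffic: syslog lines as the Snort 1.8 alert_syslog
# plugin is assumed to write them (with one unrelated sshd line mixed in), and one
# "full" ASCII alert block as assumed from `snort -Afull`.
SYSLOG_SAMPLE = """\
Aug  9 03:01:12 sensor1 snort: [1:1256:2] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.0.2.10:2514 -> 198.51.100.5:80
Aug  9 03:01:13 sensor1 sshd[1234]: Accepted publickey for eric from 192.0.2.99 port 51022
Aug  9 03:02:40 sensor1 snort: [1:384:2] ICMP PING [Classification: Misc activity] [Priority: 3]: {ICMP} 192.0.2.10 -> 198.51.100.5
"""

FULL_SAMPLE = """\
[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
08/09-03:05:07.123456 203.0.113.7:3321 -> 198.51.100.5:80
TCP TTL:112 TOS:0x0 ID:41532 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0x4470  TcpLen: 20

"""

# An endpoint is "ip" or "ip:port"; ICMP alerts carry no port, so the port is optional.
END = r"(?P<{n}>\d{{1,3}}(?:\.\d{{1,3}}){{3}})(?::(?P<{n}port>\d+))?"

SNORT_TAG = re.compile(r"\ssnort(?:\[\d+\])?: ")
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ snort(?:\[\d+\])?: "
    r"\[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[Classification: [^\]]*\] \[Priority: \d+\]: "
    r"\{(?P<proto>[A-Z]+)\} " + END.format(n="src") + r" -> " + END.format(n="dst") + r"$"
)
FULL_PKT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+ "
    + END.format(n="src") + r" -> " + END.format(n="dst") + r"$"
)


def _record(year, mon, day, time, m, proto):
    """Normalise one match into a flat dict with an ISO date (year supplied by caller)."""
    month = int(mon) if mon.isdigit() else datetime.strptime(mon, "%b").month
    date = datetime(year, month, int(day)).strftime("%Y-%m-%d")
    return {
        "date": date, "time": time, "proto": proto,
        "src": m.group("src"), "sport": m.group("srcport") or "???",
        "dst": m.group("dst"), "dport": m.group("dstport") or "???",
    }


def parse_syslog(text, year):
    """Pull Snort alerts out of a syslog file; returns (records, snort lines seen)."""
    records, seen = [], 0
    for line in text.splitlines():
        if not SNORT_TAG.search(line):
            continue  # some other daemon's line
        seen += 1
        m = SYSLOG_RE.match(line)
        if m:
            records.append(_record(year, m["mon"], m["day"], m["time"], m, m["proto"]))
    return records, seen


def parse_full(text, year):
    """Walk -Afull alert blocks: header, classification, packet line, protocol line."""
    records, blocks = [], 0
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("[**]"):
            continue
        blocks += 1
        for j in range(i + 1, min(i + 4, len(lines))):  # packet line sits 1-3 lines down
            m = FULL_PKT_RE.match(lines[j])
            if m:
                proto = lines[j + 1].split()[0] if j + 1 < len(lines) else "???"
                records.append(_record(year, m["mon"], m["day"], m["time"], m, proto))
                break
    return records, blocks


def to_submission(records, user_id):
    """Simplified tab-separated records: date, time, user id, count, src, sport, dst, dport, proto."""
    return ["\t".join([r["date"], r["time"], str(user_id), "1", r["src"], r["sport"],
                       r["dst"], r["dport"], r["proto"]]) for r in records]


def diagnose(records, candidates):
    """Explain an empty result instead of mailing a blank body."""
    if candidates == 0:
        return "no Snort alert lines found: wrong file, or alerts are going elsewhere"
    if not records:
        return f"{candidates} Snort alert line(s) seen but none matched the expected layout"
    return f"{len(records)} of {candidates} alert line(s) converted"


if __name__ == "__main__":
    for name, (recs, seen) in {"syslog": parse_syslog(SYSLOG_SAMPLE, 2001),
                               "full": parse_full(FULL_SAMPLE, 2001)}.items():
        print(f"== {name}: {diagnose(recs, seen)}")
        print("\n".join(to_submission(recs, 12345)))
```

The binary `snort.log` Eric asks about is not handled here on purpose: that file is pcap, so the text parsers above cannot read it, and the `alert_syslog` or `-Afull` text output is the right input for a converter like this.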