[Dshield] snort_18_syslog.pl

Rick Hayes rhayes at vicor-nb.com
Thu Nov 1 16:51:55 GMT 2001

Has anyone been unable to get the snort 1.8 client to work on a Linux
system?  I'm kinda new to this, but I am having no success.

-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On Behalf Of Peter Borner
Sent: Thursday, November 01, 2001 3:50 AM
To: dshield at dshield.org
Subject: RE: [Dshield] snort_18_syslog.pl


Ok. Thanks. However, this script only appears to work! It skips over
99% of the alerts in your syslog file. Johannes has just sent out a
survey asking for feedback. Perhaps we'll see some changes. I really
like the idea of Dshield but I simply don't have the time or Perl
expertise to make these clients work. IMHO if Dshield is going to work
as a concept then the clients need to be fixed so that all alerts are
logged accurately.

Peter.

-----Original Message-----
From: Eric Rosander [mailto:erosander at matrixns.com]
Sent: 31 October 2001 18:39
To: dshield at dshield.org
Subject: RE: [Dshield] snort_18_syslog.pl

I have not had a chance to verify it, as my script works so I have not
had a need to download it.  I was going by this previous posting...

<snip>


*** PGP Signature Status: good
*** Signer: Johannes B. Ullrich <jullrich at euclidian.com> (Invalid)
*** Signed: 10/11/2001 7:12:29 PM
*** Verified: 10/12/2001 9:11:13 AM
*** BEGIN PGP VERIFIED MESSAGE ***


Thanks to Eric for reminding me. I posted the snort 1.8 client. To
download it directly:
http://www.dshield.org/clients/snort_dshield_18.tgz

It is built around the newer perl framework which allows for
source/target ip filtering and a few other gadgets.



--
-------
jullrich at sans.org                    Join http://www.DShield.org
                                     Distributed Intrusion Detection System


*** END PGP VERIFIED MESSAGE ***

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www1.dshield.org/mailman/listinfo/dshield

</snip>

-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On Behalf Of Peter Borner
Sent: Tuesday, October 30, 2001 5:07 AM
To: dshield at dshield.org
Subject: RE: [Dshield] snort_18_syslog.pl


Eric,

Do you want to double-check your response? I just downloaded the
tarball again... it's identical to the one I already have... and
funnily enough... it still doesn't work!

-----Original Message-----
From: Eric Rosander [mailto:erosander at matrixns.com]
Sent: 30 October 2001 06:41
To: dshield at dshield.org
Subject: RE: [Dshield] snort_18_syslog.pl

Actually, he put the new script up on dshield.org the day you asked
about it. Try downloading it again, it should work.

-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On Behalf Of Peter Borner
Sent: Monday, October 29, 2001 12:40 PM
To: dshield at dshield.org
Subject: RE: [Dshield] snort_18_syslog.pl


Johannes,

Have you made any progress with this yet?

Thanks,

Peter

-----Original Message-----
From: Johannes B. Ullrich [mailto:jullrich at euclidian.com]
Sent: 18 October 2001 22:34
To: Dshield (E-mail)
Subject: Re: [Dshield] snort_18_syslog.pl

> I am attempting to get snort_18_syslog.pl to work. I am not sure which
> log file to point the program at. Do I point it at my syslog file or my
> snort alert file?

I will spend some time over the next few days sorting out the various
snort log formats. I will focus on 1.8 (as I use it myself, and it is
now the preferred version) and see if I can come up with a parser that
recognizes the various formats.

Snort has a wide range of formats. I think we have parsers and scripts
for most of them, but they are not always clearly labeled...

--
-------
jullrich at sans.org                    Join http://www.DShield.org
                                     Distributed Intrusion Detection System
