[Dshield] snort_18_syslog.pl

John Sage jsage at finchhaven.com
Sat Nov 10 18:05:32 GMT 2001


Sue:

I just want to clarify what thread we're on, here...

...you *are* using snort_18_syslog.pl?

And which snort?

You've said:

"My e-mail is Windows, but I have Snort 1.8 running on Redhat 7.1 
sending output to /var/log/messages."

Is this snort-1.8.1-RELEASE? Which build? When I say "snort -V" it shows 
I'm running build 74...

Regarding snort_18_syslog.pl..

I had to tinker a bit with:

1) where the tmp file wanted to be
2) where the .cnf file was expected to be found

I explicitly declared the *path* to the tmp file in the .cnf:

tmp=/usr/local/dshield

and declared the tmp file by name in the *.pl script:

$tmpfile="dshield.$$.tmp" unless $tmpfile;

and this seemed to work.



What snort_18_syslog.pl is seeing in my /var/log/messages:

Nov 10 06:48:15 greatwall snort: [1:0:0] UDP from range 1026-60999 {UDP} 216.163.82.67:1046 -> 12.82.137.132:1025
Nov 10 06:48:16 greatwall snort: [1:0:0] UDP from range 1026-60999 {UDP} 216.163.82.67:1046 -> 12.82.137.132:1025


seems to vary from what you are showing in that you've got the pid 
between 'snort' and the trailing ':' -- see my feeble attempt to 
understand the parser, below...


Nov  4 05:32:20 peregrine snort[11512]: [1:0:0] IDS297/web-misc_http-directory-traversal1 [Classification: system integrity attempt] [Priority: 11]: {TCP} 63.106.111.142:3407 -> xxx.yyy.zzz.12:80
Nov  4 05:32:20 peregrine snort[11512]: [1:0:0] IDS297/web-misc_http-directory-traversal1 [Classification: system integrity attempt] [Priority: 11]: {TCP} 63.106.111.142:3424 -> xxx.yyy.zzz.12:80


I believe the parser is saying:

<snip>

if ($line=~/^      # if $line contains at its beginning
   ([A-Z][a-z]{2})  # the character class [A to Z] or [a to z] at least two times {2}

which should match the month; put it in $1

 +(\d{1,2})  # followed by one-or-more spaces ' +';
              # followed by a \d digit at least once and no more than twice

which should match the day-of-month; put it in $2;

 (\d{2}):(\d{2}):(\d{2})  # followed by a space ' ';
                          # followed by two-digits-semicolon-two-digits-semicolon two-digits
                          # put these in $3, $4, $5

which should match hour-hour ($3) minute-minute ($4) second-second ($5)


.*snort:.*\{([A-Z]+)\} # followed by any one character any number of times,
                        #   including zero times;
                        # followed by 'snort:'

<snip>

and there's the problem..


And let's stop here, because while the parser is wanting explicitly 
'snort:' your logs are offering 'snort[pid]:' and the line's being 
skipped...


So you may want to edit .*snort:.*\{([A-Z]+)\} to be something like:

.*snort\[.*\]:.*\{([A-Z]+)\}


To allow for the brackets before the colon, and see what happens..


..or not, 'cause I'm just getting started with Perl and regular 
expressions, and I *could* be totally off the wall, here ;-)


Anyone who actually *knows* something about Perl/regex, please feel free 
to shoot me down, but please explain why so I can learn something, too...


- John



Sue Young wrote:

> I'm trying the published snort client and having no luck.
> It doesn't catch anything in the messages log.  I was wondering
> whether the rulebase you use matters.  I like Whitehats better
> than the snort rules.  Could that be the problem?  I could switch
> back to the snort rulebase.
> 
> Sue Young
> smyatgcmlpdotcom
> 
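The following is an added example, not code from snort_18_syslog.pl or from either poster. It rebuilds the quoted regex fragment as a complete pattern (Python's re.VERBOSE is the equivalent of Perl's /x, so the pattern reads the same way), runs it over constructed sample lines modelled on the two /var/log/messages formats shown above, and shows that the literal "snort:" skips every line that syslog wrote as "snort[pid]:". The second pattern makes the "[pid]" optional instead of requiring it, so lines logged with and without a pid both parse; requiring the brackets (snort\[.*\]:) would simply flip the problem onto the hosts whose syslog omits them. The capture-group order past the timestamp and the trailing "src:port -> dst:port" capture are assumptions about how the script continues, not taken from the page.

```python
import re

# Pattern reconstructed from the regex fragment quoted in the message.
# Assumption: the script's remaining groups are protocol, then
# src:port -> dst:port; that tail is not shown on the page.
ORIGINAL_RE = re.compile(r"""
    ^([A-Z][a-z]{2})            # month, e.g. "Nov"             -> group 1
    [ ]+(\d{1,2})               # one or more spaces, day       -> group 2
    [ ](\d{2}):(\d{2}):(\d{2})  # space, hh:mm:ss               -> groups 3-5
    .*snort:                    # literal "snort:", no room for "[pid]"
    .*\{([A-Z]+)\}              # protocol in braces, {UDP}/{TCP} -> group 6
    \s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s*$   # src:port -> dst:port -> groups 7-10
""", re.VERBOSE)

# Same pattern with syslog's "[pid]" made optional, so both
# "snort:" and "snort[11512]:" are accepted.
FIXED_RE = re.compile(r"""
    ^([A-Z][a-z]{2})
    [ ]+(\d{1,2})
    [ ](\d{2}):(\d{2}):(\d{2})
    .*\bsnort(?:\[\d+\])?:      # "snort:" or "snort[<pid>]:"
    .*\{([A-Z]+)\}
    \s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s*$
""", re.VERBOSE)

# Constructed sample lines modelled on the two formats in the message:
# daemon name alone, and daemon name followed by the syslog pid.
SAMPLE_LINES = [
    "Nov 10 06:48:15 greatwall snort: [1:0:0] UDP from range 1026-60999 {UDP} "
    "216.163.82.67:1046 -> 12.82.137.132:1025",
    "Nov 10 06:48:16 greatwall snort: [1:0:0] UDP from range 1026-60999 {UDP} "
    "216.163.82.67:1046 -> 12.82.137.132:1025",
    "Nov  4 05:32:20 peregrine snort[11512]: [1:0:0] "
    "IDS297/web-misc_http-directory-traversal1 [Classification: system integrity "
    "attempt] [Priority: 11]: {TCP} 63.106.111.142:3407 -> xxx.yyy.zzz.12:80",
    "Nov  4 05:32:20 peregrine snort[11512]: [1:0:0] "
    "IDS297/web-misc_http-directory-traversal1 [Classification: system integrity "
    "attempt] [Priority: 11]: {TCP} 63.106.111.142:3424 -> xxx.yyy.zzz.12:80",
]


def parse_line(line, pattern=FIXED_RE):
    """Return the fields a DShield submission needs, or None if the line is skipped."""
    m = pattern.match(line)
    if m is None:
        return None
    mon, day, hh, mm, ss, proto, src, sport, dst, dport = m.groups()
    return {
        "month": mon,
        "day": int(day),
        "time": f"{hh}:{mm}:{ss}",
        "proto": proto,
        "src": src,
        "sport": int(sport),
        "dst": dst,
        "dport": int(dport),
    }


def parse_log(lines, pattern=FIXED_RE):
    """Split a log into (parsed records, lines the pattern silently skipped)."""
    parsed, skipped = [], []
    for line in lines:
        rec = parse_line(line.rstrip("\n"), pattern)
        if rec is None:
            skipped.append(line)
        else:
            parsed.append(rec)
    return parsed, skipped


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL_RE), ("fixed", FIXED_RE)):
        parsed, skipped = parse_log(SAMPLE_LINES, pat)
        print(f"{name}: parsed {len(parsed)}, skipped {len(skipped)}")
        for line in skipped:
            print("  skipped:", line[:60])
```

Running it shows the original pattern parsing the two "snort:" lines and skipping both "snort[11512]:" lines, while the relaxed pattern parses all four. The skipped list is the check worth keeping in any such client: a parser that drops lines silently is indistinguishable from a sensor that saw nothing, which is exactly the "doesn't catch anything" symptom being reported here.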




