jsage at finchhaven.com
Mon Oct 29 21:58:41 GMT 2001
I've just got snort_18_syslog.pl working, pointing at /var/log/messages
snort-1.8.1-RELEASE build 74 is being started with:
snortREL -b -i ppp0 -c /usr/local/snort-1.8.1-RELEASE/snortREL.conf &
and snortREL.conf has in it:
output alert_syslog: LOG_DAEMON LOG_ALERT
# output alert_full
output alert_full: /var/log/snort/alertREL.full
which is what I've been using since 1.7
Anyway, I didn't have to mess with the parser at all, other than figure
out which file (/var/log/messages or /var/log/snort/alertREL.full) it
would look at without puking..
I did specify the full path to the log file in dshield.cnf (which I
I had some trouble puzzling out *where* the tmp file was determined to
be, and finally fixed that by putting the full *path* in dshield.cnf as
"tmp=/usr/local/dshield", and setting the file *name* in
snort_18_syslog.pl as "$tmpfile=dshield.$$.tmp"
Try adding -d up at #!/usr/bin/perl -s -w to run in perl debug mode:
you can pick up a lot of how it works, and step through it line by line
and see where it doesn't work a lot easier...
Peter Borner wrote:
> Have you made any progress with this yet?
> -----Original Message-----
> From: Johannes B. Ullrich [mailto:jullrich at euclidian.com]
> Sent: 18 October 2001 22:34
> To: Dshield (E-mail)
> Subject: Re: [Dshield] snort_18_syslog.pl
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>>I am attempting to get snort_18_syslog.pl to work. I am not sure which
>>log file to point the program at. Do I point it at my syslog file or
>>snort alert file?
> I will spend some time over the next few days sorting out the various
> snort log formats. I will focus on 1.8 (as I use it myself, and it is
> the preferred version) and see if I can come up with a parser that
> recognizes the various formats.
> Snort has a wide range of formats. I think we have parsers and scripts
> for most of them, but they are not always clearly labeled...
> - --
> - -------
> jullrich at sans.org Join http://www.DShield.org
> Distributed Intrusion Detection System
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> -----END PGP SIGNATURE-----
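The thread turns on which file to point the parser at. When snort is started with "output alert_syslog", its alerts land in /var/log/messages interleaved with cron, sshd and everything else, so whatever reads that file has to pick out the snort lines first and only then pull the fields apart. The Python below is an added example, not part of the original post and not the snort_18_syslog.pl script discussed in it. The alert line layout it expects ("[gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src:sport -> dst:dport") is assumed from snort 1.8's alert_syslog output, and the sample /var/log/messages contents are constructed for the example; function and field names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of /var/log/messages (not taken from the original post):
# snort's alert_syslog lines interleaved with other daemons' output, which is
# why a parser pointed at the syslog file must skip everything that is not snort.
SAMPLE_MESSAGES = """\
Oct 29 21:50:01 gw cron[1201]: (root) CMD (run-parts /etc/cron.hourly)
Oct 29 21:51:12 gw snort[1337]: [1:1256:1] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.0.2.77:3482 -> 198.51.100.5:80
Oct 29 21:52:40 gw sshd[1402]: Accepted publickey for jsage from 192.0.2.10 port 51022 ssh2
Oct 29 21:53:03 gw snort[1337]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.0.2.77 -> 198.51.100.5
Oct 29 21:55:19 gw snort[1337]: [1:1256:1] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.0.2.78:1025 -> 198.51.100.5:80
"""

# Syslog envelope: "Mon DD HH:MM:SS host snort[pid]: body". Only snort lines match.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) snort\[\d+\]: (?P<body>.*)$"
)

# Alert body as assumed for snort 1.8's alert_syslog plugin. Classification and
# Priority are optional (rules without them omit the brackets) and so are the
# ports (ICMP alerts carry bare addresses).
ALERT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?)"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])?"
    r"(?: \[Priority: (?P<pri>\d+)\])?"
    r": \{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


@dataclass
class Alert:
    ts: str
    host: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_line(line: str) -> Optional[Alert]:
    """Return an Alert for a snort alert line, None for anything else."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None  # cron, sshd, ...: not a snort line at all
    a = ALERT_RE.match(m.group("body"))
    if not a:
        return None  # a snort line that is not in alert format
    return Alert(
        ts=m.group("ts"),
        host=m.group("host"),
        gid=int(a.group("gid")),
        sid=int(a.group("sid")),
        rev=int(a.group("rev")),
        msg=a.group("msg"),
        classification=a.group("cls"),
        priority=int(a.group("pri")) if a.group("pri") else None,
        proto=a.group("proto"),
        src=a.group("src"),
        sport=int(a.group("sport")) if a.group("sport") else None,
        dst=a.group("dst"),
        dport=int(a.group("dport")) if a.group("dport") else None,
    )


def parse_messages(text: str) -> List[Alert]:
    """Parse a whole syslog file's contents, keeping only snort alerts."""
    return [a for a in (parse_line(l) for l in text.splitlines()) if a is not None]


def count_by_target(alerts: List[Alert]) -> Dict[Tuple[str, Optional[int], str], int]:
    """Aggregate alerts per (dst, dport, proto), the kind of roll-up a
    distributed IDS submission wants rather than one record per line."""
    counts: Dict[Tuple[str, Optional[int], str], int] = {}
    for a in alerts:
        key = (a.dst, a.dport, a.proto)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    alerts = parse_messages(SAMPLE_MESSAGES)
    for a in alerts:
        print(f"{a.ts} sid={a.sid} {a.proto} {a.src}:{a.sport} -> {a.dst}:{a.dport} {a.msg}")
    for (dst, dport, proto), n in count_by_target(alerts).items():
        print(f"{n:3d} hits on {dst}:{dport} ({proto})")
```

Pointed at a real /var/log/messages, replace SAMPLE_MESSAGES with the file contents; lines from other daemons fall out at SYSLOG_RE, and a snort line whose body does not fit ALERT_RE (a different output plugin, a later snort release that changed the layout) comes back as None rather than half-parsed, so a mismatch between the configured output format and the parser shows up as zero alerts instead of garbage.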