[Dshield] snort_18_syslog.pl

John Sage jsage at finchhaven.com
Mon Oct 29 21:58:41 GMT 2001


Peter, Johannes:

I've just got snort_18_syslog.pl working, pointing at /var/log/messages

snort-1.8.1-RELEASE build 74 is being started with:

snortREL -b -i ppp0 -c /usr/local/snort-1.8.1-RELEASE/snortREL.conf &

and snortREL.conf has in it:

#
output alert_syslog: LOG_DAEMON LOG_ALERT
# output alert_full
output alert_full: /var/log/snort/alertREL.full

which is what I've been using since 1.7


Anyway, I didn't have to mess with the parser at all, other than figuring 
out which file (/var/log/messages or /var/log/snort/alertREL.full) it 
would look at without puking.

I did specify the full path to the log file in dshield.cnf (which I 
renamed).

I had some trouble puzzling out *where* the tmp file was determined to 
be, and finally fixed that by putting the full *path* in dshield.cnf as 
"tmp=/usr/local/dshield", and setting the file *name* in 
snort_18_syslog.pl as "$tmpfile=dshield.$$.tmp"

Try adding -d up at "#!/usr/bin/perl -s -w" to run in perl debug mode: 
you can pick up a lot of how it works, and step through it line by line 
and see where it doesn't work a lot easier...

- John

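As an added example (not code from this thread, and not DShield's own snort_18_syslog.pl), here is the kind of format check Johannes describes, written in Python rather than Perl: it tells an alert_syslog line in /var/log/messages apart from an alert_full block and pulls the same fields out of either, so a script can be pointed at either file. The sample lines, the field layout assumed for both snort 1.8 formats, and all function names are assumptions, not taken from the thread.

```python
import re

# Constructed sample input (not from the thread). The first string approximates
# what "output alert_syslog: LOG_DAEMON LOG_ALERT" leaves in /var/log/messages;
# the second approximates one record of the alert_full file. Both are assumptions.
SYSLOG_LINE = ("Oct 29 21:58:41 finch snort[812]: [1:469:1] ICMP PING NMAP "
               "[Classification: Attempted Information Leak] [Priority: 2]: "
               "{ICMP} 10.0.0.5 -> 10.0.0.9")
ALERT_FULL = ("[**] [1:1002:2] WEB-IIS cmd.exe access [**]\n"
              "[Classification: Web Application Attack] [Priority: 1]\n"
              "10/29-21:58:41.123456 10.0.0.5:4321 -> 10.0.0.9:80\n"
              "TCP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:60 DF\n")

# "src[:port] -> dst[:port]"; the port is absent for ICMP and similar protocols.
ENDPOINT = (r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
            r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?")
SYSLOG_RE = re.compile(
    r"snort(?:\[\d+\])?: \[(?P<sid>[\d:]+)\] (?P<msg>.+?) "
    r"(?:\[Classification: [^\]]+\] )?\[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>\w+)\} " + ENDPOINT)
FULL_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\]\n"
    r"(?:\[Classification: [^\]]+\] )?\[Priority: (?P<pri>\d+)\]\n"
    r"\S+ " + ENDPOINT + r"\n(?P<proto>\w+) ")


def detect_format(text):
    """Return 'syslog', 'alert_full', or None when the text matches neither."""
    if SYSLOG_RE.search(text):
        return "syslog"
    if FULL_RE.search(text):
        return "alert_full"
    return None


def parse_alert(text):
    """Normalise one alert from either format into a single record, or None."""
    m = SYSLOG_RE.search(text) or FULL_RE.search(text)
    if not m:
        return None
    return {
        "sid": m.group("sid"), "msg": m.group("msg"),
        "priority": int(m.group("pri")), "proto": m.group("proto"),
        "src": m.group("src"), "dst": m.group("dst"),
        # Port-less protocols carry no port fields; report 0 for those.
        "sport": int(m.group("sport") or 0), "dport": int(m.group("dport") or 0),
    }
```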

Peter Borner wrote:

> Johannes,
> 
> Have you made any progress with this yet?
> 
> Thanks,
> 
> Peter
> 
> -----Original Message-----
> From: Johannes B. Ullrich [mailto:jullrich at euclidian.com]
> Sent: 18 October 2001 22:34
> To: Dshield (E-mail)
> Subject: Re: [Dshield] snort_18_syslog.pl
> 
> 
>> I am attempting to get snort_18_syslog.pl to work. I am not sure which
>> log file to point the program at. Do I point it at my syslog file or my
>> snort alert file?
> 
> I will spend some time over the next few days sorting out the various
> snort log formats. I will focus on 1.8 (as I use it myself, and it is
> now the preferred version) and see if I can come up with a parser that
> recognizes the various formats.
> 
> Snort has a wide range of formats. I think we have parsers and scripts
> for most of them, but they are not always clearly labelled...
> 
> 
> 
> 
> --
> -------
> jullrich at sans.org                    Join http://www.DShield.org
>                           Distributed Intrusion Detection System
> 