[Dshield] snort_18_syslog.pl

Peter Borner peter at borner.org.uk
Tue Oct 30 12:45:03 GMT 2001


John,

Thanks for the reply. I've tried pointing at the various files with
varying results. The problem seems to be that most of the alerts are
skipped because the parser doesn't recognise the format of the entries.
I also log to a MySQL database. I've got approx 30K alerts logged. The
snort_18_syslog.pl sees less than 1% of the alerts. Maybe it would be
easier to write a script to pull the alerts out of the database and
submit them to Dshield?

Peter


-----Original Message-----
From: John Sage [mailto:jsage at finchhaven.com]
Sent: 29 October 2001 21:59
To: dshield at dshield.org
Subject: Re: [Dshield] snort_18_syslog.pl

Peter, Johannes:

I've just got snort_18_syslog.pl working, pointing at /var/log/messages

snort-1.8.1-RELEASE build 74 is being started with:

snortREL -b -i ppp0 -c /usr/local/snort-1.8.1-RELEASE/snortREL.conf &

and snortREL.conf has in it:

#
output alert_syslog: LOG_DAEMON LOG_ALERT
# output alert_full
output alert_full: /var/log/snort/alertREL.full

which is what I've been using since 1.7


Anyway, I didn't have to mess with the parser at all, other than figure
out which file (/var/log/messages or /var/log/snort/alertREL.full) it
would look at without puking..

I did specify the full path to the log file in dshield.cnf (which I
renamed..)

I had some trouble puzzling out *where* the tmp file was determined to
be, and finally fixed that by putting the full *path* in dshield.cnf as
"tmp=/usr/local/dshield", and setting the file *name* in
snort_18_syslog.pl as "$tmpfile=dshield.$$.tmp"

Try adding -d to the #!/usr/bin/perl -s -w line to run in perl debug mode:
you can pick up a lot of how it works, and step through it line by line
and see where it doesn't work a lot easier...

- John


Peter Borner wrote:

> Johannes,
>
> Have you made any progress with this yet?
>
> Thanks,
>
> Peter
>
> -----Original Message-----
> From: Johannes B. Ullrich [mailto:jullrich at euclidian.com]
> Sent: 18 October 2001 22:34
> To: Dshield (E-mail)
> Subject: Re: [Dshield] snort_18_syslog.pl
>
>
>> I am attempting to get snort_18_syslog.pl to work. I am not sure which
>> log file to point the program at. Do I point it at my syslog file or my
>> snort alert file?
>
> I will spend some time over the next few days sorting out the various
> snort log formats. I will focus on 1.8 (as I use it myself, and it is
> now the preferred version) and see if I can come up with a parser that
> recognizes the various formats.
>
> Snort has a wide range of formats. I think we have parsers and scripts
> for most of them, but they are not always clearly labelled...
>
>
>
>
> --
> jullrich at sans.org                    Join http://www.DShield.org
>                           Distributed Intrusion Detection System
>


