[Dshield] the dshield snort programs

Wayne Larmon wlarmon at dshield.org
Thu Aug 22 14:30:21 GMT 2002


> I am curious,
>
> I'm using snort with a bunch of the supplied rules, but when
> using the test wrapper I get:
>
> -------------------------------Processing line
> 2-------------------------------
> PARSING: Aug 15 00:33:07 nexus snort[3673]: [1:1256:3] WEB-IIS CodeRed v2
> root.exe access [Classification: Web Application Attack] [Priority: 1]:
> {TCP} 213.84.89.211:2117 -> 213.84.207.11:80
> SKIPPING: Failed non-ICMP parse
>
> Am I missing a prerequisite not documented somewhere (or documented
> and not noticed)?

The regular expression that parses the log line was overly restrictive.  The
line in question is

if ($line=~/^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}).*snort:.*\{([A-Z]+)\} ([0-9.]*):(\d+) -> ([0-9.]*):(\d+)$/)

'snort:' is the portion that was causing the problem.  It failed because
your log lines have 'snort[3673]:'.  The log samples we used before had
'snort:'.  So the regex needs to skip over zero or more characters between
the 't' in 'snort' and the ':'.  '?*' does this, so I changed it to be
'snort?*:', so that now the regex is

# [^:]* skips the optional "[pid]" between "snort" and ":"; the posted "?*"
# is a nested quantifier that Perl refuses to compile ("Nested quantifiers in regex")
if ($line=~/^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}).*snort[^:]*:.*\{([A-Z]+)\} ([0-9.]*):(\d+) -> ([0-9.]*):(\d+)$/)

You can make this change in your copy of snort_18_syslog.pl.  Scroll almost
to the end and then go back a few screens until you find the regex line and
change 'snort:' to be 'snort?*:'

More info on regexes as applies to our log parsers is at
http://www.dshield.org/regex.html

I made the changed version live at http://www.dshield.org/framework.html

Wayne Larmon
wlarmon at dshield.org
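Added example, not from the post or the DShield framework scripts: a Python port of the Perl regex above, run over the quoted log line and a constructed "snort:" variant, to show that the literal 'snort:' skips the PID form while 'snort[^:]*:' (assumed here as the working equivalent of the intended "zero or more characters" fix, since Perl rejects '?*' as a nested quantifier) parses both.

```python
import re

# The first line is the one quoted in the thread; the second is a constructed
# variant in the older "snort:" form the parser was originally written against.
LINE_WITH_PID = ("Aug 15 00:33:07 nexus snort[3673]: [1:1256:3] WEB-IIS CodeRed v2 "
                 "root.exe access [Classification: Web Application Attack] "
                 "[Priority: 1]: {TCP} 213.84.89.211:2117 -> 213.84.207.11:80")
LINE_NO_PID = ("Aug 15 00:33:07 nexus snort: [1:1256:3] WEB-IIS CodeRed v2 "
               "root.exe access [Classification: Web Application Attack] "
               "[Priority: 1]: {TCP} 213.84.89.211:2117 -> 213.84.207.11:80")

# Original pattern: the literal "snort:" cannot match "snort[3673]:".
OLD_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}).*snort:"
                    r".*\{([A-Z]+)\} ([0-9.]*):(\d+) -> ([0-9.]*):(\d+)$")

# Fixed pattern (assumed equivalent of the post's intent): [^:]* consumes zero
# or more non-colon characters, i.e. the optional "[pid]", before the colon.
NEW_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}).*snort[^:]*:"
                    r".*\{([A-Z]+)\} ([0-9.]*):(\d+) -> ([0-9.]*):(\d+)$")

FIELDS = ("month", "day", "hour", "minute", "second",
          "proto", "src_ip", "src_port", "dst_ip", "dst_port")


def parse_snort_syslog(line, pattern=NEW_RE):
    """Return the captured fields as a dict, or None when the parser would SKIP the line."""
    m = pattern.match(line)
    if not m:
        return None
    return dict(zip(FIELDS, m.groups()))


if __name__ == "__main__":
    for label, pat in (("old", OLD_RE), ("new", NEW_RE)):
        for line in (LINE_WITH_PID, LINE_NO_PID):
            print(label, "PARSED" if parse_snort_syslog(line, pat) else "SKIPPED", line[:40])
```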