[Dshield] the dshield snort programs

Wayne Larmon wlarmon at dshield.org
Thu Aug 22 15:57:09 GMT 2002


Argh.  The fix was wrong.  I was doing too much switching between different
things this morning and didn't test it like I thought I did before posting.

It should be '.*' instead of '?*'.  '?*' is invalid and will cause Perl to
fail with an error message because '?' and '*' are both modifiers. You
aren't supposed to have two modifiers together.

'.' means match a single character.  '*' means that it is a modifier that
matches zero or more of the preceding character (or character class).

So the line should be

if ($line=~/^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}).*snort.*:.*\{([A-Z]+)\} ([0-9.]*):(\d+) -> ([0-9.]*):(\d+)$/) {

where 'snort.*:' is the clause we are fixing.

Wayne Larmon
wlarmon at dshield.org
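As an added example (not code from snort_18_syslog.pl or from the poster), the script below runs the original 'snort:' pattern and the corrected 'snort.*:' pattern over two constructed syslog lines, and shows Perl refusing to compile the intermediate 'snort?*:' form. The field names in the hashref are my own choice.

```perl
#!/usr/bin/perl
# Added example, not code from snort_18_syslog.pl: compare the original
# 'snort:' pattern with the corrected 'snort.*:' pattern on sample lines.
use strict;
use warnings;

# Original pattern: needs the literal text 'snort:' after the hostname.
my $old_re = qr/^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}).*snort:.*\{([A-Z]+)\} ([0-9.]*):(\d+) -> ([0-9.]*):(\d+)$/;

# Corrected pattern: '.*' between 'snort' and ':' also accepts 'snort[3673]:'.
my $new_re = qr/^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}).*snort.*:.*\{([A-Z]+)\} ([0-9.]*):(\d+) -> ([0-9.]*):(\d+)$/;

# Return a hashref of the ten captured fields (names are my own), or undef
# when the line does not match (the script's "Failed non-ICMP parse" case).
sub parse_line {
    my ($re, $line) = @_;
    return undef unless $line =~ $re;
    return {
        month => $1, day => $2, time => join(':', $3, $4, $5),
        proto => $6, src => $7, sport => $8, dst => $9, dport => $10,
    };
}

# Constructed sample lines: the bracketed-pid form from the thread and the
# older 'snort:' form the original pattern was written against.
my @samples = (
    'Aug 15 00:33:07 nexus snort[3673]: [1:1256:3] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 213.84.89.211:2117 -> 213.84.207.11:80',
    'Aug 15 00:33:09 nexus snort: [1:1256:3] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 213.84.89.211:2118 -> 213.84.207.11:80',
);

for my $line (@samples) {
    for my $v (['old', $old_re], ['new', $new_re]) {
        my ($name, $re) = @$v;
        my $f = parse_line($re, $line);
        print defined $f
            ? "$name: $f->{proto} $f->{src}:$f->{sport} -> $f->{dst}:$f->{dport}\n"
            : "$name: no match\n";
    }
}

# '?*' stacks two quantifiers; Perl rejects it when the regex is compiled.
# Build it from a string so the error is raised inside eval at runtime.
my $bad = 'snort?*:';
my $compiled = eval { qr/$bad/ };
print "qr/$bad/ rejected: $@" unless defined $compiled;
```

The old pattern matches only the second sample, the corrected pattern matches both, and the final eval reports Perl's nested-quantifier error for 'snort?*:'.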

> > I am curious,
> >
> > I'm using snort with a bunch of the supplied rules, but when
> > using the test wrapper I get:
> >
> > -------------------------------Processing line 2-------------------------------
> > PARSING: Aug 15 00:33:07 nexus snort[3673]: [1:1256:3] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 213.84.89.211:2117 -> 213.84.207.11:80
> > SKIPPING: Failed non-ICMP parse
> >
> > Am I missing a prerequisite not documented somewhere (or documented
> > and not noticed)?
>
> The regular expression that parses the log line was overly restrictive.
> The line in question is
>
> if ($line=~/^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}).*snort:.*\{([A-Z]+)\} ([0-9.]*):(\d+) -> ([0-9.]*):(\d+)$/)
>
> 'snort:' is the portion that was causing the problem.  It failed because
> your log lines have 'snort[3673]:'.  The log samples we used before had
> 'snort:'.  So the regex needs to skip over zero or more characters between
> the 't' in 'snort' and the ':'.  '?*' does this, so I changed it to be
> 'snort?*:', so that now the regex is
>
> if ($line=~/^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}).*snort?*:.*\{([A-Z]+)\} ([0-9.]*):(\d+) -> ([0-9.]*):(\d+)$/)
>
> You can make this change in your copy of snort_18_syslog.pl.  Scroll almost
> to the end and then go back a few screens until you find the regex line and
> change 'snort:' to be 'snort?*:'
>
> More info on regexes as applies to our log parsers is at
> http://www.dshield.org/regex.html
>
> I made the changed version live at http://www.dshield.org/framework.html
>
> Wayne Larmon
> wlarmon at dshield.org
>
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
