[Dshield] snort perl script

Wayne Larmon wlarmon at dshield.org
Tue Oct 1 15:30:56 GMT 2002


> I'm trying to get the snort 1.8 perl script (snort_18_syslog.pl) to work on
> my /var/log/snort/alert file (generated with -A full).  It runs fine, but
> all I get are failures:
>
> Failed non-ICMP parse
>
> We get a TON of scans in the alert file every day, and I find it hard to
> believe that they are all failing.  I've looked at the script, but I don't
> know how to program Perl.  Some of it is obvious, but I'm not sure why it
> fails on every single log entry.  I'm running snort 1.8.7.  Any helpful
> suggestions?

The way that most of the framework scripts convert is by using a regular
expression to match the various parts of the original log line.  Some of the
converters have several regular expressions--it tries all of them and
rejects a log line if it doesn't match any of them.  It looks like you have
valid log lines that don't match any of the regular expressions that are in
the snort_18_syslog.pl script.

So, send me some of these snort log lines that should be converted off list
and I'll update the regular expressions snort conversion routines.

Wayne Larmon
wlarmon at dshield.org
DShield.org
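An added illustration of the convert-by-regex approach described above: the converter tries a list of candidate regular expressions against each log line, takes the first that matches, and rejects (but records) any line that matches none, so the unmatched lines can be collected and sent to the script maintainer. This is example code written for this page, not the snort_18_syslog.pl script or any DShield framework code; the sample lines are constructed in the general shape of snort timestamp/address lines, and the pattern names ("non-ICMP", "ICMP") and field layout are assumptions.

```python
import re

# Constructed sample lines (not taken from the original post). They imitate the
# "MM/DD-HH:MM:SS.usec src:port -> dst:port" shape of snort alert lines: two
# carry ports (TCP/UDP), one is ICMP and has no ports, and the last is a rule
# header line that no address pattern should match.
SAMPLE_LINES = [
    "10/01-15:30:56.123456 192.0.2.10:4567 -> 198.51.100.5:80",
    "10/01-15:31:02.000001 192.0.2.11:53 -> 198.51.100.5:1025",
    "10/01-15:31:10.555555 192.0.2.12 -> 198.51.100.5",
    "[**] [1:469:1] ICMP PING NMAP [**]",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
STAMP = r"(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+"

# Candidate patterns, tried in order; the first match wins. Names are assumed.
PATTERNS = [
    ("non-ICMP", re.compile(
        rf"^{STAMP}\s+(?P<src>{IPV4}):(?P<sport>\d+)\s+->\s+"
        rf"(?P<dst>{IPV4}):(?P<dport>\d+)\s*$")),
    ("ICMP", re.compile(
        rf"^{STAMP}\s+(?P<src>{IPV4})\s+->\s+(?P<dst>{IPV4})\s*$")),
]


def parse_line(line):
    """Return (pattern_name, fields) for the first pattern that matches the
    line, or (None, None) when none of the candidate patterns match."""
    for name, pattern in PATTERNS:
        match = pattern.match(line.strip())
        if match:
            return name, match.groupdict()
    return None, None


def convert(lines):
    """Convert every line. Matched lines become field dicts tagged with the
    pattern that matched; unmatched lines are kept verbatim so they can be
    reported (and sent to whoever maintains the regular expressions)."""
    records, failures = [], []
    for line in lines:
        name, fields = parse_line(line)
        if name is None:
            failures.append(line.rstrip("\n"))
        else:
            records.append({"kind": name, **fields})
    return records, failures


def main():
    records, failures = convert(SAMPLE_LINES)
    for rec in records:
        print(f"{rec['kind']:8} {rec['src']} -> {rec['dst']}")
    # A failure here means "no candidate regex matched", not a bad log line.
    for line in failures:
        print(f"Failed parse (no pattern matched): {line}")


if __name__ == "__main__":
    main()
```

Running the block prints the three converted lines and flags the rule-header line as unmatched; on a real alert file, the unmatched lines are exactly the samples worth sending off list, since each one represents a line shape the script's pattern list does not yet cover.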