[Dshield] Snort log processing...
Johannes B. Ullrich
jullrich at sans.org
Wed Jan 7 13:12:11 GMT 2004
The snort client reads the alert file. It uses the Unix perl "framework"
client and may require some tweaking as the log format has changed over
If you submit snort logs, make sure you apply some filters to avoid
submitting false positives. We had a few people install
snort with default rules and submit logs based on that. This
is usually not a good idea.
For the PIX: The Unix perl client should support this. It will read from
the file written by syslog (/var/log/messages or wherever you put the
On Wed, 2004-01-07 at 01:46, Jeff Kell wrote:
> Snort is mentioned in the clients, but no details. Does it process the
> snort/alerts logfile? Does it want unified logfile format? Will it
> read SQL? I'm dazed and confused :-)
> My tarpits are submitting fine. Now looking into PIX and Snort logging
> submissions. The PIX logger is windows-based but our PIX syslog is a
> unix box...
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 837 2807 jullrich at sans.org
contact details: http://johannes.homepc.org/contact.htm
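The filtering step recommended in the reply above (drop noisy default rules and your own hosts before submitting), as an added example that is not part of the DShield perl client. It assumes Snort's single-line "fast" alert format; the sample alerts, the noisy SID list and the local address range are constructed for illustration.

```python
import ipaddress
import re

# Regex for Snort's single-line "fast" alert format (assumption: the alert
# file was written with -A fast). Sample lines below are constructed.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:[^\]]*\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

SAMPLE_ALERTS = [  # constructed sample alert lines
    "01/07-13:12:11.123456 [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.9:1434 -> 198.51.100.7:1434",
    "01/07-13:12:12.000001 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 198.51.100.7",
    "01/07-13:12:13.500000 [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.8:40001 -> 198.51.100.9:161",
    "01/07-13:12:14.250000 [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.44:1434 -> 198.51.100.7:1434",
]

# Filters (assumed values): SIDs that fire on benign traffic with the default
# rule set, and our own address space, whose hosts we do not want to report.
NOISY_SIDS = {384}
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = FAST_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    rec["prio"] = int(rec["prio"])
    return rec


def keep_alert(rec, noisy_sids=NOISY_SIDS, local_nets=LOCAL_NETS):
    """Drop noisy rules and alerts whose source lies inside our own networks."""
    if rec["sid"] in noisy_sids:
        return False
    src = ipaddress.ip_address(rec["src"])
    return not any(src in net for net in local_nets)


def filter_alerts(lines):
    """Parse and filter alert lines; unparsable lines are skipped, never submitted."""
    out = []
    for line in lines:
        rec = parse_alert(line)
        if rec and keep_alert(rec):
            out.append(rec)
    return out
```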