[Dshield] Snort log processing...

Johannes B. Ullrich jullrich at sans.org
Wed Jan 7 13:12:11 GMT 2004


The Snort client reads the alert file. It uses the Unix Perl "framework"
client and may require some tweaking as the log format has changed over
time.

If you submit Snort logs, make sure you apply some filters to avoid
submitting false positives. We had a few people install
Snort with default rules and submit logs based on that. This
is usually not a good idea.

For the PIX: The Unix perl client should support this. It will read from
the file written by syslog (/var/log/messages or wherever you put the
PIX messages).


On Wed, 2004-01-07 at 01:46, Jeff Kell wrote:
> Snort is mentioned in the clients, but no details.  Does it process the 
> snort/alerts logfile?  Does it want unified logfile format?  Will it 
> read SQL?  I'm dazed and confused :-)
> 
> My tarpits are submitting fine.  Now looking into PIX and Snort logging
> submissions.  The PIX logger is windows-based but our PIX syslog is a 
> unix box...
> 
> Jeff
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
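The advice above, to filter Snort output before submitting it, is what the Perl client's "tweaking" comes down to in practice. The following is an added example, not code from the DShield client or from this thread: it parses Snort's "fast" alert format (alert_fast / -A fast, IPv4 only) and drops the three classes of alert that most often turn a default rule set into false-positive submissions. The sample alert lines, the SID allow/deny choices, the priority cut-off and the "local network" policy are all constructed for the example and are this code's own policy, not DShield's.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# One line of Snort "fast" alert output. Assumed layout:
#   MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: N] {PROTO} src[:port] -> dst[:port]
# Classification is optional (local rules often have no classtype) and
# ICMP alerts carry no ports. Snort writes no year in the timestamp.
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z]+)\}\s+"
    rf"(?P<src>{_IP})(?::(?P<sport>\d+))?\s+->\s+"
    rf"(?P<dst>{_IP})(?::(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    ts: str                  # as written by Snort, no year
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int            # Snort priority 1 is the most severe
    proto: str
    src: str
    sport: Optional[int]     # None for ICMP
    dst: str
    dport: Optional[int]


def parse_fast_line(line: str) -> Optional[Alert]:
    """Parse one fast-format line; None if it does not match (format drift)."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        ts=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["prio"]),
        proto=m["proto"].upper(),
        src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
    )


def filter_alerts(lines: Iterable[str], noisy_sids: Set[int], max_priority: int,
                  local_nets: Iterable[str]) -> Tuple[List[Alert], Dict[str, int]]:
    """Return the alerts worth submitting plus counts of what was dropped and why.

    Policy (this example's, not DShield's): skip unparsable lines; drop SIDs on
    the noisy list; drop anything less severe than max_priority; drop alerts whose
    source is one of our own networks, so internal scanners and outbound
    "attack response" matches are not reported as attacks against us.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    kept: List[Alert] = []
    stats = {"kept": 0, "unparsed": 0, "noisy_sid": 0, "low_priority": 0, "local_source": 0}
    for line in lines:
        if not line.strip():
            continue
        a = parse_fast_line(line)
        if a is None:
            stats["unparsed"] += 1
            continue
        if a.sid in noisy_sids:
            stats["noisy_sid"] += 1
            continue
        if a.priority > max_priority:
            stats["low_priority"] += 1
            continue
        if any(ipaddress.ip_address(a.src) in n for n in nets):
            stats["local_source"] += 1
            continue
        kept.append(a)
        stats["kept"] += 1
    return kept, stats


# Constructed sample alert file (documentation address ranges, made-up times).
SAMPLE_ALERTS = """\
01/07-01:46:12.123456  [**] [1:2003:4] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 198.51.100.10:1434
01/07-01:46:15.000001  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 3] {TCP} 203.0.113.8:40000 -> 198.51.100.10:80
01/07-01:46:20.000002  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.20 -> 198.51.100.10
01/07-01:46:25.000003  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.10:80 -> 203.0.113.9:51234
garbage line that does not parse
"""

if __name__ == "__main__":
    kept, stats = filter_alerts(SAMPLE_ALERTS.splitlines(), {384}, 2, ["198.51.100.0/24"])
    for a in kept:
        print(f"{a.ts} sid={a.sid} {a.proto} {a.src}:{a.sport} -> {a.dst}:{a.dport} {a.msg}")
    print(stats)
```

Run it against a real alert file with your own noisy-SID list and local prefixes; the stats dictionary tells you how much of a default rule set you would otherwise have submitted. Anything that lands in "unparsed" is the format drift the message above warns about and is worth a look before it is silently dropped.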