Snort mailing list archives

re: snort_stat.pl version 1.15.2.3 parsing problem


From: Andy Bach <root () wiwb uscourts gov>
Date: Thu, 9 Aug 2001 12:25:34 -0500

I'm using Snort 1.8 beta5. Limited debugging makes me conclude that the
following lines are not considered to be in syslog format...
---------
Aug  8 09:20:46 localhost snort: [1:729:1] Virus - Possible scr Worm {TCP} 1.2.3.4:110 -> 5.6.7.8:64359
Aug  8 11:35:39 localhost snort: [1:729:1] Virus - Possible scr Worm {TCP} 1.2.3.4:110 -> 5.6.7.8:61962
Aug  8 13:46:52 localhost snort: [1:499:1] MISC Large ICMP Packet [Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} 1.2.3.4 -> 5.6.7.8
Aug  8 15:27:11 localhost snort: [1:257:1] DNS named version attempt [Classification: Attempted Information Leak] [Priority: 3]: {UDP} 1.2.3.4:2336 -> 5.6.7.8:53
----------
  # This is syslog format
  if ($_ =~ m/^(\w{3}) \s+ (\d+) \s (\d+) \: (\d+) \: (\d+)\s
                  Aug         8         15   :  27       11
      ([\w+\.]*)\s[\w+\/\[\d+\]]*:\s ([^\[^\:]+?)
         localhost   snort:             .......
This appears to be where it goes awry, the RE expects:
  ... snort[14491]:
not
  ... snort: [1:449:1]
      (?:\[Classification:([^\]]*?)\s* Priority:\s(\d+)\]|):\s([\d\.]+)[\:]?
      ([\d]*)\s[\-\>]+\s ([\d\.]+)[\:]? ([\d]*)/ox) {

A couple of other uncertainties, so I got:
if ($huh =~ m/^(\w{3}) \s+ (\d+) \s (\d+) \: (\d+) \: (\d+)\s
    ([\w+\.]*)\s(?:\w+:?\s+[\]\[\d:]*:?)\s ([^[]+?)\s
    (?:\[Classification:([^]]*?\])\s+ \[Priority:\s(\d+)\]):\s (?:\{\w+}\s)?
    ([\d\.]+)[\:]?([\d]*)\s->\s ([\d\.]+)[\:]? ([\d]*)/ox) {

a

Andy Bach, Sys. Mangler             
Internet: andy () wiwb uscourts gov    VOICE: (608) 264-5178 ex 5738, FAX 264-510

            So, the Buddha walks into a pizza parlor and says,
                  "Make me one with everything."
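A worked parser for the two syslog shapes discussed in this message, added here as an example and not taken from snort_stat.pl or the original post. It is written in Python rather than the script's Perl so the regex can be tested standalone; the sample input is the four lines quoted above, joined back onto single lines, plus one constructed line in the older "snort[pid]:" shape (the pid 14491 is the value mentioned in the post, the rest of that line is made up). The regex treats the "[gid:sid:rev]" tag, the "[Classification: ...] [Priority: n]:" block, the "{PROTO}" marker and the port numbers as optional, which is what lets both formats match.

```python
import re
from collections import Counter

# Constructed sample input: the four syslog lines quoted in the post (joined
# onto one line each) plus one made-up line in the older "snort[pid]:" shape
# that the original snort_stat.pl regex expected.
SAMPLE_LINES = [
    "Aug  8 09:20:46 localhost snort: [1:729:1] Virus - Possible scr Worm {TCP} 1.2.3.4:110 -> 5.6.7.8:64359",
    "Aug  8 11:35:39 localhost snort: [1:729:1] Virus - Possible scr Worm {TCP} 1.2.3.4:110 -> 5.6.7.8:61962",
    "Aug  8 13:46:52 localhost snort: [1:499:1] MISC Large ICMP Packet [Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} 1.2.3.4 -> 5.6.7.8",
    "Aug  8 15:27:11 localhost snort: [1:257:1] DNS named version attempt [Classification: Attempted Information Leak] [Priority: 3]: {UDP} 1.2.3.4:2336 -> 5.6.7.8:53",
    "Aug  8 16:01:02 localhost snort[14491]: MISC Large ICMP Packet [Classification: Potentially Bad Traffic] [Priority: 2]: 1.2.3.4 -> 5.6.7.8",
]

# One pattern for both shapes. Every Snort-1.8-only piece is optional, and so is
# the classification block, which plain "Virus" style alerts do not carry.
SNORT_SYSLOG_RE = re.compile(r"""
    ^(?P<mon>\w{3}) \s+ (?P<day>\d+) \s (?P<hh>\d+):(?P<mm>\d+):(?P<ss>\d+) \s
    (?P<host>\S+) \s
    snort (?:\[\d+\])? : \s                                   # "snort[pid]:" or "snort:"
    (?: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] \s )?     # [gid:sid:rev] tag (1.8)
    (?P<msg>.+?) \s                                           # rule message, shortest fit
    (?: \[Classification:\s(?P<class>[^\]]+)\] \s \[Priority:\s(?P<prio>\d+)\] : \s )?
    (?: \{(?P<proto>\w+)\} \s )?                              # {TCP}/{UDP}/{ICMP} (1.8)
    (?P<src>[\d.]+) (?::(?P<sport>\d+))? \s -> \s
    (?P<dst>[\d.]+) (?::(?P<dport>\d+))? \s* $
""", re.VERBOSE)


def parse_snort_syslog(line):
    """Return a dict of fields for one Snort syslog alert line, or None if it
    is not a Snort alert (e.g. some other daemon's syslog entry)."""
    m = SNORT_SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Ports and priority are numeric when present; ICMP lines have no ports.
    for key in ("sport", "dport", "prio"):
        rec[key] = int(rec[key]) if rec[key] else None
    return rec


def summarize(lines):
    """Count alerts per rule message (the kind of tally snort_stat.pl prints)
    and report how many lines the regex rejected, so a format change shows up
    as a rising 'unparsed' count instead of silently vanishing alerts."""
    counts = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_snort_syslog(line)
        if rec is None:
            unparsed += 1
        else:
            counts[rec["msg"]] += 1
    return counts, unparsed


if __name__ == "__main__":
    counts, unparsed = summarize(SAMPLE_LINES)
    for msg, n in counts.most_common():
        print(f"{n:4d}  {msg}")
    print(f"unparsed lines: {unparsed}")
```

The lazy `(?P<msg>.+?)` is what keeps the message from swallowing the classification block or the `{PROTO}` marker: the engine extends it one token at a time until the optional tail groups and the `src -> dst` pair line up, so both "snort:" and "snort[pid]:" entries parse without separate branches.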

