Snort mailing list archives
perl pattern match on guardian no good....
From: "Nick Daum -- US CEO -- Novanix, LLC." <ceo () novanix com>
Date: Sat, 8 Dec 2001 18:53:41 -0500
This has to deal with the add-on guardian for snort. I installed an rpm'ed version of snort and guardian doesn't read the log file correctly. Here is a sample entry in the log file:

    Dec 8 17:16:01 server1 snort: [1:1328:1] WEB-ATTACKS ps command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 66.20.28.125:12252 -> 216.40.233.21:80

Here are the checks in the program. It only has to pass one of these, so I just need to know what modifications need to be made. These are just samples of how it was originally to be split, to help understand the error ($2 is the source, $3 is the dest and $1 is the type):

    if (/snort:\s*(.*)\s*\:\s*(\d+\.\d+\.\d+\.\d+):\d+\s*->\s*(\d+\.\d+\.\d+\.\d+):\d+$/) {
        &checkem ($2, $3, $1);
    }

    if (/snort\[\d+\]:\s*(.*)\s*\:\s*(\d+\.\d+\.\d+\.\d+):\d+\s*->\s*(\d+\.\d+\.\d+\.\d+):\d+$/) {
        &checkem ($2, $3, $1);
    }

Thank You For Your Time,
Nick Daum
US CEO
Novanix, LLC.
http://www.Novanix.com

This message was sent using a Digital Certificate to verify the sender. If you have an attachment with a .p7s extension, that means your email client does not support digital signatures and you should ignore it. This message was also sent with a vCard attachment (ending in .vcf); if your email client supports it you can import this into your Address Book.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
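As an added example (not part of the message above and not guardian's own code), the following Perl script runs the quoted first check against the quoted alert line and shows why it fails: this Snort build prints a "{TCP}" protocol token between the "]: " and the source address, which the original pattern does not allow. An adjusted pattern that tolerates that token (and the optional "[PID]" syslog form covered by the second check) is run beside it; the second sample line is a constructed variant in that syslog form, and the pattern name "$fixed" is an assumption of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Sample alerts: the first is the line quoted in the message; the second is a
# constructed variant in the "snort[PID]:" syslog form guardian's second check expects.
my @lines = (
    'Dec 8 17:16:01 server1 snort: [1:1328:1] WEB-ATTACKS ps command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 66.20.28.125:12252 -> 216.40.233.21:80',
    'Dec 8 17:16:02 server1 snort[4242]: [1:1328:1] WEB-ATTACKS ps command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 66.20.28.125:12253 -> 216.40.233.21:80',
);

# A dotted-quad IPv4 address, reused in both patterns below.
my $ip = qr/\d{1,3}(?:\.\d{1,3}){3}/;

# guardian's original first check, as quoted in the message.
my $orig = qr/snort:\s*(.*)\s*:\s*($ip):\d+\s*->\s*($ip):\d+$/;

# Adjusted check (assumed name): accepts an optional "[PID]" after "snort"
# and an optional "{PROTO}" token before the source address. Captures stay
# in the same order ($1 type, $2 source, $3 destination) so the existing
# &checkem ($2, $3, $1) call in guardian would need no change.
my $fixed = qr/snort(?:\[\d+\])?:\s*(.*)\s*:\s*(?:\{\w+\}\s*)?($ip):\d+\s*->\s*($ip):\d+$/;

# Returns (type, src, dst) when the line matches, or an empty list otherwise.
sub parse_alert {
    my ($line, $re) = @_;
    my @caps = ($line =~ $re);
    return @caps;
}

for my $line (@lines) {
    my @old = parse_alert($line, $orig);
    my @new = parse_alert($line, $fixed);
    print "line: $line\n";
    print "  original: ", (@old ? "src=$old[1] dst=$old[2]" : "no match"), "\n";
    print "  adjusted: ", (@new ? "src=$new[1] dst=$new[2] type=$new[0]" : "no match"), "\n";
}
```

Run as-is, the original pattern reports "no match" for both lines while the adjusted one extracts 66.20.28.125 as the source and 216.40.233.21 as the destination for each; the greedy "(.*)" keeps the whole "[sid] message [Classification: ...] [Priority: n]" text in $1, exactly what guardian passes as the type.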
Current thread:
- perl pattern match on guardian no good.... Nick Daum -- US CEO -- Novanix, LLC. (Dec 08)