Snort mailing list archives

Re: upgraded some tools (snortplot)


From: Angelos Karageorgiou <angelos () iqs gr>
Date: Mon, 29 Oct 2001 11:37:28 +0200

Brian wrote:

According to Angelos Karageorgiou:
Well, the syslog version is really tough to apply a regex onto to normalize
the output; expect that some of the scripts will be broken.

It is not so much a snort problem, more like a problem of the people who
write the rules: they do not have a consistent logging scheme for the
errors they display. So sometimes you have warnings in square brackets,
other times two warnings in square brackets, etc.

What do you mean?  Can you give some examples?  If it isn't done in a
standard way, it can probably be changed.


OK, I will try to find some examples; all these appear in my syslog.

First of all:

=============
Oct 22 08:48:19 cat snort[1050]: [1:485:1] ICMP Destination Unreachable
(Communication Administratively Prohibited) {ICMP} 193.92.130.201 ->
193.92.44.194

Oct 22 09:27:14 cat snort[1050]: [1:499:1] MISC Large ICMP Packet
[Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} 205.160.52.52
-> 193.92.44.194

Oct 22 12:46:02 cat snort[1050]: [1:480:1] ICMP PING speedera {ICMP}
63.251.167.2 -> 193.92.44.194

=============

In the two above lines, both for ICMP traffic, one uses parentheses and one
uses square brackets, and the third line has neither parens nor quotes.

This I consider inconsistent, but I would like to hear your opinion.

It forces me, and some other people I guess, to write a lot of cruft to get the
data needed to process the logs.

======================================================
Oct 22 12:11:14 cat snort[1050]: [1:160:1] BACKDOOR NetMetro Incoming Traffic
{TCP} 212.205.66.197:5031 -> 193.92.44.194:1420

Oct 22 12:11:34 cat snort[1050]: [1:1227:1] X11 outgoing [Classification:
Unknown Traffic] [Priority: 1]: {TCP} 212.205.66.197:6000 ->
193.92.44.194:3417

=================

In the first line above there is NO classification within square brackets.
Most other logging is done with the form [Classification: xxxxxxx] [Priority?: x]:

This again is inconsistent.

I do not mean to belittle anybody's work here, I am just saying that maybe we
need a rule creation metaengine, probably based on M4 or some macro language
which will generate the rules.

Remember what sendmail was forced to do when manually mangling .cf files got
out of hand?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
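The "cruft" the message complains about, as an added example (not code from the thread or from the Snort project): a single Python parser for the syslog alert lines quoted above. It anchors on the trailing "{PROTO} src -> dst" tail instead of the message text, so it tolerates parenthesised messages, optional "[Classification: ...] [Priority: n]:" blocks, and source/destination ports that are only present for TCP/UDP. The sample lines are the ones from the message, re-joined onto single lines, plus one constructed non-alert line.

```python
import re
from typing import List, Optional

# Pattern for the "snort -s" syslog alert lines quoted above. It anchors on the
# trailing "{PROTO} src -> dst" tail rather than on the message body, so it covers
# parenthesised messages, "[Classification: ...] [Priority: n]:" blocks, and neither.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"snort\[(?P<pid>\d+)\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?)"                                # rule message text
    r"(?: \[Classification: (?P<cls>[^\]]*)\])?"   # present on some rules only
    r"(?: \[Priority: (?P<pri>\d+)\]:)?"           # present on some rules only
    r" \{(?P<proto>[A-Z0-9]+)\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)

def parse_alert(line: str) -> Optional[dict]:
    """Return one normalized record, or None when the line is not a snort alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()          # missing optional fields come back as None
    for key in ("pid", "gid", "sid", "rev", "pri", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def parse_all(lines: List[str]) -> List[dict]:
    """Parse a batch of syslog lines, skipping anything that is not a snort alert."""
    return [r for r in (parse_alert(l) for l in lines) if r is not None]

# Constructed sample: the message's alert lines re-joined, plus one non-alert syslog line.
SAMPLE_LINES = [
    "Oct 22 08:48:19 cat snort[1050]: [1:485:1] ICMP Destination Unreachable "
    "(Communication Administratively Prohibited) {ICMP} 193.92.130.201 -> 193.92.44.194",
    "Oct 22 09:27:14 cat snort[1050]: [1:499:1] MISC Large ICMP Packet "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} 205.160.52.52 -> 193.92.44.194",
    "Oct 22 12:46:02 cat snort[1050]: [1:480:1] ICMP PING speedera {ICMP} 63.251.167.2 -> 193.92.44.194",
    "Oct 22 12:11:14 cat snort[1050]: [1:160:1] BACKDOOR NetMetro Incoming Traffic "
    "{TCP} 212.205.66.197:5031 -> 193.92.44.194:1420",
    "Oct 22 12:11:34 cat snort[1050]: [1:1227:1] X11 outgoing [Classification: "
    "Unknown Traffic] [Priority: 1]: {TCP} 212.205.66.197:6000 -> 193.92.44.194:3417",
    "Oct 22 12:46:03 cat cron[77]: (root) CMD (run-parts /etc/cron.hourly)",  # constructed, not an alert
]

if __name__ == "__main__":
    for rec in parse_all(SAMPLE_LINES):
        print(rec["sid"], rec["cls"], rec["pri"], rec["proto"], rec["src"], "->", rec["dst"])
```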