Snort mailing list archives
Re: upgraded some tools (snortplot)
From: Angelos Karageorgiou <angelos () iqs gr>
Date: Mon, 29 Oct 2001 11:37:28 +0200
Brian wrote:
> According to Angelos Karageorgiou:
>> Well, the syslog version is really tough to apply a regex onto to normalize the output. Expect that some of the scripts will be broken. It is not so much a snort problem, more like a problem of the people who write the rules: they do not have a consistent logging scheme for the errors they display. So sometimes you have warnings in square brackets, other times two warnings in square brackets, etc.
> What do you mean? Can you give some examples? If it isn't done in a standard way, it can probably be changed.
OK, I will try to find some examples; all these appear in my syslog. First of all:

=============
Oct 22 08:48:19 cat snort[1050]: [1:485:1] ICMP Destination Unreachable (Communication Administratively Prohibited) {ICMP} 193.92.130.201 -> 193.92.44.194
Oct 22 09:27:14 cat snort[1050]: [1:499:1] MISC Large ICMP Packet [Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} 205.160.52.52 -> 193.92.44.194
Oct 22 12:46:02 cat snort[1050]: [1:480:1] ICMP PING speedera {ICMP} 63.251.167.2 -> 193.92.44.194
=============

In the two above lines, both for ICMP traffic, one uses parentheses and one uses square brackets, and the third line has neither parens nor quotes. This I consider inconsistent, but I would like to hear your opinion. It forces me, and some other people I guess, to write a lot of cruft to get the data needed to process the logs.

======================================================
Oct 22 12:11:14 cat snort[1050]: [1:160:1] BACKDOOR NetMetro Incoming Traffic {TCP} 212.205.66.197:5031 -> 193.92.44.194:1420
Oct 22 12:11:34 cat snort[1050]: [1:1227:1] X11 outgoing [Classification: Unknown Traffic] [Priority: 1]: {TCP} 212.205.66.197:6000 -> 193.92.44.194:3417
=================

In the first line above there is NO classification within square brackets. Most other logging is done with the form [Classification: xxxxxxx] [Priority?: x]: This again is inconsistent.

I do not mean to belittle anybody's work here, I am just saying that maybe we need a rule creation metaengine, probably based on M4 or some macro language which will generate the rules. Remember what sendmail was forced to do when manually mangling .cf files got out of hand?