Snort mailing list archives
Re: A Working Logsurfer Example for Snort 2.0
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Sat, 24 May 2003 01:37:01 +0200
Well done, Matt! I may use it, but for now I am only looking for priority 1 events and problems like a lost connection to the DB or crashes. Maybe I can send you those tomorrow, if you wish.

Logsurfer is a pretty cool thing. For more on regular expressions I can recommend the O'Reilly book Mastering Regular Expressions. If you want to learn how to write good (= fast) regexes, take a look; it's a great book and really not a boring one.

However, I've noticed a strange thing with logsurfer. With big rule files (> 200 lines) it may crash for some reason. I have one such file for my /var/log/messages, with many comments written in order to remember later what I have done. I used to use many empty lines in between the rules too. After the file reached 250 lines, logsurfer crashed again and again, with a strange error message. Instead of empty lines I put '#', and logsurfer was doing fine then. Just in case...

Best regards,
Edin

Matt Howell wrote:
> All... A few weeks ago, I posted a message asking if anyone had a set of logsurfer rules that worked with Snort 2.0 that was worth sharing. After failing to receive a response from anyone, I am posting the rules that I came up with in the hopes that it might be helpful for others. By no means are these officially endorsed by the Snort project or logsurfer, but instead it's just one example of what someone is actually using in production. I am fairly green to logsurfer / regex, so there may be better ways to handle some of these events. I tried to include somewhat logical comments, as well. If you find something that works better for you, please let me know because I would like to improve on this over time.
>
> -Matt Howell
> mhowell () cybarworks com
> [...]
-- 
Edin Dizdarevic
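The two practical points in Edin's reply (filtering Snort alerts down to priority 1 events, and keeping a logsurfer rule file free of blank lines) can be exercised on sample input. The following Python script is an added example written for this archive page; it is not code from the thread, from Snort, or from logsurfer. It assumes the Snort 2.x syslog alert layout "snort[pid]: [gid:sid:rev] msg [Classification: ...] [Priority: N]: {PROTO} src -> dst" and a logsurfer rule layout of match/not-match/stop/stop-not-match/timeout/action fields; both the sample log lines and the sample rule file are constructed for the example.

```python
import re

# Assumed Snort 2.x syslog alert layout (an assumption of this example, not
# something stated in the thread). The Classification block is optional.
SNORT_ALERT = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) "
    r"(?:\[Classification: (?P<classification>[^\]]*)\] )?"
    r"\[Priority: (?P<prio>\d+)\]"
)

# Constructed syslog lines for the demonstration: two Snort alerts of
# different priority plus one unrelated line, none taken from a real sensor.
SAMPLE_LOG = [
    "May 23 23:59:01 ids snort[1234]: [1:1234:5] EXPLOIT example overflow attempt "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1]: "
    "{TCP} 10.0.0.5:4321 -> 10.0.0.9:80",
    "May 23 23:59:02 ids snort[1234]: [1:2345:3] SCAN example probe "
    "[Classification: Attempted Information Leak] [Priority: 2]: "
    "{TCP} 10.0.0.5:4322 -> 10.0.0.9:22",
    "May 23 23:59:03 ids sshd[99]: Accepted publickey for edin from 10.0.0.2",
]

# Constructed logsurfer rule file with the blank lines Edin describes.
# Rule field layout is assumed (match, not-match, stop, stop-not-match,
# timeout, action); the comment lines are the part the workaround touches.
SAMPLE_RULES = (
    "# Snort priority 1 alerts\n"
    "\n"
    "'snort.*Priority: 1' - - - 0 ignore\n"
    "\n"
    "# everything else\n"
)


def parse_alert(line):
    """Return the alert fields of one syslog line, or None for non-alert lines."""
    m = SNORT_ALERT.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields


def priority_one(lines):
    """Keep only the alerts a priority-1-only watcher would act on."""
    return [a for a in map(parse_alert, lines) if a is not None and a["prio"] == 1]


def blank_lines_to_comments(text):
    """Apply Edin's workaround: replace every empty line with a '#' comment line,
    leaving all other lines and the trailing newline untouched."""
    rewritten = "\n".join("#" if ln.strip() == "" else ln for ln in text.splitlines())
    if text.endswith("\n"):
        rewritten += "\n"
    return rewritten


def count_blank_lines(text):
    """Sanity check to run before starting logsurfer on a large rule file."""
    return sum(1 for ln in text.splitlines() if ln.strip() == "")


if __name__ == "__main__":
    for alert in priority_one(SAMPLE_LOG):
        print("priority 1:", alert["sid"], alert["msg"])
    print("blank lines before:", count_blank_lines(SAMPLE_RULES))
    fixed = blank_lines_to_comments(SAMPLE_RULES)
    print("blank lines after:", count_blank_lines(fixed))
    print(fixed, end="")
```

Run as a file it prints the single priority 1 alert and shows the rule file going from two blank lines to none; the same regex can be pasted into a logsurfer match field once the Priority value it keys on is decided.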
Current thread:
- A Working Logsurfer Example for Snort 2.0 Matt Howell (May 23)
- Re: A Working Logsurfer Example for Snort 2.0 Edin Dizdarevic (May 23)