Honeypots mailing list archives

snort2syslog v0.1 released (fwd)


From: Valter Santos <vsantola () devfusion net>
Date: 06 Mar 2003 04:01:08 +0000

Hi,

I think that this could also be useful for people on this list.

cheers,
/valter

-----Forwarded Message-----

From: Valter Santos <vsantola () devfusion net>
To: cookerpot () linsec ca
Subject: snort2syslog v0.1 released
Date: 06 Mar 2003 03:55:37 +0000

Greetings,

I wrote a perl script to convert snort logs into syslog formatted ones,
when snort is used as a stealthful logging agent. For those of you who
are uncomfortable with this technique please check the references at the
bottom of this message.

The script can be downloaded from:
http://devfusion.net/~vsantola/packages/snort2syslog/snort2syslog-0.1.tar.gz

[md5sum: ba309886f8851d6c6ed9bd3cc5c6a4f4  snort2syslog-0.1.tar.gz]


Some notes from the README file:

Regarding the snort file format supported by snort2syslog, it's expected
that the input file format is like the one dumped by the following snort
configuration when snort is used as a stealthful logging agent:

# start snort config ####

var EXTERNAL_NET any
config dump_payload
config dump_chars_only
config logdir: /var/log/snort
preprocessor frag2

log udp 192.168.5.0/24 any -> 192.168.5.11/32 514
(logto:"logged-packets";)

# end snort config ####

This sample snort configuration will produce the following output when
snort catches something on the wire:

# start sample snort log
# (with appended line numbers to the start of each line)

 1
 2  03/03-11:49:57.530965 192.168.1.10:514 -> 192.168.1.11:514
 3  UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:87 DF
 4  Len: 67
 5  <78>CROND[19875]: (root) CMD (   /usr/sbin/monitoring.pl) .
 6  =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

# end sample snort log

snort2syslog will convert the above snort log to syslog format:

# start sample syslog log

Mar 03 11:49:57 ares CROND[19875]: (root) CMD ( /usr/sbin/monitoring.pl)

# end sample syslog log


If you need some feature that is not covered by the current release,
please feel free to contact me (oh! and remember that this is version 0.1)

cheers,
/valter


REFERENCES:

 [1] Mick Bauer's article on Stealthful Logging
     http://www.linuxjournal.com/article.php?sid=6222

 [2] The configuration of my own cookerpot that is using this technique
     http://devfusion.net/~vsantola/papers/cookerpot.html




-- 

---..---..---..---..---..---..---..---..---..---..---..---..----
Valter Santos

vsantola () devfusion net                         |||
http://devfusion.net/~vsantola/keys/          (@ @)                 
------------------------------------------oOO--(_)--OOo---------
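A worked conversion of the dump format shown in the message, added here as an illustration; it is not the snort2syslog script itself (that one is Perl, this is Python). It assumes the syslog hostname is supplied by the caller, since the captured datagram does not carry it, and that the trailing " ." in the payload is a non-printable byte rendered by `dump_chars_only`; it also decodes the `<PRI>` prefix into facility and severity, which the original output drops.

```python
import re

# Constructed sample, mirroring the snort dump quoted in the message
# (without the line numbers the author appended for readability).
SAMPLE_SNORT_LOG = """\

03/03-11:49:57.530965 192.168.1.10:514 -> 192.168.1.11:514
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:87 DF
Len: 67
<78>CROND[19875]: (root) CMD (   /usr/sbin/monitoring.pl) .
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
# snort packet header: MM/DD-HH:MM:SS.usec src:port -> dst:port
HEADER_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+ ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")   # RFC 3164 <PRI> prefix
SEPARATOR = "=+=+"                          # snort's packet delimiter

def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity); 78 -> (9, 6) = cron.info."""
    return pri // 8, pri % 8

def convert_packet(lines, hostname):
    """Turn one snort packet record into a syslog line, or None if it is not syslog."""
    m = HEADER_RE.match(lines[0]) if lines else None
    if not m:
        return None
    month, day, hms = int(m.group(1)), m.group(2), m.group(3)
    # the "Len:" line closes the protocol header; everything after it is payload
    idx = next((i for i, l in enumerate(lines) if l.startswith("Len:")), None)
    if idx is None:
        return None
    pm = PRI_RE.match(" ".join(lines[idx + 1:]))
    if not pm:
        return None                          # payload is not a syslog datagram
    msg = re.sub(r"\s+\.$", "", pm.group(2))  # assumption: trailing " ." is a non-printable byte
    msg = re.sub(r"\s+", " ", msg).strip()   # collapse padding, as in the sample output
    return f"{MONTHS[month - 1]} {day} {hms} {hostname} {msg}"

def snort_to_syslog(text, hostname):
    """Return one syslog-format line per syslog datagram found in a snort text dump."""
    out, packet = [], []
    for line in text.splitlines():
        if line.startswith(SEPARATOR):       # end of record: convert and reset
            rec = convert_packet(packet, hostname)
            if rec:
                out.append(rec)
            packet = []
        elif line.strip():
            packet.append(line)
    return out
```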
