Snort mailing list archives

Re: A Working Logsurfer Example for Snort 2.0


From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Sat, 24 May 2003 01:37:01 +0200


Well done, Matt!

I may use it, but for now I am only looking for priority 1 events and
problems like lost connection to the DB or crashes. Maybe I can send you
those tomorrow, if you wish.

Logsurfer is a pretty cool thing. For more on regular expressions I
can recommend the O'Reilly book Mastering Regular Expressions. If you
want to learn how to write good (=fast) regexes, take a look; it's a great
book and really not a boring one.

However, I've noticed a strange thing with logsurfer. With big rule
files (> 200 lines) it may crash for some reason. I have one such file
for my /var/log/messages, with many comments written in order to remember
later what I have done. I used to use many empty lines in between the
rules too. After the file reached 250 lines, logsurfer crashed again and
again, with a strange error message. Instead of empty lines I put '#',
and logsurfer was doing fine then.

Just in case...

Best regards,

Edin



Matt Howell wrote:
All...

A few weeks ago, I posted a message asking if anyone had a set of
logsurfer rules that worked with Snort 2.0 that was worth sharing. After failing to receive a response from anyone, I am posting the rules that I came up with in the hopes that it might be helpful for others. By no means are these officially endorsed by the Snort project or
logsurfer, but instead it's just one example of what someone is actually
using in production.  I am fairly green to logsurfer / regex, so there
may be better ways to handle some of these events.  I tried to include
somewhat logical comments, as well.  If you find something that works
better for you, please let me know because I would like to improve on
this over time.

-Matt Howell
mhowell () cybarworks com
[...]

--
Edin Dizdarevic
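As an added example (not Edin's or Matt's rules, which are elided above), a small Python triage filter for the two things Edin says he watches for in Snort's syslog output: priority 1 alerts and daemon/DB problems. The alert line layout and the problem-message patterns are assumed from Snort 2.x syslog output, and the sample log lines are constructed.

```python
import re

# Assumed Snort 2.x syslog alert layout (ports absent for ICMP, classification optional):
#   snort[pid]: [gid:sid:rev] MSG [Classification: ...] [Priority: N]: {PROTO} SRC:SPORT -> DST:DPORT
ALERT_RE = re.compile(
    r"snort(?:\[\d+\])?: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<classification>[^\]]+)\] )?\[Priority: (?P<priority>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Assumed/constructed patterns for the operational problems Edin mentions:
# a lost database connection from the DB output plugin, and the daemon dying.
PROBLEM_RE = re.compile(r"database: .*Lost connection|Caught .*-Signal|Snort exiting", re.I)


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    fields["priority"] = int(fields["priority"])
    return fields


def triage(lines, max_priority=1):
    """Split a log into (alerts at or above max_priority, daemon/DB problem lines)."""
    alerts, problems = [], []
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            if alert["priority"] <= max_priority:  # Snort: 1 is the highest priority
                alerts.append(alert)
        elif PROBLEM_RE.search(line):
            problems.append(line.strip())
    return alerts, problems


# Constructed sample lines in the assumed format (RFC 5737 test addresses).
SAMPLE_LOG = [
    "May 23 23:10:01 ids snort[1234]: [1:1390:3] SHELLCODE x86 inc ebx NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 192.0.2.10:3345 -> 198.51.100.5:80",
    "May 23 23:10:05 ids snort[1234]: [1:384:4] ICMP PING [Classification: Misc activity] [Priority: 3]: {ICMP} 192.0.2.11 -> 198.51.100.5",
    "May 23 23:10:09 ids snort[1234]: [1:1000001:1] LOCAL test rule [Priority: 2]: {UDP} 192.0.2.12:5000 -> 198.51.100.5:53",
    "May 23 23:11:00 ids snort[1234]: database: mysql_error: Lost connection to MySQL server during query",
    "May 23 23:11:01 ids snort[1234]: *** Caught Term-Signal",
]

if __name__ == "__main__":
    hits, issues = triage(SAMPLE_LOG)
    for a in hits:
        print(f"PRIORITY {a['priority']} sid={a['sid']} {a['proto']} {a['src']} -> {a['dst']}: {a['msg']}")
    for p in issues:
        print("PROBLEM", p)
```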



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

