Snort mailing list archives
Re: Process Snort alerts on real time
From: Marcin Dulak <marcin.dulak () gmail com>
Date: Wed, 22 Feb 2017 16:03:18 +0100
On Wed, Feb 22, 2017 at 1:22 PM, Nora Aron <valeparatodo () gmail com> wrote:
http://seclists.org/snort/2017/q1/11

Thanks Marcin. Yes, that is great for static logs. But unfortunately my problem is not the same as in that thread, unless there is something that I misunderstood. I could also obtain the content of the packet in hexadecimal from u2spewfoo (after parsing it). But u2spewfoo is only for static logs as well. So I am trying to use the SpoolEventReader from ids-tools that provides you real-time events, already converted to a readable format. The problem is that this tool provides the packet info in some kind of raw binary that I don't know how to process. I add an extract as an example: \x00!\xd7j\xe4\x00RT\x00\xfc\xa9\xf6
Are you getting "Failed to encode record as JSON: __init__() got an unexpected keyword argument 'encoding'"? I think this is due to https://github.com/jasonish/py-idstools/issues/36

Fetch the latest python-idstools or just remove the trailing , encoding="latin-1" from the highlighted line of /usr/lib/python2.7/site-packages/idstools/scripts/u2eve.py (or wherever it lives on your distribution):
https://github.com/jasonish/py-idstools/blob/5862a936af07b37458b1fc3719f9ade065b283f1/idstools/scripts/u2eve.py#L302

Marcin
I could use either u2spewfoo or the combination of tools you proposed if I had the event in unified2 from SpoolEventReader, but this is not the case.

Thanks

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
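The "raw binary" Nora pasted is simply the first twelve bytes of an Ethernet frame: six bytes of destination MAC followed by six bytes of source MAC, exactly what a unified2 packet record stores when Snort captures on an Ethernet interface. Below is an added Python 3 example (my own code, not part of this thread and not from py-idstools) that decodes such a frame into MACs, EtherType, IPv4 addresses, protocol and ports, verifies the IPv4 header checksum, and keeps a hex dump for logging. It assumes the packet data starts with an Ethernet header (Snort's usual link type); the sample frame is constructed by extending Nora's twelve bytes with headers I made up, and the idea that each entry of event["packets"] from py-idstools is a dict carrying the bytes in a "data" field is an assumption about that library to check against your installed version.

```python
import binascii
import struct


def format_mac(raw: bytes) -> str:
    """Render six raw bytes in the usual colon-separated MAC notation."""
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum_ok(header: bytes) -> bool:
    """Verify the IPv4 header checksum: the one's-complement sum of every
    16-bit word, checksum field included, must fold to 0xffff."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_packet(data: bytes) -> dict:
    """Decode the Ethernet header, plus IPv4 and the TCP/UDP ports when present,
    from the raw bytes of a captured frame. The full hex dump is always
    included so the bytes can be logged or searched even if decoding stops early."""
    if len(data) < 14:
        raise ValueError(f"only {len(data)} bytes: shorter than an Ethernet header")
    ethertype = struct.unpack("!H", data[12:14])[0]
    info = {
        "dst_mac": format_mac(data[0:6]),
        "src_mac": format_mac(data[6:12]),
        "ethertype": ethertype,
        "hex": binascii.hexlify(data).decode("ascii"),
    }
    if ethertype != 0x0800 or len(data) < 34:
        return info  # not IPv4, or truncated before the IP header ends

    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", data[14:34])
    ihl = (ver_ihl & 0x0F) * 4  # IP header length in bytes (20 without options)
    info.update({
        "ip_version": ver_ihl >> 4,
        "ip_total_length": total_len,
        "ttl": ttl,
        "protocol": proto,
        "src_ip": ".".join(str(b) for b in src_ip),
        "dst_ip": ".".join(str(b) for b in dst_ip),
        "ip_checksum_ok": ipv4_checksum_ok(data[14:14 + ihl]),
    })
    l4 = data[14 + ihl:]
    # TCP (6) and UDP (17) both begin with 16-bit source and destination ports.
    if proto in (6, 17) and len(l4) >= 4:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", l4[:4])
    return info


# Constructed sample frame: Nora's twelve bytes (destination and source MAC)
# followed by an EtherType, IPv4 header and UDP header that I made up so the
# whole decode path runs offline. 0xb8b8 is the correct checksum for this header.
SAMPLE_FRAME = (
    b"\x00!\xd7j\xe4\x00RT\x00\xfc\xa9\xf6"                    # dst 00:21:d7:6a:e4:00, src 52:54:00:fc:a9:f6
    + b"\x08\x00"                                                # EtherType 0x0800 = IPv4
    + bytes.fromhex("4500001c000040004011b8b8c0a80001c0a800c7")  # IPv4 192.168.0.1 -> 192.168.0.199, proto 17
    + bytes.fromhex("0035c35000080000")                          # UDP port 53 -> 50000, length 8
)


def summarize(event_packets) -> list:
    """Summaries for every packet record attached to one event. Assumption about
    py-idstools: each entry of event["packets"] is a dict whose "data" field holds
    the raw frame bytes, which is the form Nora's extract shows."""
    return [parse_packet(p["data"]) for p in event_packets]


if __name__ == "__main__":
    for summary in summarize([{"data": SAMPLE_FRAME}]):
        print(summary)
    # Real-time use with the assumed py-idstools API (not executed here):
    #   from idstools import unified2
    #   reader = unified2.SpoolEventReader("/var/log/snort", "snort.log", follow=True)
    #   for event in reader:
    #       for s in summarize(event["packets"]):
    #           print(s)
```

The checksum check is worth keeping in a real-time consumer: a frame whose IPv4 checksum does not verify is either truncated by the snaplen or corrupted, and you want that flagged in the summary rather than silently producing wrong addresses.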
Current thread:
- Process Snort alerts on real time Nora Aron (Feb 20)
- Re: Process Snort alerts on real time wkitty42 (Feb 20)
- Re: Process Snort alerts on real time Ana Serrano Mamolar (Feb 21)
- Re: Process Snort alerts on real time wkitty42 (Feb 21)
- Re: Process Snort alerts on real time Ana Serrano Mamolar (Feb 21)
- <Possible follow-ups>
- Process Snort alerts on real time Nora Aron (Feb 21)
- Re: Process Snort alerts on real time Giles Coochey (Feb 21)
- Re: Process Snort alerts on real time Marcin Dulak (Feb 21)
- Process Snort alerts on real time Nora Aron (Feb 21)
- Process Snort alerts on real time Nora Aron (Feb 22)
- Re: Process Snort alerts on real time James Lay (Feb 22)
- Re: Process Snort alerts on real time Marcin Dulak (Feb 22)
- Re: Process Snort alerts on real time Nora Aron (Feb 22)
- Re: Process Snort alerts on real time Marcin Dulak (Feb 22)
- Re: Process Snort alerts on real time wkitty42 (Feb 20)