Honeypots mailing list archives
snort2syslog v0.1 released (fwd)
From: Valter Santos <vsantola () devfusion net>
Date: 06 Mar 2003 04:01:08 +0000
Hi,

I think that this could also be useful for people on this list.

cheers,
/valter

-----Forwarded Message-----

From: Valter Santos <vsantola () devfusion net>
To: cookerpot () linsec ca
Subject: snort2syslog v0.1 released
Date: 06 Mar 2003 03:55:37 +0000

Greetings,

I wrote a perl script to convert snort logs into syslog formatted ones, when snort is used as a stealthful logging agent. For those of you who are uncomfortable with this technique please check the references at the bottom of this message.

The script can be downloaded from:

  http://devfusion.net/~vsantola/packages/snort2syslog/snort2syslog-0.1.tar.gz
  [md5sum: ba309886f8851d6c6ed9bd3cc5c6a4f4 snort2syslog-0.1.tar.gz]

Some notes from the README file:

Regarding the snort file format supported by snort2syslog, it's expected that the input file format is like the one dumped by the following snort configuration when snort is used as a stealthful logging agent:

  # start snort config ####
  var EXTERNAL_NET any
  config dump_payload
  config dump_chars_only
  config logdir: /var/log/snort
  preprocessor frag2
  log udp 192.168.5.0/24 any -> 192.168.5.11/32 514 (logto:"logged-packets";)
  # end snort config ####

This sample snort configuration will produce the following output when snort catches something on the wire:

  # start sample snort log
  # (with appended line numbers to the start of each line)
  1
  2 03/03-11:49:57.530965 192.168.1.10:514 -> 192.168.1.11:514
  3 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:87 DF
  4 Len: 67
  5 <78>CROND[19875]: (root) CMD ( /usr/sbin/monitoring.pl) .
  6 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
  # end sample snort log

snort2syslog will convert the above snort log to syslog format:

  # start sample syslog log
  Mar 03 11:49:57 ares CROND[19875]: (root) CMD ( /usr/sbin/monitoring.pl)
  # end sample syslog log

If you need some feature that is not covered by the current release, please feel free to contact me (oh! and remember that this is version 0.1)

cheers,
/valter

REFERENCES:

[1] Mick Bauer's article on Stealthful Logging
    http://www.linuxjournal.com/article.php?sid=6222

[2] The configuration of my own cookerpot that is using this technique
    http://devfusion.net/~vsantola/papers/cookerpot.html
-- 
---..---..---..---..---..---..---..---..---..---..---..---..----
Valter Santos            vsantola () devfusion net
          |||            http://devfusion.net/~vsantola/keys/
         (@ @)
------------------------------------------oOO--(_)--OOo---------