Snort mailing list archives
snort log
From: "abhijat kumar" <abhijat () operamail com>
Date: Tue, 01 Feb 2005 14:46:49 +0100
I am using "snort-2.1.2" and developing some snort log converter to some other IDS format. I am using regular expression to read different attributes out of snort alert file and want to write on the desired format by mapping to those fields in required sequence. Problem with me is the snort alert log is not obeying a fixed format. Sometimes some fields are duplicated or sometimes some fields are chopped off. This is fooling my reader to trap the right fields.

eg:

[**] [1:255:8] DNS zone transfer TCP [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/30-14:17:29.361261 10.53.1.2:32771 -> 10.54.1.2:53
TCP TTL:3 TOS:0x0 ID:22132 IpLen:20 DgmLen:90
***AP*** Seq: 0xD91E1232  Ack: 0x3623AA63  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 17475 0
[Xref => http://www.whitehats.com/info/IDS212][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0532]

[**] [1:323:4] FINGER root query [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/30-14:15:51.805430 10.53.1.2:3884 -> 10.54.1.2:79
TCP TTL:3 TOS:0x0 ID:48701 IpLen:20 DgmLen:46
***AP*** Seq: 0x680D8545  Ack: 0x13F44B9C  Win: 0x14F0  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS376]

[**] [105:1:1] spp_bo: Back Orifice Traffic detected (key: 2160) [**]
01/30-14:19:02.377190 10.53.1.2:1034 -> 10.54.1.2:31337
UDP TTL:3 TOS:0x0 ID:60672 IpLen:20 DgmLen:49
Len: 21

[**] [1:522:1] MISC Tiny Fragments [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/30-14:19:02.377229 10.53.1.2 -> 10.54.1.2
UDP TTL:3 TOS:0x0 ID:60672 IpLen:20 DgmLen:28 MF
Frag Offset: 0x0000   Frag Size: 0x0008

[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
12/22-19:15:51.819914 192.168.36.70:33034 -> 192.168.4.62:80
TCP TTL:63 TOS:0x0 ID:40674 IpLen:20 DgmLen:132 DF
***AP*** Seq: 0xF6A2D5DF  Ack: 0xF662E276  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 150922 235799904

So you can see the alert fields are out of sequence. Note also there can be some duplicated fields (same field repeated). I want to know "why the logs are not in same fashion or sequence"? Is it a problem on my end or does this have some other story? Please guide me out how to trap these fields coherently.

Regards,
Abhijat
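A parser for this alert format that keys on the shape of each line rather than on its position, added here as an example; it is not code from the post or from the Snort project. It assumes Snort 2.x "full" alert output with one record per `[**]` header line; the sample records are three of those quoted in the post, and the field names (gid, sid, src_port, ip_flags, extra, duplicates) and the duplicate bookkeeping are this example's own choices.

```python
import re

# Constructed sample: three of the records quoted in the post, one field-line per line as Snort writes them.
SAMPLE_ALERTS = """\
[**] [1:255:8] DNS zone transfer TCP [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/30-14:17:29.361261 10.53.1.2:32771 -> 10.54.1.2:53
TCP TTL:3 TOS:0x0 ID:22132 IpLen:20 DgmLen:90
***AP*** Seq: 0xD91E1232  Ack: 0x3623AA63  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 17475 0
[Xref => http://www.whitehats.com/info/IDS212][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0532]

[**] [105:1:1] spp_bo: Back Orifice Traffic detected (key: 2160) [**]
01/30-14:19:02.377190 10.53.1.2:1034 -> 10.54.1.2:31337
UDP TTL:3 TOS:0x0 ID:60672 IpLen:20 DgmLen:49
Len: 21

[**] [1:522:1] MISC Tiny Fragments [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/30-14:19:02.377229 10.53.1.2 -> 10.54.1.2
UDP TTL:3 TOS:0x0 ID:60672 IpLen:20 DgmLen:28 MF
Frag Offset: 0x0000   Frag Size: 0x0008
"""

# One pattern per kind of line, with named groups: a record is assembled from the shape of
# each line rather than from line position, so order and omissions do not matter.
HEADER_RE = re.compile(r"^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: (?P<classification>[^\]]*)\]")
PRIO_RE = re.compile(r"\[Priority: (?P<priority>\d+)\]")
ADDR_RE = re.compile(r"^(?P<timestamp>\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+) "
                     r"(?P<src_ip>\S+?)(?::(?P<src_port>\d+))? -> (?P<dst_ip>\S+?)(?::(?P<dst_port>\d+))?$")
IPHDR_RE = re.compile(r"^(?P<proto>\S+) TTL:(?P<ttl>\d+) TOS:(?P<tos>0x[0-9A-Fa-f]+) ID:(?P<ip_id>\d+) "
                      r"IpLen:(?P<ip_len>\d+) DgmLen:(?P<dgm_len>\d+)(?P<ip_flags>.*)$")
TCPHDR_RE = re.compile(r"^(?P<tcp_flags>[12UAPRSF*]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)\s+Ack: (?P<ack>0x[0-9A-Fa-f]+)"
                       r"\s+Win: (?P<win>0x[0-9A-Fa-f]+)\s+TcpLen: (?P<tcp_len>\d+)")
TCPOPT_RE = re.compile(r"^TCP Options \(\d+\) => (?P<tcp_options>.*)$")
XREF_RE = re.compile(r"\[Xref => ([^\]]+)\]")
KV_RE = re.compile(r"([A-Za-z][A-Za-z ]*?): (\S+)")  # fallback for "Len: 21", "Frag Offset: 0x0000", ...
LINE_RES = (CLASS_RE, PRIO_RE, ADDR_RE, IPHDR_RE, TCPHDR_RE, TCPOPT_RE)

SCALAR_FIELDS = ("gid", "sid", "rev", "msg", "classification", "priority", "timestamp", "src_ip",
                 "src_port", "dst_ip", "dst_port", "proto", "ttl", "tos", "ip_id", "ip_len", "dgm_len",
                 "tcp_flags", "seq", "ack", "win", "tcp_len", "tcp_options")
INT_FIELDS = {"gid", "sid", "rev", "priority", "src_port", "dst_port", "ttl", "ip_id", "ip_len",
              "dgm_len", "tcp_len"}

def _set(rec, key, value):
    """Store a scalar once; a repeated field is noted in rec['duplicates'], not overwritten."""
    if value is None:  # e.g. no port on a fragment alert
        return
    if key == "ip_flags":  # DF / MF tokens trailing the IP header line
        rec["ip_flags"].extend(value.split())
        return
    if key in INT_FIELDS:
        value = int(value)
    if rec[key] is None:
        rec[key] = value
    else:
        rec["duplicates"].append(key)

def _parse_line(rec, line):
    hits = [m for m in (pat.search(line) for pat in LINE_RES) if m]
    for m in hits:
        for key, value in m.groupdict().items():
            _set(rec, key, value)
    if hits:
        return
    xrefs = XREF_RE.findall(line)
    if xrefs:  # Xref legitimately repeats, so it is kept as a list
        rec["xrefs"].extend(xrefs)
        return
    for key, value in KV_RE.findall(line):  # protocol-specific leftovers go into 'extra'
        if key in rec["extra"]:
            rec["duplicates"].append(key)
        else:
            rec["extra"][key] = value

def parse_alerts(text):
    """Parse a Snort 2.x full-format alert file into one dict per record."""
    records, rec = [], None
    for line in map(str.strip, text.splitlines()):
        m = HEADER_RE.match(line)
        if m:  # a header line always opens a new record; blank lines fall through harmlessly
            rec = dict.fromkeys(SCALAR_FIELDS)
            rec.update(ip_flags=[], xrefs=[], extra={}, duplicates=[])
            for key, value in m.groupdict().items():
                _set(rec, key, value)
            records.append(rec)
        elif rec is not None:
            _parse_line(rec, line)
    return records

def to_row(rec, columns):
    """Emit a record in a fixed column order for the target format; a missing field becomes ''."""
    def cell(v):
        if isinstance(v, dict):
            v = [f"{k}={x}" for k, x in v.items()]
        return ";".join(map(str, v)) if isinstance(v, list) else ("" if v is None else str(v))
    return [cell(rec.get(c)) for c in columns]
```

Because every line is recognised by its own pattern, a record with no Classification line (preprocessor alerts such as spp_bo), no ports (fragment alerts) or no TCP lines (UDP, ICMP) still parses, with the absent fields left as None, and `to_row(rec, columns)` then writes whatever column order the target format requires. A field that genuinely appears twice is listed in `duplicates` rather than silently replacing the first value, which is what a single regex run across the whole file tends to do when the fields shift around.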