Snort mailing list archives

snort log


From: "abhijat kumar" <abhijat () operamail com>
Date: Tue, 01 Feb 2005 14:46:49 +0100


I am using "snort-2.1.2" and developing a snort log converter to some other IDS format.

I am using regular expressions to read the different attributes out of the snort alert file and want to write them in the desired format by mapping those fields in the required sequence.

My problem is that the snort alert log is not obeying a fixed format. Sometimes some fields are duplicated, and sometimes some fields are chopped off. This is fooling my reader when it tries to trap the right fields.

eg:

[**] [1:255:8] DNS zone transfer TCP [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/30-14:17:29.361261 10.53.1.2:32771 -> 10.54.1.2:53
TCP TTL:3 TOS:0x0 ID:22132 IpLen:20 DgmLen:90
***AP*** Seq: 0xD91E1232  Ack: 0x3623AA63  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 17475 0
[Xref => http://www.whitehats.com/info/IDS212][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0532]

[**] [1:323:4] FINGER root query [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/30-14:15:51.805430 10.53.1.2:3884 -> 10.54.1.2:79
TCP TTL:3 TOS:0x0 ID:48701 IpLen:20 DgmLen:46
***AP*** Seq: 0x680D8545  Ack: 0x13F44B9C  Win: 0x14F0  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS376]

[**] [105:1:1] spp_bo: Back Orifice Traffic detected (key: 2160) [**]
01/30-14:19:02.377190 10.53.1.2:1034 -> 10.54.1.2:31337
UDP TTL:3 TOS:0x0 ID:60672 IpLen:20 DgmLen:49
Len: 21

[**] [1:522:1] MISC Tiny Fragments [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/30-14:19:02.377229 10.53.1.2 -> 10.54.1.2
UDP TTL:3 TOS:0x0 ID:60672 IpLen:20 DgmLen:28 MF
Frag Offset: 0x0000   Frag Size: 0x0008


[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**] 12/22-19:15:51.819914 192.168.36.70:33034 -> 
192.168.4.62:80 TCP TTL:63 TOS:0x0 ID:40674 IpLen:20 DgmLen:132 DF
***AP*** Seq: 0xF6A2D5DF  Ack: 0xF662E276  Win: 0x16D0  TcpLen: 32 TCP Options (3) => NOP NOP TS: 150922 235799904


So you can see the alert fields are out of sequence.
Note also there can be some duplicated fields (same field repeated).

I want to know why the logs are not in the same fashion or sequence. Is it a problem on my end, or is there some other story? Please guide me on how to trap these fields coherently.

Regards,

Abhijat

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
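One way to read these records without depending on line order, as an added example (my code, not Abhijat's converter and not anything shipped with Snort): it matches each field by its label over the whitespace-collapsed record, so a wrapped or run-together alert, a missing Classification line, or a missing port all land in the same fixed key set, and a repeated Xref field is collapsed to one. It assumes Snort's default full-alert format (timestamps without the -y year option) and IPv4 addresses.

```python
import re

# Constructed sample from two records quoted in the post: a fragment alert (no ports)
# and a preprocessor alert whose lines ran together, with no blank line between them.
SAMPLE = """\
[**] [1:522:1] MISC Tiny Fragments [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/30-14:19:02.377229 10.53.1.2 -> 10.54.1.2
UDP TTL:3 TOS:0x0 ID:60672 IpLen:20 DgmLen:28 MF
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**] 12/22-19:15:51.819914 192.168.36.70:33034 ->
192.168.4.62:80 TCP TTL:63 TOS:0x0 ID:40674 IpLen:20 DgmLen:132 DF
"""

# Match on field labels rather than line positions, so wrapped or run-together
# records and records that lack an optional line still parse.
HEADER_RE = re.compile(r'\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]')
CLASS_RE = re.compile(r'\[Classification: ([^\]]+)\]')
PRIO_RE = re.compile(r'\[Priority: (\d+)\]')
IPV4 = r'(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?'  # port is optional (fragments, ICMP)
ADDR_RE = re.compile(r'(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ' + IPV4 + ' -> ' + IPV4)
PROTO_RE = re.compile(r'\b(TCP|UDP|ICMP|IP) TTL:\d+ .*?DgmLen:\d+((?: (?:DF|MF|RB))*)')
XREF_RE = re.compile(r'\[Xref => ([^\]]+)\]')
# Every "[**] [gid:sid:rev]" header starts a new record, blank separator or not.
SPLIT_RE = re.compile(r'(?=\[\*\*\] \[\d+:\d+:\d+\])')

def parse_record(record):
    """Map one alert onto a fixed key set; fields the record lacks stay None."""
    text = ' '.join(record.split())  # collapse line breaks and runs of spaces
    hdr = HEADER_RE.search(text)
    if hdr is None:
        return None
    alert = dict(gid=int(hdr[1]), sid=int(hdr[2]), rev=int(hdr[3]), msg=hdr[4],
                 classification=None, priority=None, timestamp=None, src_ip=None,
                 src_port=None, dst_ip=None, dst_port=None, proto=None, ip_flags=[])
    if m := CLASS_RE.search(text):  # search() keeps the first copy of a repeated field
        alert['classification'] = m[1]
    if m := PRIO_RE.search(text):
        alert['priority'] = int(m[1])
    if m := ADDR_RE.search(text):
        alert['timestamp'], alert['src_ip'], alert['dst_ip'] = m[1], m[2], m[4]
        alert['src_port'] = int(m[3]) if m[3] else None
        alert['dst_port'] = int(m[5]) if m[5] else None
    if m := PROTO_RE.search(text):
        alert['proto'], alert['ip_flags'] = m[1], m[2].split()
    alert['xrefs'] = list(dict.fromkeys(XREF_RE.findall(text)))  # dedupe, keep order
    return alert

def parse_alerts(text):
    records = SPLIT_RE.split(' '.join(text.split()))  # collapse whitespace, then split
    return [a for a in map(parse_record, records) if a is not None]
```

Because every output record carries the same keys, the converter can emit the fields in its own required sequence regardless of the order (or presence) of lines in the input.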

