[Snort-devel] port scan preprocessor logging format

Mathew Johnston mjohnston at ...1001...
Wed Jan 16 07:15:08 EST 2002


Right now, the port scan preprocessor logs in a format that is not
terribly easy to process from a script. Has anyone else expressed
dissatisfaction with the format?

Is it possible to wait until a portscan is finished before writing to
the portscan log? That way, the log could be easily parsed... for
example:

TIMESTAMP START Portscan From SOURCE_IP
TIMESTAMP SS.SS.SS.SS:P -> TT.TT.TT.TT:P SYNFIN ******SF
TIMESTAMP SS.SS.SS.SS:P -> TT.TT.TT.TT:P SYNFIN ******SF
TIMESTAMP SS.SS.SS.SS:P -> TT.TT.TT.TT:P SYN ******S*
TIMESTAMP SS.SS.SS.SS:P -> TT.TT.TT.TT:P UDP
TIMESTAMP END Portscan From SOURCE_IP time(4s) hosts(1) TCP(3) UDP(1)

The format of each log line was
TIMESTAMP MSGTYPE SOURCEIP:SOURCEPORT -> TARGETIP:TARGETPORT TYPE
TCPFLAGS
where TYPE is the definition of the kind of scan - for example, there's more
than one kind of stealth scan; we don't need to say 'STEALTH' for each
one; it is implied by the TYPE


This allows for easy parsing by a script. Scripts need to be able to use
these files for reporting, for escalating portscan data to a network
security management system, etc.

Is this reasonable? Thanks :)

Mathew Johnston
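A parser for the START/END block format proposed above, written as an added example (not code from the post or from Snort); the timestamp layout and the sample log are constructed assumptions, and the END-line cross-check is an addition that shows why bracketed blocks are easy to validate:

```python
import re

# Constructed sample in the layout proposed in the post; the timestamp is
# assumed to be one space-free token (Snort's MM/DD-HH:MM:SS style).
SAMPLE_LOG = """\
01/16-07:15:01 START Portscan From 10.0.0.5
01/16-07:15:01 10.0.0.5:40123 -> 192.168.1.10:22 SYNFIN ******SF
01/16-07:15:02 10.0.0.5:40124 -> 192.168.1.10:25 SYNFIN ******SF
01/16-07:15:03 10.0.0.5:40125 -> 192.168.1.10:80 SYN ******S*
01/16-07:15:04 10.0.0.5:40126 -> 192.168.1.10:53 UDP
01/16-07:15:05 END Portscan From 10.0.0.5 time(4s) hosts(1) TCP(3) UDP(1)
"""

START_RE = re.compile(r"^(\S+) START Portscan From (\S+)$")
END_RE = re.compile(r"^(\S+) END Portscan From (\S+)((?: \w+\(\w+\))+)$")
PROBE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)(?: (\S+))?$")


def parse_portscan_log(text):
    """Group probe lines into scans bracketed by START/END markers; returns a
    list of dicts (source, start, end, probes, summary). Unknown lines raise."""
    scans, current = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := START_RE.match(line):
            current = {"start": m[1], "source": m[2], "end": None,
                       "probes": [], "summary": {}}
        elif (m := END_RE.match(line)) and current and m[2] == current["source"]:
            current["end"] = m[1]
            # "time(4s) hosts(1) TCP(3) UDP(1)" -> {"time": "4s", "hosts": "1", ...}
            current["summary"] = dict(re.findall(r"(\w+)\((\w+)\)", m[3]))
            scans.append(current)
            current = None
        elif (m := PROBE_RE.match(line)) and current:
            ts, src, sport, dst, dport, kind, flags = m.groups()
            current["probes"].append({"ts": ts, "src": src, "sport": int(sport),
                                      "dst": dst, "dport": int(dport),
                                      "type": kind, "flags": flags})  # flags None for UDP
        else:
            raise ValueError("unrecognised portscan log line: " + line)
    return scans


def summary_matches_probes(scan):
    """Cross-check the END-line counters against the probe lines actually seen,
    so a truncated or interleaved block is caught before it is reported."""
    udp = sum(p["type"] == "UDP" for p in scan["probes"])
    tcp = len(scan["probes"]) - udp
    hosts = len({p["dst"] for p in scan["probes"]})
    s = scan["summary"]
    return (tcp, udp, hosts) == tuple(int(s.get(k, 0)) for k in ("TCP", "UDP", "hosts"))
```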
