[Snort-devel] port scan preprocessor logging format

Hutchinson, Andrew Andrew.Hutchinson at ...1084...
Wed Jan 16 12:45:04 EST 2002


I haven't found the portscan logs difficult to process - I have a Perl script that looks through the logs and flags scans that look particularly interesting, and sends a "boiled down" report of those things which interest me.  IMHO (as an end user), I believe that providing end users with more abstracted and raw data is better than providing them with something pre-processed into a more restrictive format.

Additionally, the danger in writing to the portscan log _after_ the portscan has taken place rears its head when somebody runs a drawn-out-full-blown-scan of your network (in my case a Class B address space), which may take several hours.  I want to know about this _right when_ it is taking place, and not after the deed is done.  I can look in my SQL server or snort's alert file for spp_portscan flags after the fact.  But while it's taking place, I expect to find the initial indicators in portscan.log in realtime.

There are a couple of possible options: you can post-process portscan.log (which is what I do, using Perl) for "after-the-fact" reporting purposes, OR you could tail -f portscan.log into a handle in Perl (or whatever else you might use) and process it in realtime, or use the spp_portscan alerts in the alert file.  But as far as changing the portscan.log format, my worthless vote would be "no."

Plus, if the output format changes dramatically, all of my stuff would break and I'd have to re-write it.  And I'm lazy.  :-)

Andrew Hutchinson CNE MCSE
Informatics/NCS/Network Security
Vanderbilt University Medical Center
615.936.2856 - voice
615.936.0643 - fax
andrew.hutchinson at ...1082...


-----Original Message-----
From: Mathew Johnston [mailto:mjohnston at ...1001...]
Sent: Wednesday, January 16, 2002 9:13 AM
To: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] port scan preprocessor logging format


Right now, the port scan preprocessor logs in a format that is not
terribly easy to process from a script. Has anyone else expressed
dissatisfaction with the format?

Is it possible to wait until a portscan is finished before writing to
the portscan log? That way, the log could be easily parsed... for
example:

TIMESTAMP START Portscan From SOURCE_IP
TIMESTAMP SS.SS.SS.SS:P -> TT.TT.TT.TT:P SYNFIN ******SF
TIMESTAMP SS.SS.SS.SS:P -> TT.TT.TT.TT:P SYNFIN ******SF
TIMESTAMP SS.SS.SS.SS:P -> TT.TT.TT.TT:P SYN ******S*
TIMESTAMP SS.SS.SS.SS:P -> TT.TT.TT.TT:P UDP
TIMESTAMP END Portscan From SOURCE_IP time(4s) hosts(1) TCP(3) UDP(1)

The format of each log line was:
TIMESTAMP MSGTYPE SOURCEIP:SOURCEPORT -> TARGETIP:TARGETPORT TYPE TCPFLAGS
where TYPE is the definition of the kind of scan - for example, there's more
than one kind of stealth scan; we don't need to say 'STEALTH' for each
one; it is implied by the TYPE.


This allows for easy parsing by a script. Scripts need to be able to use
these files for reporting, for escalating portscan data to a network
security management system, etc.

Is this reasonable? Thanks :)

Mathew Johnston
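As an added example (not part of either message, and not Snort code), here is a parser for the START / probe / END layout Mathew proposes above, written so that it serves both approaches Andrew describes in his reply: feed() takes one line at a time, so the same code post-processes a finished portscan.log or consumes a tail -f pipe, and early_warnings() reports scans that are still open, for the "tell me while it is happening" case. Assumptions, since the proposal leaves them open: TIMESTAMP is a single whitespace-free token (the constructed sample uses a Snort-style "01/16-09:13:02.000001"); probe lines are "TIMESTAMP SRC:PORT -> DST:PORT TYPE [TCPFLAGS]" with UDP lines carrying no flags field; END lines carry time(Ns) hosts(N) TCP(N) UDP(N) exactly as proposed; and the set of TYPE names treated as "stealth" is my own, not Snort's list. The sample log lines are constructed, not real traffic.

```python
# Incremental parser for the START / probe / END portscan.log layout proposed in
# the thread (added example, not Snort code; assumptions are noted in the lead-in).
import re
from dataclasses import dataclass, field

PROBE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dip>[\d.]+):(?P<dport>\d+)\s+(?P<type>[A-Z]+)(?:\s+(?P<flags>\S+))?\s*$")
START_RE = re.compile(r"^(?P<ts>\S+)\s+START Portscan From (?P<sip>[\d.]+)\s*$")
END_RE = re.compile(
    r"^(?P<ts>\S+)\s+END Portscan From (?P<sip>[\d.]+)\s+time\((?P<secs>\d+)s\)"
    r"\s+hosts\((?P<hosts>\d+)\)\s+TCP\((?P<tcp>\d+)\)\s+UDP\((?P<udp>\d+)\)\s*$")


@dataclass
class Scan:
    """State of one scan between its START and END lines."""
    source: str
    started: str
    targets: set = field(default_factory=set)   # distinct destination IPs
    ports: set = field(default_factory=set)     # distinct destination ports
    types: set = field(default_factory=set)     # TYPE tokens seen (SYN, SYNFIN, UDP, ...)
    tcp: int = 0
    udp: int = 0


class PortscanLogParser:
    # TYPEs treated as "stealth" when flagging; an assumed list, not Snort's own.
    STEALTH_TYPES = {"SYNFIN", "FIN", "NULL", "XMAS"}

    def __init__(self, sweep_hosts=8):
        self.active = {}                 # source IP -> Scan still in progress
        self.sweep_hosts = sweep_hosts   # distinct targets that make a scan a host sweep

    def feed(self, line):
        """Consume one line (from a file or a tail -f pipe); return a summary dict on END."""
        m = START_RE.match(line)
        if m:
            self.active[m["sip"]] = Scan(source=m["sip"], started=m["ts"])
            return None
        m = PROBE_RE.match(line)
        if m:
            # A probe with no START seen (e.g. tail started mid-scan) is still tracked.
            scan = self.active.setdefault(m["sip"], Scan(source=m["sip"], started=m["ts"]))
            scan.targets.add(m["dip"])
            scan.ports.add(int(m["dport"]))
            scan.types.add(m["type"])
            if m["type"] == "UDP":
                scan.udp += 1
            else:
                scan.tcp += 1
            return None
        m = END_RE.match(line)
        if m:
            scan = self.active.pop(m["sip"], None) or Scan(source=m["sip"], started=None)
            return self._summarize(scan, m)
        return None   # anything else (old-format line, blank line) is ignored

    def _summarize(self, scan, m):
        observed = {"hosts": len(scan.targets), "ports": len(scan.ports),
                    "tcp": scan.tcp, "udp": scan.udp}
        declared = {k: int(m[k]) for k in ("secs", "hosts", "tcp", "udp")}
        flags = ["stealth:" + t for t in sorted(scan.types & self.STEALTH_TYPES)]
        if observed["hosts"] >= self.sweep_hosts:
            flags.append("host-sweep")
        # Cross-check END totals against what was actually counted: a mismatch means
        # lines were lost (rotation, truncation) or the writer and reader disagree.
        if any(declared[k] != observed[k] for k in ("hosts", "tcp", "udp")):
            flags.append("count-mismatch")
        if scan.started is None:
            flags.append("no-start-seen")
        return {"source": scan.source, "started": scan.started, "ended": m["ts"],
                "declared": declared, "observed": observed,
                "types": sorted(scan.types), "flags": flags}

    def early_warnings(self):
        """Realtime view: scans still open that already reach the sweep threshold."""
        return [(s.source, len(s.targets), s.tcp + s.udp)
                for s in self.active.values() if len(s.targets) >= self.sweep_hosts]


# Constructed sample in the proposed layout (not real traffic).  The second scan's
# END line deliberately under-reports hosts(3) so the cross-check fires.
SAMPLE_LOG = """\
01/16-09:13:02.000001 START Portscan From 10.0.0.5
01/16-09:13:02.100000 10.0.0.5:40001 -> 172.16.0.10:22 SYNFIN ******SF
01/16-09:13:02.200000 10.0.0.5:40002 -> 172.16.0.10:80 SYNFIN ******SF
01/16-09:13:03.000000 10.0.0.5:40003 -> 172.16.0.10:443 SYN ******S*
01/16-09:13:05.000000 10.0.0.5:40004 -> 172.16.0.10:53 UDP
01/16-09:13:06.000000 END Portscan From 10.0.0.5 time(4s) hosts(1) TCP(3) UDP(1)
01/16-09:20:00.000000 START Portscan From 10.0.0.9
01/16-09:20:00.100000 10.0.0.9:5000 -> 172.16.0.1:22 SYN ******S*
01/16-09:20:00.200000 10.0.0.9:5000 -> 172.16.0.2:22 SYN ******S*
01/16-09:20:00.300000 10.0.0.9:5000 -> 172.16.0.3:22 SYN ******S*
01/16-09:20:00.400000 10.0.0.9:5000 -> 172.16.0.4:22 SYN ******S*
01/16-09:20:00.500000 END Portscan From 10.0.0.9 time(0s) hosts(3) TCP(4) UDP(0)
"""


def parse_sample(sweep_hosts=3):
    """After-the-fact mode: run the whole sample through and collect the summaries."""
    parser = PortscanLogParser(sweep_hosts)
    return [s for s in map(parser.feed, SAMPLE_LOG.splitlines()) if s is not None]
```

Running parse_sample() yields one summary per END line; the first scan is flagged "stealth:SYNFIN", the second "host-sweep" and "count-mismatch" because its END line claims three hosts while four distinct targets were probed. For the realtime case, feed the same lines from a tail -f pipe and poll early_warnings() between lines: the 10.0.0.9 sweep shows up after its third target, before its END line has been written.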


