[Snort-sigs] RE: Snort-sigs digest, Vol 1 #55 - 1 msg

Nelson, James (CC-MIS Plans and Prog) James.Nelson at ...74...
Mon Aug 20 17:57:29 EDT 2001


I have seen the exact same problem.  For example, when Snort is logging to
an NT or 2000 event log, the csv dumps can't easily be imported into a
database or a spreadsheet for analysis because the columns/fields are all
over the place.  Systems that do log to a syslog server are a problem to
analyze because the columns/fields are all over the place there too.  Some
systems don't have a syslog server near them so reporting to a syslogd does
not make sense.  Scripts to rewrite/pad/etc. help solve the problem, but it
is painful.

This is of a lesser priority, but the Snort win32 events going to an NT or
2000 event log are not really formatted to the logging standards for NT or
2000, so you can't filter them easily with the event viewer (not that too
many people would really want to put themselves through that on a regular
basis).  The place this becomes important is if someone would want to
prioritize events and do something when an event occurs based on priority --
take an action inside of Sentry or BMC, for example.  It is also important if
someone wants to use something like win32 perl to poll the events like some
do to report system stop events to their administrators every morning, etc.


2 points of feedback:

1)  have logging format "standard enough" so importing and reduction tools
can make sense of it easily and data common to like-type data will end up in
the same column/field in a data import without padding the data before-hand.

2)  find a way to allow those who are porting Snort for Unix over to Win32
to be able to easily massage the logging formats such that the logs make
great sense native to syslog and also NT logging formats.  

Both Win32 and Unix Snort engines have value.  The greatest value is
achieved when people can leverage both at the same time after they have
collected their data and they are ready to generate reports.

James


-----Original Message-----
From: snort-sigs-request at lists.sourceforge.net
[mailto:snort-sigs-request at lists.sourceforge.net]
Sent: Monday, August 20, 2001 2:09 PM
To: snort-sigs at lists.sourceforge.net
Subject: Snort-sigs digest, Vol 1 #55 - 1 msg


Send Snort-sigs mailing list submissions to
	snort-sigs at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.sourceforge.net/lists/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
	snort-sigs-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-sigs-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."


Today's Topics:

   1. Question on alert formats. (Daniel Swan)

--__--__--

Message: 1
Date: Sun, 19 Aug 2001 15:41:24 -0700
From: "Daniel Swan" <swan_daniel at ...76...>
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Question on alert formats.

Some time ago, I wrote "snort2html", a program that parses alerts and
outputs them to a nicely formatted HTML page.

Over time as snort and alert formats have changed, my program has become
increasingly less useful.  Now that it is time to revisit the issue, and
update my program, I find some of the alert formats to be somewhat
unstandardized.

As an example, I would like to provide these two alerts:

Aug 14 10:43:08 h24-64-249-20 snort[12945]: [1:1243:1]  WEB-IIS ISAPI .ida attempt [Classification: Attempted Administrator Privilege Gain   Priority: 10]: 24.64.224.161:4472 -> 24.64.249.20:80


Aug 14 10:44:43 h24-64-249-20 snort[12945]: ICMP Destination Unreachable (Communication Administratively Prohibited) [1:485:1] : 158.43.47.158 -> 24.64.249.20

Note, the [1:???:1] portion comes after the description in one, and before
the description in another.


Of course, I'd like to avoid writing too many different regexps for various
different standards... are there any plans to make these alerts consistent?

Also, what does the [1:???:1] refer to?

Thanks,
Dan.







------------------------------------------------------------
--== Sent via Deja.com ==--
http://www.deja.com/



--__--__--

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
http://lists.sourceforge.net/lists/listinfo/snort-sigs


End of Snort-sigs Digest
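The two layouts Daniel quotes (signature triple before the description in one, after it in the other) and the fixed-column import James asks for can be handled by one small normalizer. The example below is added here and is not code from the thread or from Snort; it extracts the bracketed [gid:sid:rev] triple (generator ID, signature ID and rule revision; gid 1 is the rule engine) wherever it appears, pulls out the optional classification/priority block and the address pair, and emits every alert into the same CSV columns. The sample lines are the two from Daniel's post, re-joined where the mail wrapped them; the column names are an assumption of this example.

```python
import csv
import io
import re

# Constructed sample input: the two syslog alert lines quoted in the thread,
# re-joined where the mail client wrapped them.
SAMPLE_LOG = """\
Aug 14 10:43:08 h24-64-249-20 snort[12945]: [1:1243:1]  WEB-IIS ISAPI .ida attempt [Classification: Attempted Administrator Privilege Gain   Priority: 10]: 24.64.224.161:4472 -> 24.64.249.20:80
Aug 14 10:44:43 h24-64-249-20 snort[12945]: ICMP Destination Unreachable (Communication Administratively Prohibited) [1:485:1] : 158.43.47.158 -> 24.64.249.20
"""

# Fixed column order (names are this example's choice) so like data always
# lands in the same field, regardless of which alert layout produced it.
COLUMNS = ["timestamp", "host", "pid", "gid", "sid", "rev", "msg",
           "classification", "priority", "src_ip", "src_port", "dst_ip", "dst_port"]

# syslog prefix: "<Mon dd HH:MM:SS> <host> snort[<pid>]: <body>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort\[(?P<pid>\d+)\]: (?P<body>.*)$")
# [gid:sid:rev] -- searched for, not anchored, because its position varies
SIG_RE = re.compile(r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]")
# optional "[Classification: ...   Priority: N]" block
CLASS_RE = re.compile(r"\[Classification: (?P<cls>.*?)\s+Priority: (?P<pri>\d+)\]")
# trailing "src[:port] -> dst[:port]"; ports are absent for ICMP
ADDR_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$")


def parse_alert(line):
    """Return one dict keyed by COLUMNS for a syslog alert line, or None."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    body = m.group("body")
    row = dict.fromkeys(COLUMNS, "")
    row.update(timestamp=m.group("ts"), host=m.group("host"), pid=m.group("pid"))

    # Cut each recognised block out of the body; whatever is left is the message.
    sig = SIG_RE.search(body)
    if sig:
        row.update(gid=sig.group("gid"), sid=sig.group("sid"), rev=sig.group("rev"))
        body = body[:sig.start()] + body[sig.end():]
    cls = CLASS_RE.search(body)
    if cls:
        row.update(classification=cls.group("cls"), priority=cls.group("pri"))
        body = body[:cls.start()] + body[cls.end():]
    addr = ADDR_RE.search(body)
    if addr:
        row.update(src_ip=addr.group("src"), src_port=addr.group("sport") or "",
                   dst_ip=addr.group("dst"), dst_port=addr.group("dport") or "")
        body = body[:addr.start()]
    # Strip the stray ": " separators left behind by the removed blocks.
    row["msg"] = body.strip(" :")
    return row


def alerts_to_csv(text):
    """Normalise every parseable alert line in `text` into fixed-column CSV."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS)
    writer.writeheader()
    for line in text.splitlines():
        row = parse_alert(line)
        if row is not None:
            writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    print(alerts_to_csv(SAMPLE_LOG))
```

Because the signature triple is located by search rather than by position, both orderings yield identical columns, which is the property an importer or a priority-based alerting script needs; lines that do not carry the snort[pid] prefix are skipped rather than producing misaligned rows.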



