[Snort-sigs] Question on alert formats.

James Hoagland hoagland at ...79...
Tue Aug 21 11:37:05 EDT 2001


>Some time ago, I wrote "snort2html", a program that parses alerts 
>and outputs them to a nicely formatted HTML page.
>
>Over time as snort and alert formats have changed, my program has 
>become increasingly less useful.  Now that it is time to revisit the 
>issue, and update my program, I find some of the alert formats to be 
>somewhat unstandardized.
>
>As an example, I would like to provide these two alerts:
>
>Aug 14 10:43:08 h24-64-249-20 snort[12945]: [1:1243:1]  WEB-IIS ISAPI .ida attempt [Classification: Attempted Administrator Privilege Gain Priority: 10]: 24.64.224.161:4472 -> 24.64.249.20:80
>
>
>Aug 14 10:44:43 h24-64-249-20 snort[12945]: ICMP Destination Unreachable (Communication Administratively Prohibited) [1:485:1] : 158.43.47.158 -> 24.64.249.20
>
>Note, the [1:???:1] portion comes after the description in one, and 
>before the description in another.
>
>
>Of course, I'd like to avoid writing too many different regexps for 
>various different standards... are there any plans to make these 
>alerts consistent?
>
>Also, what does the [1:???:1] refer to?

Dan,

Not an answer to your question, but possibly some help nevertheless. 
You might consider using an input module as described in the 
SnortSnarf input module API.  See:

   http://www.silicondefense.com/software/snortsnarf/modularized/

SnortFileInput.pm, part of SnortSnarf, is one such module, and can 
accept full alert, fast alert, syslog, and portscan log entries. 
There is also an IDMEF input module in the works.

Using this, you can largely ignore the parsing issues.  Feel free to 
contact me with any questions.

It's probably just a dream, but maybe whenever the alert format gets 
changed, the corresponding input module would be updated by the same 
person or a different one.  And when a new output format is added, a 
new input module could be created.  That way SnortSnarf and whoever 
else uses the same API could parse it immediately.

Best regards,

   Jim

-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...80...                *|
|*              http://www.silicondefense.com/              *|
|*      Silicon Defense - Technical Support for Snort       *|
|*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|
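
The parsing problem Dan raises (the `[gid:sid:rev]` tag appearing before the description in one alert and after it in another) is easier to handle by locating the tag anywhere in the syslog body and removing it than by writing one regexp per layout. The following parser is an added example, not code from snort2html or SnortSnarf, and it is written in Python rather than the Perl those tools use. It assumes the syslog layout shown in the two quoted alerts (timestamp, host, `snort[pid]:`, body ending in `src -> dst` with optional ports) and additionally accepts a `[Classification: ...] [Priority: N]` layout with the priority in its own bracket, which is an assumption about a later Snort output format and not something this message shows. The first two sample lines are the quoted alerts rejoined onto single lines; the third is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Sample input: the two alerts quoted in the message (rejoined after the
# 80-column wrapping) plus one constructed line using a separate
# "[Priority: N]" bracket, which is assumed here rather than taken from the page.
SAMPLE_ALERTS = [
    "Aug 14 10:43:08 h24-64-249-20 snort[12945]: [1:1243:1]  WEB-IIS ISAPI .ida attempt "
    "[Classification: Attempted Administrator Privilege Gain Priority: 10]: "
    "24.64.224.161:4472 -> 24.64.249.20:80",
    "Aug 14 10:44:43 h24-64-249-20 snort[12945]: ICMP Destination Unreachable "
    "(Communication Administratively Prohibited) [1:485:1] : 158.43.47.158 -> 24.64.249.20",
    # constructed, assumed later layout with priority in its own bracket
    "Aug 14 11:02:17 h24-64-249-20 snort[12945]: [1:1243:1] WEB-IIS ISAPI .ida attempt "
    "[Classification: Web Application Attack] [Priority: 1]: 10.0.0.5:3344 -> 10.0.0.9:80",
]

# syslog prefix: "Mon DD HH:MM:SS host snort[pid]: body"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort\[(?P<pid>\d+)\]: (?P<body>.*)$"
)
# the [gid:sid:rev] tag, wherever it sits in the body
SIGID_RE = re.compile(r"\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*")
# classification with priority either inside the same bracket (as on this page)
# or in a following bracket (assumed)
CLASS_RE = re.compile(
    r"\s*\[Classification: (?P<cls>.+?)(?:\]\s*\[|\s+)Priority: (?P<prio>\d+)\]\s*"
)
# "description : src[:port] -> dst[:port]"; anchoring src on an IPv4 address keeps a
# colon inside the description from being mistaken for the separator
_IP = r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?"
TAIL_RE = re.compile(r"^\s*(?P<desc>.*)\s*:\s*(?P<src>" + _IP + r")\s*->\s*(?P<dst>" + _IP + r")\s*$")


@dataclass
class SnortAlert:
    timestamp: str
    host: str
    pid: int
    gid: int
    sid: int
    rev: int
    description: str
    classification: Optional[str]
    priority: Optional[int]
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '1.2.3.4' -> ('1.2.3.4', None)."""
    ip, _, port = endpoint.partition(":")
    return ip, (int(port) if port else None)


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Parse one syslog-format Snort alert, or return None if it does not fit."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")

    sig = SIGID_RE.search(body)
    if not sig:
        return None
    gid, sid, rev = (int(sig.group(k)) for k in ("gid", "sid", "rev"))
    # cut the tag out so the remaining body has the same shape in both layouts
    body = body[: sig.start()] + " " + body[sig.end():]

    classification = priority = None
    cls = CLASS_RE.search(body)
    if cls:
        classification, priority = cls.group("cls"), int(cls.group("prio"))
        body = body[: cls.start()] + " " + body[cls.end():]

    tail = TAIL_RE.match(body)
    if not tail:
        return None
    src_ip, src_port = _split_endpoint(tail.group("src"))
    dst_ip, dst_port = _split_endpoint(tail.group("dst"))
    return SnortAlert(
        timestamp=m.group("ts"), host=m.group("host"), pid=int(m.group("pid")),
        gid=gid, sid=sid, rev=rev, description=tail.group("desc").strip(),
        classification=classification, priority=priority,
        src_ip=src_ip, src_port=src_port, dst_ip=dst_ip, dst_port=dst_port,
    )


def count_by_signature(lines: Iterable[str]) -> Dict[Tuple[int, int], int]:
    """Tally parseable alerts by (gid, sid), the kind of summary an HTML report wants."""
    counts: Dict[Tuple[int, int], int] = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            key = (alert.gid, alert.sid)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(parse_alert(line))
    print(count_by_signature(SAMPLE_ALERTS))
```

Lines that do not match are returned as `None` rather than raising, so a report generator can count unparsed lines separately and notice when the output format has shifted again, which is the failure mode Dan describes.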
