[Snort-sigs] Question on alert formats.
hoagland at ...79...
Tue Aug 21 11:37:05 EDT 2001
>Some time ago, I wrote "snort2html", a program that parses alerts
>and outputs them to a nicely formatted HTML page.
>Over time as snort and alert formats have changed, my program has
>become increasingly less useful. Now that it is time to revisit the
>issue, and update my program, I find some of the alert formats to be
>As an example, I would like to provide these two alerts:
>Aug 14 10:43:08 h24-64-249-20 snort: [1:1243:1] WEB-IIS ISAPI .ida attempt [Classification: Attempted Administrator Privilege Gain Priority: 10]: 24.64.224.161:4472 -> 22.214.171.124:80
>Aug 14 10:44:43 h24-64-249-20 snort: ICMP Destination
>ication Administratively Prohibited) [1:485:1] : 126.96.36.199 -> 188.8.131.52
>Note, the [1:???:1] portion comes after the description in one, and
>before the description in another.
>Of course, I'd like to avoid writing too many different regexps for
>various different standards... are there any plans to make these
>Also, what does the [1:???:1] refer to?
Not an answer to your question, but possibly some help nevertheless.
You might consider using an input module as described in the
SnortSnarf input module API. See:
SnortFileInput.pm, part of SnortSnarf, is one such module, and can
accept full alert, fast alert, syslog, and portscan log entries.
There is also an IDMEF input module in the works.
Using this, you can largely ignore the parsing issues. Feel free to
contact me with any questions.
It's probably just a dream, but maybe whenever the alert format gets
changed, the corresponding input module would be updated by the same
person or a different one. And when a new output format is added, a
new input module could be created. That way SnortSnarf and whoever
else uses the same API could parse it immediately.
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland at ...80... *|
|* http://www.silicondefense.com/ *|
|* Silicon Defense - Technical Support for Snort *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
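Added example, not from this thread and not SnortSnarf code: a small Python parser that accepts both syslog layouts quoted above, with the [gid:sid:rev] tag (generator id, signature id, rule revision) either before the description alongside classification and priority, or after it. The two sample lines are constructed after the quoted alerts; the "Destination Unreachable (Communication ..." text fills what the mail client wrapped and is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines modelled on the two layouts quoted in the thread.
SAMPLE_ALERTS = [
    "Aug 14 10:43:08 h24-64-249-20 snort: [1:1243:1] WEB-IIS ISAPI .ida attempt "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 10]: "
    "24.64.224.161:4472 -> 22.214.171.124:80",
    "Aug 14 10:44:43 h24-64-249-20 snort: ICMP Destination Unreachable "
    "(Communication Administratively Prohibited) [1:485:1] : "
    "126.96.36.199 -> 188.8.131.52",
]

@dataclass
class Alert:
    gid: int; sid: int; rev: int
    message: str
    classification: Optional[str]
    priority: Optional[int]
    src: str; dst: str

SIG_ID = re.compile(r"\[(\d+):(\d+):(\d+)\]")          # [gid:sid:rev], anywhere
ENDPOINTS = re.compile(r":\s*(\S+)\s+->\s+(\S+)\s*$")  # ": src -> dst" at end
CLASSIFICATION = re.compile(r"\[Classification:\s*([^\]]+)\]")
PRIORITY = re.compile(r"\[Priority:\s*(\d+)\]")

def parse_alert(line: str) -> Optional[Alert]:
    """Parse one syslog-style Snort alert regardless of where the
    [gid:sid:rev] tag sits. Returns None for non-alert syslog lines."""
    _, sep, body = line.partition(" snort: ")
    if not sep:
        return None
    sig, ends = SIG_ID.search(body), ENDPOINTS.search(body)
    if not sig or not ends:
        return None
    head = body[: ends.start()]          # description plus optional metadata
    cls, pri = CLASSIFICATION.search(head), PRIORITY.search(head)
    # Remove the tag and bracketed metadata; what is left is the description.
    msg = PRIORITY.sub("", CLASSIFICATION.sub("", SIG_ID.sub("", head, count=1)))
    return Alert(
        gid=int(sig.group(1)), sid=int(sig.group(2)), rev=int(sig.group(3)),
        message=" ".join(msg.split()),
        classification=cls.group(1).strip() if cls else None,
        priority=int(pri.group(1)) if pri else None,
        src=ends.group(1), dst=ends.group(2),
    )
```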