[Snort-users] One for the Wishlist

A.L.Lambert alambert at ...387...
Fri Aug 25 15:28:11 EDT 2000


> That is exactly my point.  A log parser (or database query in my case)
> can't assign a severity to an event unless you assign the severity to
> events in the parser script.  This would mean re-writing the parser
> for every rule addition.  

	Na, see below. :)

> If the parser can just look at the log and see "Severity=5" it makes
> it much easier to code the parser.

	I think you're making something easy seem too hard by thinking
about it too much. :)  A simple pre-processing job makes all this easy.  
Here's how I do/did it (by no means the "best" or "only" way, just my
example).

1.  Create a couple of files, one for each severity level.  In those
files, put regexp's, one per line for any matching alert message (in my
case, I cut/paste the entire msg: field for any rule that's generating too
much false alert traffic).

2.  egrep -f snort.${alertlevel} snort.alert | parserprogramsandsuch

#	Or if you want a more flexible (but CPU expensive) way of doing
#	it, so you can feed the parser in a single-pass type deal:

#	Note: use egrep -q (exit status only) instead of test `...`; with
#	test, a matching line containing spaces is word-split and test fails
#	with "too many arguments".  read -r keeps backslashes in the line.

	cat snort.alert | while read -r line ; do
	event="red"
	if echo "$line" | egrep -q -f snort.green ; then
	event="green"
	elif echo "$line" | egrep -q -f snort.yellow ; then
	event="yellow"
	fi

	echo "$line:$event"
	done | parserprogramsandsuch


#
#	All of the above would most likely do much better in perl, but
#	I know not enough perl to make it so. ;)
#

	Since you're doing a database query, it should be a relatively
simple matter to get the datastream of the query passed through some
shell/perl/C/whatever code to assign your requested severity level
variables, before it even hits the parser.

	Anyhoo, that's my 2 cents.  YMMV. :)

-- 
A.L.Lambert
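
The per-severity regexp-file scheme described in the post above, written out as a runnable added example (this is not code from the original message). It assumes a grep that supports -E, -q and -f (GNU or BSD), and builds constructed regexp files (snort.green, snort.yellow) and constructed alert lines in Snort's one-line alert format under a temporary directory; the function names classify, tag_alerts and count_severity are my own.

```shell
#!/bin/sh
# Added example: single-pass severity tagging of Snort alert lines using
# one regexp file per severity level. All data below is constructed.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed regexp files, one pattern per line (as in the post, the
# msg: text of rules that are too noisy to be treated as red).
cat > "$WORKDIR/snort.green" <<'EOF'
ICMP PING
SNMP public access
EOF

cat > "$WORKDIR/snort.yellow" <<'EOF'
WEB-MISC
SCAN
EOF

# Constructed sample alerts in Snort's one-line alert format.
cat > "$WORKDIR/snort.alert" <<'EOF'
08/25-15:28:11.000001 [**] ICMP PING NMAP [**] 10.0.0.5 -> 10.0.0.1
08/25-15:28:12.000002 [**] WEB-MISC /etc/passwd [**] 10.0.0.7:3321 -> 10.0.0.1:80
08/25-15:28:13.000003 [**] SHELLCODE x86 NOOP [**] 10.0.0.9:1025 -> 10.0.0.1:21
08/25-15:28:14.000004 [**] SCAN nmap TCP [**] 10.0.0.5:3000 -> 10.0.0.1:80
EOF

# classify LINE GREENFILE YELLOWFILE -> prints the severity for one line.
# Unknown alerts default to "red" (loudest); green is tested before yellow,
# so a line matching both files is downgraded, matching the post's loop.
classify() {
    alert=$1
    if printf '%s\n' "$alert" | grep -E -q -f "$2"; then
        echo green
    elif printf '%s\n' "$alert" | grep -E -q -f "$3"; then
        echo yellow
    else
        echo red
    fi
}

# tag_alerts ALERTFILE GREENFILE YELLOWFILE -> every line with ":severity"
# appended, ready to pipe into a parser.
tag_alerts() {
    while IFS= read -r line; do
        printf '%s:%s\n' "$line" "$(classify "$line" "$2" "$3")"
    done < "$1"
}

# count_severity ALERTFILE GREENFILE YELLOWFILE SEVERITY -> number of lines
# tagged with that severity.
count_severity() {
    tag_alerts "$1" "$2" "$3" | grep -c ":$4\$"
}

tag_alerts "$WORKDIR/snort.alert" "$WORKDIR/snort.green" "$WORKDIR/snort.yellow"
```

One thing to watch when maintaining the regexp files: grep -f treats a blank line as a pattern that matches everything, so a stray empty line in snort.green silently downgrades every alert to green. Strip blank lines from the files (or check them in a cron job) before trusting the tags.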
