[Snort-users] upgraded some tools (snortplot)

Angelos Karageorgiou angelos at ...788...
Mon Oct 29 01:54:01 EST 2001


Brian wrote:
> 
> According to Angelos Karageorgiou:
> > Well the syslog version is really tough to apply a regex onto it
> > to normalize the output; expect that some of the scripts will be broken
> >
> > It is not so much a snort problem more like a problem of the people who
> > write the rules, they do not have a consistent logging scheme for the
> > errors they display. So sometimes you have warnings in square brackets
> > other times two warnings in square brackets etc.
> 
> What do you mean?  Can you give some examples?  If it isn't done in a
> standard way, it can probably be changed.
> 

OK, I will try to find some examples; all these appear in my syslog:

First of all:

=============
Oct 22 08:48:19 cat snort[1050]: [1:485:1] ICMP Destination Unreachable
(Communication Administratively Prohibited) {ICMP} 193.92.130.201 ->
193.92.44.194

Oct 22 09:27:14 cat snort[1050]: [1:499:1] MISC Large ICMP Packet
[Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} 205.160.52.52
-> 193.92.44.194

Oct 22 12:46:02 cat snort[1050]: [1:480:1] ICMP PING speedera {ICMP}
63.251.167.2 -> 193.92.44.194

=============

In the two above lines, both for ICMP traffic, one uses parentheses and one
uses square brackets, and the third line has neither parens nor quotes.

This I consider inconsistent, but I would like to hear your opinion.

It forces me, and some other people I guess, to write a lot of cruft to get the
data needed to process the logs.

======================================================
Oct 22 12:11:14 cat snort[1050]: [1:160:1] BACKDOOR NetMetro Incoming Traffic
{TCP} 212.205.66.197:5031 -> 193.92.44.194:1420

Oct 22 12:11:34 cat snort[1050]: [1:1227:1] X11 outgoing [Classification:
Unknown Traffic] [Priority: 1]: {TCP} 212.205.66.197:6000 ->
193.92.44.194:3417

=================

In the first line above there is NO classification within square brackets.
Most other logging is done with the form [Classification: xxxxxxx] [Priority?: x]:

This again is inconsistent.

I do not mean to belittle anybody's work here; I am just saying that maybe we
need a rule creation metaengine, probably based on M4 or some macro language
which will generate the rules.

Remember what sendmail was forced to do when manually mangling .cf files got
out of hand?
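As an added example (not from this thread and not Snort project code), here is a Python normaliser that tolerates the variations Angelos points out: the optional parenthesised detail, the optional [Classification:] / [Priority:] blocks and the colon that only appears with them, and ports that only appear for TCP. The sample input is the thread's own alerts re-joined onto single lines plus one constructed non-Snort syslog line; `parse_alert`, `parse_alerts` and `unclassified_sids` are names chosen here.

```python
import re
from typing import Optional

# Snort 1.x syslog alert as seen in the thread: between the [gid:sid:rev] tag and the
# {PROTO} field a rule may emit a parenthesised detail, [Classification: ...] and
# [Priority: n], and the ':' before {PROTO} is only present with the priority block.
ALERT_RE = re.compile(r"""
    ^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+
    snort\[(?P<pid>\d+)\]:\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+
    (?P<msg>.*?)(?:\s+\((?P<detail>[^)]*)\))?\s*
    (?:\[Classification:\s*(?P<classification>[^\]]*)\]\s*)?
    (?:\[Priority:\s*(?P<priority>\d+)\]\s*)?:?\s*
    \{(?P<proto>[A-Z]+)\}\s+
    (?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$
""", re.VERBOSE)
INT_FIELDS = ("pid", "gid", "sid", "rev", "priority", "sport", "dport")

def parse_alert(line: str) -> Optional[dict]:
    """Normalise one syslog line into a flat dict; None if it is not a Snort alert."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:  # absent optional fields stay None instead of ''
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def parse_alerts(lines):
    """Parse every Snort alert in an iterable of syslog lines, skipping other daemons."""
    return [rec for rec in map(parse_alert, lines) if rec is not None]

def unclassified_sids(lines):
    """Rule ids whose alerts carry no [Classification:] block (the inconsistency above)."""
    return sorted({r["sid"] for r in parse_alerts(lines) if r["classification"] is None})

# Constructed input: the thread's five alerts re-joined onto one line each (the mail
# client wrapped them) plus one non-Snort syslog line that must be ignored.
SAMPLE_SYSLOG = [
    "Oct 22 08:48:19 cat snort[1050]: [1:485:1] ICMP Destination Unreachable "
    "(Communication Administratively Prohibited) {ICMP} 193.92.130.201 -> 193.92.44.194",
    "Oct 22 09:27:14 cat snort[1050]: [1:499:1] MISC Large ICMP Packet "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} 205.160.52.52 -> 193.92.44.194",
    "Oct 22 12:46:02 cat snort[1050]: [1:480:1] ICMP PING speedera {ICMP} 63.251.167.2 -> 193.92.44.194",
    "Oct 22 12:11:14 cat snort[1050]: [1:160:1] BACKDOOR NetMetro Incoming Traffic "
    "{TCP} 212.205.66.197:5031 -> 193.92.44.194:1420",
    "Oct 22 12:11:34 cat snort[1050]: [1:1227:1] X11 outgoing [Classification: Unknown Traffic] "
    "[Priority: 1]: {TCP} 212.205.66.197:6000 -> 193.92.44.194:3417",
    "Oct 22 12:50:00 cat sshd[2210]: Accepted publickey for angelos from 193.92.44.1",
]
```

Running `unclassified_sids(SAMPLE_SYSLOG)` on these lines lists the three rules (160, 480, 485) that log without a classification, which is exactly the set of rules a metaengine would need to fix.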