[Snort-users] A Working Logsurfer Example for Snort 2.0
edin.dizdarevic at ...7509...
Fri May 23 16:38:04 EDT 2003
I may use it but for now I am only looking for priority 1 events and
problems like lost connection to the DB or crashes. Maybe I can send you
those tomorrow, if you wish.
Logsurfer is a pretty cool thing. For more on regular expressions I
can recommend the O'Reilly book Mastering Regular Expressions. If you
want to learn how to write good (=fast) regex take a look, it's a great
book and really not a boring one.
However, I've noticed a strange thing with logsurfer. With big rule
files (> 200 lines) it may crash for some reason. I have one such file
for my /var/log/messages, writing many comments, in order to remember
later, what I have done. I used to use many empty lines in between the
rules too. After the file reached 250 lines logsurfer crashed again and
again, with a strange error message. Instead of empty lines I put '#',
and logsurfer was doing fine after that.
Just in case...
Matt Howell wrote:
> A few weeks ago, I posted a message asking if anyone had a set of
> logsurfer rules that worked with Snort 2.0 that was worth sharing.
> After failing to receive a response from anyone, I am posting the rules
> that I came up with in the hopes that it might be helpful for others.
> By no means are these officially endorsed by the Snort project or
> logsurfer, but instead it's just one example of what someone is actually
> using in production. I am fairly green to logsurfer / regex, so there
> may be better ways to handle some of these events. I tried to include
> somewhat logical comments, as well. If you find something that works
> better for you, please let me know because I would like to improve on
> this over time.
> -Matt Howell
> mhowell at ...9084...
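The kind of filtering described above (keep only priority 1 Snort events, and separately flag output-plugin problems such as a lost database connection) can be sketched outside logsurfer as well. The following is an added example and is not code from either poster or from the Snort or logsurfer projects. It parses lines in the format Snort's alert_syslog output plugin writes, using anchored, non-greedy patterns in the spirit of the "fast regex" advice above. The sample log lines are constructed for this example, and the wording matched by DB_PROBLEM_RE is an assumption about what a database-output failure looks like in syslog, not something taken from the thread.

```python
import re

# Snort alert_syslog line shape (after the syslog timestamp/host prefix):
#   snort[PID]: [GID:SID:REV] MSG [Classification: X] [Priority: N] {PROTO} SRC -> DST
# The Classification block is optional, and ICMP entries carry no port numbers.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)"
)

# ASSUMED wording for an output-plugin/database failure; adjust to your own
# sensor's messages. Matched case-insensitively on the snort daemon's lines only.
DB_PROBLEM_RE = re.compile(
    r"snort\[\d+\]: .*\b(?:database|mysql|postgresql)\b.*\b(?:lost|failed|error)\b",
    re.IGNORECASE,
)

# Constructed sample input (not real sensor output): three alerts of mixed
# priority, one database problem, and one unrelated sshd line that must be ignored.
SAMPLE_LOG = """\
May 23 16:38:04 sensor snort[1234]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.5:1434
May 23 16:38:05 sensor snort[1234]: [1:1390:5] SHELLCODE x86 inc ebx NOOP [Classification: Executable code was detected] [Priority: 1] {TCP} 192.0.2.20:4567 -> 198.51.100.7:80
May 23 16:38:06 sensor snort[1234]: database: mysql_error: Lost connection to MySQL server during query
May 23 16:38:07 sensor snort[1234]: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.30 -> 198.51.100.9
May 23 16:38:08 sensor sshd[999]: Accepted publickey for admin from 192.0.2.40 port 5555 ssh2
"""


def parse_alert(line):
    """Return a dict of the alert fields, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields


def triage(lines, max_priority=1):
    """Split a stream of syslog lines into the alerts worth paging on and sensor problems.

    Returns {"alerts": [parsed alerts with priority <= max_priority],
             "problems": [raw lines that look like database/output failures],
             "seen": number of Snort alerts parsed in total}.
    """
    result = {"alerts": [], "problems": [], "seen": 0}
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            result["seen"] += 1
            if alert["prio"] <= max_priority:
                result["alerts"].append(alert)
            continue
        # Only lines that failed to parse as alerts are checked for sensor trouble,
        # so an alert whose message mentions "mysql" is not misreported as a problem.
        if DB_PROBLEM_RE.search(line):
            result["problems"].append(line.strip())
    return result


if __name__ == "__main__":
    out = triage(SAMPLE_LOG.splitlines())
    for a in out["alerts"]:
        print(f"PRIORITY {a['prio']}: sid {a['sid']} {a['msg']} {a['src']} -> {a['dst']}")
    for p in out["problems"]:
        print("SENSOR PROBLEM:", p)
```

Run against a live file with something like `triage(open("/var/log/messages"))`; the `seen` counter is useful as a sanity check that the regex still matches your sensor's output after a Snort upgrade, since a silent parse failure would otherwise look like a quiet network.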