[Snort-users] A Working Logsurfer Example for Snort 2.0

Edin Dizdarevic edin.dizdarevic at ...7509...
Fri May 23 16:38:04 EDT 2003

Well done, Matt!

I may use it but for now I am only looking for priority 1 events and
problems like lost connection to the DB or crashes. Maybe I can send you
those tomorrow, if you wish.

Logsurfer is a pretty cool thing. For more on regular expressions I
can recommend the O'Reilly book Mastering Regular Expressions. If you
want to learn how to write good (=fast) regex take a look, it's a great
book and really not a boring one.

However, I've noticed a strange thing with logsurfer. With big rule
files (> 200 lines) it may crash for some reason. I have one such file
for my /var/log/messages, writing many comments, in order to remember
later, what I have done. I used to use many empty lines in between the
rules too. After the file reached 250 lines logsurfer crashed again and
again, with a strange error message. Instead of empty lines I put '#'
and logsurfer was doing fine, then.

Just in case...

Best regards,


Matt Howell wrote:
> All...
> A few weeks ago, I posted a message asking if anyone had a set of
> logsurfer rules that worked with Snort 2.0 that was worth sharing. 
> After failing to receive a response from anyone, I am posting the rules
> that I came up with in the hopes that it might be helpful for others. 
> By no means are these officially endorsed by the Snort project or
> logsurfer, but instead it's just one example of what someone is actually
> using in production.  I am fairly green to logsurfer / regex, so there
> may be better ways to handle some of these events.  I tried to include
> somewhat logical comments, as well.  If you find something that works
> better for you, please let me know because I would like to improve on
> this over time.
> -Matt Howell
> mhowell at ...9084...
> [...]
Edin Dizdarevic
