[Snort-users] snort log

abhijat kumar abhijat at ...7386...
Wed Feb 2 08:27:39 EST 2005

I am using "snort-2.1.2" and developing some 
snort log converter to some other IDS format.

I am using regular expression to read different attributes out of snort alert file and want to write on the desired format by mapping to those fields in required sequence.

Problem with me is the snort alert log is not obeying a fixed format. Sometimes some filds are duplicated or some time some fields are chopped off. This is fooling my reader to trap the right fields.


[**] [1:255:8] DNS zone transfer TCP [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/30-14:17:29.361261 ->
TCP TTL:3 TOS:0x0 ID:22132 IpLen:20 DgmLen:90
***AP*** Seq: 0xD91E1232  Ack: 0x3623AA63  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 17475 0
[Xref => http://www.whitehats.com/info/IDS212][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0532]

[**] [1:323:4] FINGER root query [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/30-14:15:51.805430 ->
TCP TTL:3 TOS:0x0 ID:48701 IpLen:20 DgmLen:46
***AP*** Seq: 0x680D8545  Ack: 0x13F44B9C  Win: 0x14F0  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS376]

[**] [105:1:1] spp_bo: Back Orifice Traffic detected (key: 2160) [**]
01/30-14:19:02.377190 ->
UDP TTL:3 TOS:0x0 ID:60672 IpLen:20 DgmLen:49
Len: 21

[**] [1:522:1] MISC Tiny Fragments [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/30-14:19:02.377229 ->
UDP TTL:3 TOS:0x0 ID:60672 IpLen:20 DgmLen:28 MF
Frag Offset: 0x0000   Frag Size: 0x0008

[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**] 12/22-19:15:51.819914 -> TCP TTL:63 TOS:0x0 ID:40674 IpLen:20 DgmLen:132 DF
***AP*** Seq: 0xF6A2D5DF  Ack: 0xF662E276  Win: 0x16D0  TcpLen: 32 TCP Options (3) => NOP NOP TS: 150922 235799904

So you can see the alert fields are out of sequence.
Note also there can be some duplicated fields (same field repeated).

I want to know "why the logs are not in same fashion or sequence" ? Is it problem on my end or this is has some other story. Please guide me out how to trap these fields coherently.


Web-based SMS services available at http://www.operamail.com.

More information about the Snort-users mailing list