[Snort-users] Process Snort alerts on real time

Marcin Dulak marcin.dulak at ...11827...
Wed Feb 22 10:03:18 EST 2017


On Wed, Feb 22, 2017 at 1:22 PM, Nora Aron <valeparatodo at ...11827...> wrote:

> http://seclists.org/snort/2017/q1/11
>
> Thanks Marcin,
> Yes, that is great for static logs. But unfortunately my problem is not
> the same as in that thread, unless there is something that I
> misunderstood.
> I could also obtain the content of the packet in hexadecimal from
> u2spewfoo (after parsing it).
> But u2spewfoo is only for static logs as well. So I am trying to use the
> SpoolEventReader from ids-tools, which provides you real-time events,
> already converted to a readable format. The problem is that this tool
> provides the packet info in some kind of raw binary that I don't know how to
> process.
> I add an extract as an example:
> \x00!\xd7j\xe4\x00RT\x00\xfc\xa9\xf6
>

Are you getting "Failed to encode record as JSON: __init__() got an
unexpected keyword argument 'encoding'"?
I think this is due to https://github.com/jasonish/py-idstools/issues/36
Fetch the latest python-idstools or just remove , encoding="latin-1" from
the highlighted line in
/usr/lib/python2.7/site-packages/idstools/scripts/u2eve.py (or wherever it
lives on your distribution):
https://github.com/jasonish/py-idstools/blob/5862a936af07b37458b1fc3719f9ade065b283f1/idstools/scripts/u2eve.py#L302


Marcin


>
> I could use either u2spewfoo or the combination of tools you proposed if I
> had the event in unified2 from SpoolEventReader, but this is not the case.
>
> Thanks
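As an added example (not code from this thread, from Snort or from py-idstools): decoding the raw packet bytes that SpoolEventReader hands you. The 12-byte extract quoted above is the destination and source MAC of an Ethernet frame, so the usual approach is to hex-dump the bytes and unpack the Ethernet and IPv4 headers with `struct`. The EtherType, the IPv4 header appended to the extract, and the `event["packets"][i]["data"]` layout are assumptions made for this Python 3 script.

```python
import socket
import struct

# Constructed sample frame: the first 12 bytes are the extract quoted in the
# thread (an Ethernet destination and source MAC); the EtherType and the
# 20-byte IPv4 header after them are made up for this example.
SAMPLE_PACKET = (
    b"\x00!\xd7j\xe4\x00RT\x00\xfc\xa9\xf6"       # dst MAC, src MAC
    + b"\x08\x00"                                 # EtherType 0x0800 = IPv4
    + bytes.fromhex("450000280001000040060000c0a80001c0a80002")  # IPv4 header
)

def mac(raw):
    return ":".join("%02x" % b for b in raw)

def parse_packet(data):
    """Decode the Ethernet header and, for IPv4, addresses, TTL and protocol."""
    if len(data) < 14:
        raise ValueError("too short for an Ethernet header: %d bytes" % len(data))
    dst, src, ethertype = struct.unpack("!6s6sH", data[:14])
    info = {"dst_mac": mac(dst), "src_mac": mac(src), "ethertype": ethertype}
    if ethertype == 0x0800:
        if len(data) < 34:
            raise ValueError("truncated IPv4 header")
        f = struct.unpack("!BBHHHBBH4s4s", data[14:34])
        info.update(ip_version=f[0] >> 4, total_len=f[2], ttl=f[5], proto=f[6],
                    src_ip=socket.inet_ntoa(f[8]), dst_ip=socket.inet_ntoa(f[9]))
    return info

def hexdump(data, width=16):
    """Offset / hex / printable-ASCII lines, like a packet dump tool prints."""
    out = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        out.append("%04x  %-*s  %s" % (off, width * 3 - 1, hexpart, asc))
    return out

def summarize_event(event):
    """One parsed dict per packet record of an event. Assumed py-idstools
    layout: event["packets"] is a list of records with a raw "data" field."""
    return [parse_packet(bytes(pkt["data"])) for pkt in event.get("packets", [])]

if __name__ == "__main__":
    event = {"packets": [{"data": SAMPLE_PACKET}]}   # constructed stand-in
    print("\n".join(hexdump(SAMPLE_PACKET)))
    print(summarize_event(event))
```

With a real SpoolEventReader loop you would call summarize_event on each event it yields instead of the constructed dict.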