Re: snortlog parsing

From: Stuart Staniford (stuart@silicondefense.com)
Date: 10/09/01


Message-ID: <3BC32854.4E8FE0FD@silicondefense.com>
Date: Tue, 09 Oct 2001 09:39:48 -0700
From: Stuart Staniford <stuart@silicondefense.com>
To: John Ellingsworth <jellings@mail.med.upenn.edu>
Subject: Re: snortlog parsing

I'm not sure I exactly understand the question (feel free to clarify).

I assume you mean the detailed packet dumps that Snort produces?
Snortsnarf turns these into web pages and links to them (from web pages
derived from the alert logs). However, it doesn't really parse them to
extract the information for use in some other way.

Snortsnarf is at http://www.silicondefense.com/snortsnarf/

Stuart.

John Ellingsworth wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Does anyone know of a perl script available that parses the default
> snort logs, not the alert files?
>
> I'd like to know before I start writing one myself . . .
>
> john
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBO7yVyAbexkNIm1OFEQK9iwCg+gLBhy7Z6p2rhxN7085hvzOMTK4AnRsU
> xYGYcnwScaYy9Sq8UuvWbeHV
> =XNcg
> -----END PGP SIGNATURE-----

-- 
Stuart Staniford     ---     President     ---     Silicon Defense
         ** Silicon Defense: Technical Support for Snort **
mailto:stuart@silicondefense.com  http://www.silicondefense.com/
(707) 445-4355 x 16                           (707) 445-4222 (FAX)
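As an added example (not Snortsnarf's code, and not from either poster), here is a parser for the ASCII packet-dump records that Snort writes under its `-l` log directory, the "default snort logs" John asks about and the files Snortsnarf only links to rather than parses. It is written in Python rather than the Perl John was looking for; the records in `SAMPLE_LOG` are constructed to follow the Snort 1.x dump layout (timestamp line, IP header line, optional TCP flags line, optional hex payload lines, `=+=+` separator). Beyond parsing, it shows one thing the extracted fields are good for that the alert file alone does not give you: counting sources that send bare SYNs to several distinct ports.

```python
"""Parser for Snort's ASCII packet-dump logs, i.e. the per-connection files
Snort writes under its -l log directory (as opposed to the alert file).

Added example, not Snortsnarf's code. The records in SAMPLE_LOG are
constructed to follow the Snort 1.x dump layout; real files may carry
extra lines (TCP options, an alert banner) which this parser skips."""
import re

# Constructed sample: two TCP SYNs from one host to two ports, then a UDP
# datagram with a hex payload (as produced when Snort runs with -d).
SAMPLE_LOG = """\
10/09-09:39:48.123456 192.168.1.5:33012 -> 10.0.0.1:80
TCP TTL:64 TOS:0x0 ID:48151 IpLen:20 DgmLen:60 DF
******S* Seq: 0x3A6F1B2C  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (3) => MSS: 1460 SackOK NOP

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/09-09:39:48.223456 192.168.1.5:33013 -> 10.0.0.1:22
TCP TTL:64 TOS:0x0 ID:48152 IpLen:20 DgmLen:60 DF
******S* Seq: 0x3A6F1B2D  Ack: 0x0  Win: 0x16D0  TcpLen: 40

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/09-09:40:01.000123 192.168.1.7:53241 -> 10.0.0.2:53
UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:44
Len: 16
12 34 01 00 00 01 00 00 00 00 00 00 03 77 77 77  .4...........www

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# Record separator line Snort prints between packets.
SEPARATOR = re.compile(r"^(?:=\+)+[ \t]*$", re.M)
# "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]"; ports absent for ICMP.
HDR = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
# "PROTO TTL:n TOS:0x.. ID:n IpLen:n DgmLen:n [DF] [MF]..."
IPHDR = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)(.*)$")
# "12UAPRSF" flag field with '*' for unset bits, then Seq/Ack/Win/TcpLen.
TCPHDR = re.compile(r"^([12UAPRSF*]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)\s+Win: (0x[0-9A-Fa-f]+)\s+TcpLen: (\d+)")
# Payload dump: space-separated hex pairs, two spaces, then the ASCII column.
HEXLINE = re.compile(r"^((?:[0-9A-F]{2} )*[0-9A-F]{2})  ")


def parse_record(lines):
    """Turn the non-blank lines of one dump record into a dict, or None if
    the first line is not a Snort timestamp/address line."""
    m = HDR.match(lines[0])
    if not m:
        return None
    ts, src, sport, dst, dport = m.groups()
    rec = {"time": ts, "src": src, "sport": int(sport) if sport else None,
           "dst": dst, "dport": int(dport) if dport else None,
           "proto": None, "ttl": None, "ip_id": None, "dgm_len": None,
           "ip_flags": [], "tcp_flags": "", "payload": b""}
    payload = bytearray()
    for line in lines[1:]:
        m = IPHDR.match(line)
        if m:
            rec["proto"] = m.group(1)
            rec["ttl"] = int(m.group(2))
            rec["ip_id"] = int(m.group(4))
            rec["dgm_len"] = int(m.group(6))
            rec["ip_flags"] = m.group(7).split()
            continue
        m = TCPHDR.match(line)
        if m:
            rec["tcp_flags"] = m.group(1).replace("*", "")  # e.g. "S", "AP"
            continue
        m = HEXLINE.match(line)
        if m:
            payload.extend(bytes.fromhex(m.group(1)))
        # Anything else (TCP Options, Len:, ICMP Type/Code) is ignored.
    rec["payload"] = bytes(payload)
    return rec


def parse_snort_dump(text):
    """Split a dump file on the =+=+ separator and parse every record."""
    records = []
    for chunk in SEPARATOR.split(text):
        lines = [ln.rstrip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            rec = parse_record(lines)
            if rec:
                records.append(rec)
    return records


def syn_only_sources(records, min_ports=2):
    """Sources that sent bare SYNs to at least min_ports distinct destination
    ports: a cheap scan indicator derived from the packet logs."""
    probed = {}
    for r in records:
        if r["proto"] == "TCP" and r["tcp_flags"] == "S":
            probed.setdefault(r["src"], set()).add(r["dport"])
    return {src: len(ports) for src, ports in probed.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = parse_snort_dump(text)
    for r in recs:
        print(f"{r['time']} {r['proto']:4} {r['src']}:{r['sport']} -> "
              f"{r['dst']}:{r['dport']} flags={r['tcp_flags'] or '-'} "
              f"payload={len(r['payload'])}B")
    print("bare-SYN sources:", syn_only_sources(recs))
```

Run it with a path to one of the per-connection files from Snort's log directory, or with no argument to use the constructed sample. The parser deliberately keys on the fixed field labels (`TTL:`, `DgmLen:`, `Seq:`) rather than on line position, so a stray TCP options line or alert banner does not shift the fields.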
