Snort Forums Archive
SYSLOG output format problem.
Posted by Bouncing_Bob on March 15, 2005 01:11:00
I've got a 2.3.0 (upgrading to 2.3.2 later today) setup and have run into a problem - there isn't a single SYSLOG output format.
While this may not appear a problem, it is when you're doing automated parsing and import with tools such as Sawmill, that expect a single format.
For instance, the normal format is something like:
Feb 14 18:34:25 gt snort: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 72.133.139.134 -> 72.133.119.59
However, some events are output in a different format, without the Classification: or Priority: fields:
Feb 14 17:18:55 gt snort: [122:1:0] (portscan) TCP Portscan {PROTO255} 193.38.113.34 -> 72.133.119.59
Mar 14 21:29:51 snort_0 snort: [116:58:1] (snort_decoder): Experimental Tcp Options found {TCP} 195.160.253.3:34890 -> 195.171.111.174:135
This causes the automated parsing routines to fail :-(
Can anybody suggest where I should be looking in the source to "fix" this, so that there's always a Classification and Priority field?
TIA
Posted by roesch on March 19, 2005 17:37:06
You need to look at the SID block. That thing that says "[1:439:1]" or whatever is the unique ID number for a Snort event. The first number is the generator ID, the component within Snort that generated the alert. GID 1 is the primary detection engine; all alerts produced by the detection engine should have the same format. GIDs over 100 are typically produced by the preprocessors (although GID 116 was used for the Snort decoder, which is probably not what should have been used in retrospect).
Anyway, if you want to discriminate between output formats, look at the first number in the SID block. For reference, the different GID numbers and event numbers outside the primary detection engine are all laid out in the generators.h file in the src directory of the tarball.
-Marty
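As an added example (not code from either post or from the Snort project), here is a small Python parser that accepts both syslog formats shown above and keys on the GID the way the reply describes, so an importer that wants fixed columns can get them. The three sample lines are constructed copies of the ones posted in the thread; the generator labels for GIDs other than 1 and 116 are an assumption (check generators.h in your tarball), and the placeholder Classification/Priority values filled in for preprocessor and decoder events are chosen here, not Snort defaults.

```python
"""Parse Snort syslog alert lines that may or may not carry
[Classification: ...] [Priority: N], and tag each by generator ID."""
import re
from dataclasses import dataclass, asdict
from typing import Iterable, List, Optional

# Constructed copies of the three lines quoted in the thread, used as input.
SAMPLE_LINES = [
    "Feb 14 18:34:25 gt snort: [1:469:3] ICMP PING NMAP "
    "[Classification: Attempted Information Leak] [Priority: 2]: "
    "{ICMP} 72.133.139.134 -> 72.133.119.59",
    "Feb 14 17:18:55 gt snort: [122:1:0] (portscan) TCP Portscan "
    "{PROTO255} 193.38.113.34 -> 72.133.119.59",
    "Mar 14 21:29:51 snort_0 snort: [116:58:1] (snort_decoder): "
    "Experimental Tcp Options found {TCP} 195.160.253.3:34890 -> 195.171.111.174:135",
]

# One pattern for both formats: the [gid:sid:rev] block, a free-text message,
# then OPTIONAL Classification and Priority blocks, then {PROTO} src -> dst
# where either address may carry a :port.  The message is matched non-greedily
# so it stops before the bracketed fields when they are present.  IPv4 only;
# IPv6 addresses contain colons and would need a different src/dst pattern.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?)"
    r"(?: \[Classification: (?P<classification>[^\]]*)\])?"
    r"(?: \[Priority: (?P<priority>\d+)\])?:? "
    r"\{(?P<proto>[^}]+)\} (?P<src>\S+?)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


@dataclass
class SnortAlert:
    timestamp: str
    host: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    @property
    def generator(self) -> str:
        """Coarse label for the component that raised the event, from the GID.
        The reply names only GID 1 (detection engine) and 116 (decoder); treating
        every other GID >= 100 as a preprocessor is an assumption."""
        if self.gid == 1:
            return "detection-engine"
        if self.gid == 116:
            return "decoder"
        if self.gid >= 100:
            return "preprocessor"
        return "unknown"


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Return a SnortAlert for a recognised line, or None if it does not match."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    g = m.groupdict()
    to_int = lambda v: int(v) if v is not None else None  # noqa: E731
    return SnortAlert(
        timestamp=g["ts"], host=g["host"],
        gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["classification"],
        priority=to_int(g["priority"]), proto=g["proto"],
        src=g["src"], sport=to_int(g["sport"]),
        dst=g["dst"], dport=to_int(g["dport"]),
    )


def normalize(lines: Iterable[str], default_classification: str = "unclassified",
              default_priority: int = 0) -> List[dict]:
    """Emit one fixed-schema record per parseable line.  Events that lack
    Classification/Priority (typically GID >= 100) get the placeholder values
    passed in, which are chosen here and are not Snort's own defaults."""
    rows = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # not an alert line (or a format this parser does not know)
        row = asdict(alert)
        row["generator"] = alert.generator
        if row["classification"] is None:
            row["classification"] = default_classification
        if row["priority"] is None:
            row["priority"] = default_priority
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in normalize(SAMPLE_LINES):
        print(row)
```

Rather than patching Snort so every generator emits Classification and Priority, this keeps the parser tolerant and records the GID alongside the event, so the import side can still tell detection-engine alerts from preprocessor and decoder events after the placeholders are filled in.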