Snort mailing list archives
snort_stat.pl version 1.15.2.3 parsing problem
From: "Erik Norman" <erik.norman () ccnox com>
Date: Thu, 9 Aug 2001 15:47:46 +0200
Hi all,
Having downloaded the very nice program snort_stat.pl (current version
1.15.2.3) I get an empty result :(
I'm using Snort 1.8 beta5. Limited debugging makes me conclude that the
following lines are not considered to be in syslog format...
---------
Aug 8 09:20:46 localhost snort: [1:729:1] Virus - Possible scr Worm {TCP}
1.2.3.4:110 -> 5.6.7.8:64359
Aug 8 11:35:39 localhost snort: [1:729:1] Virus - Possible scr Worm {TCP}
1.2.3.4:110 -> 5.6.7.8:61962
Aug 8 13:46:52 localhost snort: [1:499:1] MISC Large ICMP Packet
[Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} 1.2.3.4 ->
5.6.7.8
Aug 8 15:27:11 localhost snort: [1:257:1] DNS named version attempt
[Classification: Attempted Information Leak] [Priority: 3]: {UDP}
1.2.3.4:2336 -> 5.6.7.8:53
----------
I'm not man enough to parse this regexp...
--snip from snort_stat.pl ---
# This is syslog format
if ($_ =~ m/^(\w{3}) \s+ (\d+) \s (\d+) \: (\d+) \: (\d+)\s
([\w+\.]*)\s[\w+\/\[\d+\]]*:\s ([^\[^\:]+?)
(?:\[Classification:([^\]]*?)\s* Priority:\s(\d+)\]|):\s([\d\.]+)[\:]?
([\d]*)\s[\-\>]+\s ([\d\.]+)[\:]? ([\d]*)/ox) {
------------------------------
Has the format changed since Snort 1.8 beta1? Has anyone experienced the same
thing? Know of a fix?
Best regards
Erik Norman
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
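The quoted alert lines carry a "[gid:sid:rev]" prefix, an optional "[Classification: ...] [Priority: N]:" block, and an ICMP form with no port numbers. A parser that accepts all three shapes (and rejoins lines that a mail client wrapped, as happened in the post) is shown below. This is an added example written for this page, not code from snort_stat.pl or the Snort project; Python is used here for illustration, the pattern translates directly to a Perl /x regex. The "snort[pid]:" tag variant and the sample log lines (the post's lines plus one constructed non-Snort sshd line) are assumptions made for the example.

```python
"""Parse Snort 1.8-style syslog alerts of the shape quoted in the post.

Added example, not snort_stat.pl's own code.  It assumes the layout visible
in the quoted lines: "[gid:sid:rev] msg [Classification: ...] [Priority: N]:
{PROTO} src[:port] -> dst[:port]", with the classification block optional
and ICMP lines carrying no ports.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

SYSLOG_ALERT = re.compile(
    r"""
    ^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+
    (?P<time>\d{2}:\d{2}:\d{2})\s+
    (?P<host>\S+)\s+
    snort(?:\[\d+\])?:\s+                       # "snort:" ("snort[pid]:" form assumed)
    \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+
    (?P<msg>.+?)\s+                              # rule message, matched lazily
    (?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+
       \[Priority:\s*(?P<priority>\d+)\]:\s+)?   # absent on the Virus lines above
    \{(?P<proto>[A-Z]+)\}\s+
    (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+
    (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$
    """,
    re.VERBOSE,
)

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s")


def parse_alert(line: str) -> Optional[Dict]:
    """Return a dict of fields for one Snort syslog alert, or None if it
    does not match (non-Snort syslog lines, truncated lines, ...)."""
    m = SYSLOG_ALERT.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev"):
        rec[key] = int(rec[key])
    for key in ("priority", "sport", "dport"):          # optional numeric fields
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def unwrap(lines: List[str]) -> List[str]:
    """Rejoin alerts that were wrapped onto several lines (as in the post):
    a line that does not begin with a syslog timestamp is a continuation."""
    out: List[str] = []
    for raw in lines:
        ln = raw.rstrip("\n")
        if not ln.strip():
            continue
        if TIMESTAMP.match(ln):
            out.append(ln)
        elif out:
            out[-1] += " " + ln.strip()
    return out


def summarize(lines: List[str]) -> Dict:
    """Tally alerts per signature, source and protocol, the way a stats
    script would, and keep the lines it could not parse for inspection."""
    parsed: List[Dict] = []
    unparsed: List[str] = []
    for ln in unwrap(lines):
        rec = parse_alert(ln)
        if rec is None:
            unparsed.append(ln)
        else:
            parsed.append(rec)
    return {
        "total": len(parsed),
        "unparsed": unparsed,
        "by_sig": Counter((r["sid"], r["msg"]) for r in parsed),
        "by_src": Counter(r["src"] for r in parsed),
        "by_proto": Counter(r["proto"] for r in parsed),
    }


# Constructed sample: the post's four alerts, wrapped as they appear in the
# mail, plus one non-Snort syslog line to show how rejects are reported.
SAMPLE = """\
Aug  8 09:20:46 localhost snort: [1:729:1] Virus - Possible scr Worm {TCP}
1.2.3.4:110 -> 5.6.7.8:64359
Aug  8 11:35:39 localhost snort: [1:729:1] Virus - Possible scr Worm {TCP}
1.2.3.4:110 -> 5.6.7.8:61962
Aug  8 13:46:52 localhost snort: [1:499:1] MISC Large ICMP Packet
[Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} 1.2.3.4 ->
5.6.7.8
Aug  8 15:27:11 localhost snort: [1:257:1] DNS named version attempt
[Classification: Attempted Information Leak] [Priority: 3]: {UDP}
1.2.3.4:2336 -> 5.6.7.8:53
Aug  8 16:00:00 localhost sshd[123]: Accepted password for root from 9.9.9.9
"""

if __name__ == "__main__":
    stats = summarize(SAMPLE.splitlines())
    print("alerts parsed:", stats["total"])
    for (sid, msg), n in stats["by_sig"].most_common():
        print(f"  {n:3d}  sid {sid}  {msg}")
    print("unparsed:", stats["unparsed"])
```

Because the classification block is optional and the port groups are optional, an ICMP alert without ports yields sport/dport of None instead of failing the whole match; anything that still does not match is returned in "unparsed" rather than silently dropped, which is the first thing to check when a stats script produces an empty report.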
Current thread:
- snort_stat.pl version 1.15.2.3 parsing problem Erik Norman (Aug 09)
- snort_stat.pl version 1.15.2.3 parsing problem Kari Suomela (Aug 12)
