Snort mailing list archives

Windows SNORT XML Logs


From: "Jason Withrow" <jwithrow () attbi com>
Date: Thu, 25 Apr 2002 03:34:44 -0400

I have written a script that transforms the xml log files that snort
generates into well-formed xml files.
For some reason the Snort-generated XML isn't well-formed; it contains
an invalid document type definition and is missing the closing tag of
the documentElement.

It also groups the logs by IP, instead of by timestamp like mine seems
to be doing.

So instead of having a bunch of logs that look like: output-0424@0311
You will instead have logs that look like: 24.141.40.251.xml

If you would like this script just email me, and I will be happy to pass
it along.

A bit of warning though, this took about 30 mins to write and it has
some kinks.

It took about 2 mins to gen 28 xml files from 7 output logs and consumed
a ton of memory.

Should be fine for now if you schedule it to run at 3am daily and you
don't have 8 million large output files.

I will definitely rewrite it to get the resources consumed down to a
more acceptable level, but it works for me for now.

I just hated trying to sort through those output files, and I couldn't
even apply an XSL style sheet to it because the output XML was not
well-formed.

I should also have an XSL Template in the next day or so.

Peace,

Jason Withrow

http://www.originalsweep.com/jason
jwithrow () attbi com


"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." 
Benjamin Franklin
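The repair-and-regroup step described in the post above, as an added example that is not Jason's script and not Snort's own code. It assumes a Snort-like layout (a `<report>` document element, one `<event>` per alert, the source address in the `saddr` attribute of `<iphdr>`) and uses a constructed sample log that has the two defects the post names: an invalid internal DTD subset and no closing tag on the document element. The grouping key (source IP), the `by-ip` output directory and the `is_well_formed`/`repair_snort_xml`/`group_events_by_ip`/`write_per_ip_files` names are all this example's own choices; real Snort XML may use different element names, so adjust `EVENT_TAG`, `SRC_IP_TAG` and `SRC_IP_ATTR` to match your files.

```python
"""Repair not-well-formed Snort-style XML logs and regroup events by IP.

Added example (not the script offered in the post, not Snort's code).
Assumed layout: <report> root, <event> per alert, <iphdr saddr="..."/>.
"""
import copy
import ipaddress
import os
import re
import xml.etree.ElementTree as ET

EVENT_TAG = "event"     # assumed: element wrapping one alert
SRC_IP_TAG = "iphdr"    # assumed: child element carrying the addresses
SRC_IP_ATTR = "saddr"   # assumed: attribute holding the source IP

# Constructed sample log. Defects on purpose: "<!ENTITY bogus>" is not a
# valid entity declaration, and </report> never appears. The last event
# carries a non-IP saddr to show the filename guard in group_events_by_ip.
SAMPLE_LOG = """<?xml version="1.0"?>
<!DOCTYPE report SYSTEM "snort.dtd" [
<!ENTITY bogus>
]>
<report>
<event>
<timestamp>2002-04-24 03:11:02</timestamp>
<iphdr saddr="24.141.40.251" daddr="10.0.0.5" proto="6"/>
<signature>constructed signature A</signature>
</event>
<event>
<timestamp>2002-04-24 03:11:09</timestamp>
<iphdr saddr="192.0.2.17" daddr="10.0.0.5" proto="6"/>
<signature>constructed signature B</signature>
</event>
<event>
<timestamp>2002-04-24 03:12:41</timestamp>
<iphdr saddr="24.141.40.251" daddr="10.0.0.9" proto="17"/>
<signature>constructed signature C</signature>
</event>
<event>
<timestamp>2002-04-24 03:13:00</timestamp>
<iphdr saddr="not-an-ip" daddr="10.0.0.5" proto="1"/>
<signature>constructed signature D</signature>
</event>
"""

# DOCTYPE with optional internal subset "[ ... ]"; the XML declaration;
# the first start tag (used to learn the document element's name).
_DOCTYPE_RE = re.compile(r"<!DOCTYPE[^\[>]*(?:\[[^\]]*\])?\s*>", re.DOTALL)
_XMLDECL_RE = re.compile(r"<\?xml[^>]*\?>")
_FIRST_TAG_RE = re.compile(r"<([A-Za-z_][\w.\-]*)")


def is_well_formed(text):
    """True if expat accepts the document as-is."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


def repair_snort_xml(text):
    """Return a well-formed copy of `text`, or raise ET.ParseError.

    Only the two defects the post names are repaired: the DOCTYPE (internal
    subset included) is dropped, and the document element's closing tag is
    appended if missing. Any other damage still raises, so nothing broken
    gets silently passed on to an XSL stage.
    """
    body = _DOCTYPE_RE.sub("", text)
    after_decl = _XMLDECL_RE.sub("", body, count=1).lstrip()
    m = _FIRST_TAG_RE.match(after_decl)
    if not m:
        raise ET.ParseError("no document element found")
    closing = "</%s>" % m.group(1)
    body = body.rstrip()
    if not body.endswith(closing):
        body += "\n" + closing + "\n"
    ET.fromstring(body)  # fail loudly if it is still not well-formed
    return body


def _safe_ip(value):
    """Normalise an address; anything that is not an IP goes to 'unknown'.

    The key later becomes a filename, so never trust raw attribute text.
    """
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return "unknown"


def group_events_by_ip(documents):
    """Merge events from several logs into {source_ip: <root> Element}."""
    groups = {}
    root_tag = None
    for doc in documents:
        root = ET.fromstring(repair_snort_xml(doc))
        root_tag = root_tag or root.tag
        for event in root.iter(EVENT_TAG):
            hdr = event.find(SRC_IP_TAG)
            ip = _safe_ip(hdr.get(SRC_IP_ATTR, "")) if hdr is not None else "unknown"
            bucket = groups.setdefault(ip, ET.Element(root_tag))
            bucket.append(copy.deepcopy(event))
    return groups


def write_per_ip_files(groups, outdir):
    """Write one <ip>.xml per group (IPv6 colons replaced) and return the paths."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for ip, root in sorted(groups.items()):
        path = os.path.join(outdir, "%s.xml" % ip.replace(":", "_"))
        ET.ElementTree(root).write(path, encoding="utf-8", xml_declaration=True)
        paths.append(path)
    return paths


if __name__ == "__main__":
    import sys
    names = sys.argv[1:]
    docs = [open(n, encoding="utf-8", errors="replace").read() for n in names] or [SAMPLE_LOG]
    for written in write_per_ip_files(group_events_by_ip(docs), "by-ip"):
        print(written)
```

Run it with the Snort output files as arguments (or with none to use the constructed sample) and it produces one well-formed file per source IP in `by-ip/`, which an XSL style sheet can then be applied to. The whole input is held in memory, so on a box with many large output logs the same memory growth the post mentions will show up; the repair step needs the full text anyway to find the missing closing tag, but the grouping loop could be switched to `ET.iterparse` over the repaired file if that becomes a problem.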



