Re: [Wallfire-users] Help!
From: Herve E. <rv...@wa...> - 2003-02-20 19:47:05
On Thu, Feb 20, 2003 at 11:55:09AM -0500, Tim Sailer wrote:
> > > I have logs from 2 sources I want to look at, snort (1.9.0 from a Debian
> > > box) and Pix, from a Pix 535. wflogs doesn't seem to know how to read
> > > either of the logs. I'm using the alert file fril snort, and remote
> > > syslog entries from the Pix. Does anyone have pointers?
> >
> > What exact command line are you using for each file?
> two tries for snort,
> wflogs -i snort /var/log/snort/alert | wflogs -i any /var/log/snort/alert
>
> and a similar commandline for the Pix.
> > You can also join one line of each file for test purpose, if needed...
> OK, from snort:
>
> 02/20-11:53:08.057888 [**] [1:1287:5] WEB-IIS scripts access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 63.240.211.155:12245 -> 192.168.1.1:80
>
> From Pix:
>
> Feb 19 00:13:41 pike.local %PIX-2-106006: Deny inbound UDP from 181.30.226.168/1030 to 192.168.1.179/137 on interface outside
Ok, I see exactly what's going on. I didn't rely on exactly the same
format of files as you. You (or I) have really no luck, I'm sorry. ;-)
But I come with a temporary solution, so I hope you'll forgive me.
I'm very interested in your feedback.
Don't hesitate if you have other problems.
****************
For snort:
wflogs expects a snort log coming from syslog... so maybe I should do
something to also recognize directly generated alert files...
That will certainly be in the next release...
But for the moment, you could try to log it to syslog, or write a short
perl script to add "syslog information" to your lines in order to
parse them correctly. Here's the little one I just wrote:
(note that it requires libtime-piece-perl)
$ cat snortalert2syslog
#!/usr/bin/perl -w
# Prefix each snort "fast" alert line with syslog-style fields
# ("Feb 20 11:53:08 myhost snort: ...") so that wflogs -i snort can read it.
# Requires libtime-piece-perl (Time::Piece).
use strict;
use Time::Piece;
while (<>) {
    chomp;                                 # drop the newline; the print below adds its own
    my ($str) = ($_ =~ /^([^.]*)\./);      # "02/20-11:53:08" from "02/20-11:53:08.057888 [**] ..."
    next unless defined $str;              # skip lines that do not start with a snort timestamp
    my $t = Time::Piece->strptime($str, "%m/%d-%T");
    print $t->strftime("%b %d %T"), " myhost snort: $_\n";
}
But it isn't sufficient, as a little too much paranoia in the current
checks prevents this from working (though this will be fixed in the
next release). So for the moment you have to turn off the strict checking.
So, for the moment, use:
$ ./snortalert2syslog < yoursnortlogs | wflogs --strict-parsing=loose -i snort -
****************
For Pix:
wflogs expects ": PIX-". Well, it's because my working test file is
PIX-4, and yours is PIX-2. However, expecting only " PIX-" (without
':') does the job. This will be fixed in the next release as well.
So, for the moment, use:
$ sed 's/ %PIX-/:&/' < yourpixlogs | wflogs -i cisco_pix -
Herve
--
_
(°= Hervé Eychenne
//)
v_/_ WallFire project: http://www.wallfire.org/
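The two format fixes from the mail above (wrapping a snort "fast" alert line in a syslog prefix, and inserting the ':' before " %PIX-" in PIX syslog lines), worked through as an added Python example. This is not code from the original mail or from the WallFire project; the host name "myhost", the year 2003 and the sample lines are assumptions built from the lines quoted in the thread. It goes a little beyond the mail: the snort converter pads a one-digit day with a space the way syslog does (the Perl script's %d would print "Feb 02"), rejects impossible dates, and the PIX part also splits a %PIX-2-106006 deny line into its fields so the result can be fed to something other than wflogs.

```python
import re
from datetime import datetime

# Month names hard-coded so the output does not depend on the locale.
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Constructed sample lines, copied from the formats shown in the thread.
SAMPLE_SNORT = ("02/20-11:53:08.057888 [**] [1:1287:5] WEB-IIS scripts access [**] "
                "[Classification: access to a potentially vulnerable web application] "
                "[Priority: 2] {TCP} 63.240.211.155:12245 -> 192.168.1.1:80")
SAMPLE_PIX = ("Feb 19 00:13:41 pike.local %PIX-2-106006: Deny inbound UDP "
              "from 181.30.226.168/1030 to 192.168.1.179/137 on interface outside")

# Leading timestamp of a snort "fast" alert: MM/DD-HH:MM:SS.usec
SNORT_TS_RE = re.compile(r"^(\d{2})/(\d{2})-(\d{2}:\d{2}:\d{2})\.\d{6}\s")


def snort_alert_to_syslog(line, year, host="myhost"):
    """Re-emit a snort alert line as a syslog line, as the Perl script does.

    The snort timestamp carries no year, so the caller supplies one (assumed
    here; the thread's lines are from 2003).  syslog pads a one-digit day with
    a space ("Feb  2"), not a zero.  The original line is kept verbatim after
    "snort: ", exactly as the Perl script prints $_.
    """
    line = line.rstrip("\n")
    m = SNORT_TS_RE.match(line)
    if m is None:
        raise ValueError("not a snort fast-alert line: %r" % line)
    mon, day, clock = int(m.group(1)), int(m.group(2)), m.group(3)
    datetime(year, mon, day)  # raises ValueError on an impossible date such as 02/30
    return "%s %2d %s %s snort: %s" % (MONTHS[mon - 1], day, clock, host, line)


# "Feb 19 00:13:41 pike.local %PIX-2-106006: Deny inbound UDP from ..."
PIX_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%PIX-(?P<severity>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")

# Body of a 106006 deny message, as quoted in the thread.
DENY_RE = re.compile(
    r"^Deny (?P<direction>inbound|outbound) (?P<proto>\w+) "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\S+)$")


def normalize_pix(line):
    """Same rewrite as sed 's/ %PIX-/:&/': put a ':' after the host name."""
    return line.rstrip("\n").replace(" %PIX-", ": %PIX-", 1)


def parse_pix(line):
    """Split a PIX syslog line into fields; deny lines also get the 5-tuple."""
    m = PIX_RE.match(line.rstrip("\n"))
    if m is None:
        raise ValueError("not a PIX syslog line: %r" % line)
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    d = DENY_RE.match(rec["text"])
    if d is not None:
        rec.update(d.groupdict())
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
    return rec


if __name__ == "__main__":
    print(snort_alert_to_syslog(SAMPLE_SNORT, 2003))
    print(normalize_pix(SAMPLE_PIX))
    print(parse_pix(SAMPLE_PIX))
```

Piped through wflogs the two functions replace the Perl script and the sed one-liner from the mail: `snort_alert_to_syslog` output goes to `wflogs --strict-parsing=loose -i snort -`, `normalize_pix` output to `wflogs -i cisco_pix -`. Whether a given wflogs release still needs either rewrite is something to check against its own changelog; the mail says both were to be fixed in the next release.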