Why is a Snort log file displayed wrong when read in from Perl?
I am writing a Perl program to read a Snort log file. I run Fedora 14 using VMware.
When using the command /usr/local/bin/snort -r /var/log/snort/snort.log.1299686068
I get the result:
03/08-21:16:03.609258 172.16.115.87:4159 -> 205.181.112.67:80
TCP TTL:63 TOS:0x0 ID:3588 IpLen:20 DgmLen:385 DF
***AP*** Seq: 0xEB6DE4B0 Ack: 0xD00D0DA6 Win: 0x7D78 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/08-21:16:03.627973 205.181.112.67:80 -> 172.16.115.87:4159
TCP TTL:64 TOS:0x0 ID:2458 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xD00D0DA6 Ack: 0xEB6DE609 Win: 0x7E87 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/08-21:16:03.651503 205.181.112.67:80 -> 172.16.115.87:4159
TCP TTL:64 TOS:0x0 ID:2459 IpLen:20 DgmLen:978 DF
***AP*** Seq: 0xD00D0DA6 Ack: 0xEB6DE609 Win: 0x7FE0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+^C
*** Caught Int-Signal
03/08-21:16:03.654590 205.181.112.67:80 -> 172.16.115.87:4159
TCP TTL:64 TOS:0x0 ID:2460 IpLen:20 DgmLen:40
***A***F Seq: 0xD00D1150 Ack: 0xEB6DE609 Win: 0x7FE0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
The destination and source IP addresses and more information are listed, but when I use Perl to write a program to read them, what it lists out is unknown symbols.
Isn't the log file protected by Snort, or what else could be the problem? It does not have to display the result exactly the same as in the first example, but it should at least clearly list out everything.
My code is:
#!/usr/local/bin/perl
use strict;
use warnings;

# "|| die" binds to the string, not to opendir; "or die" is needed for the check to work
opendir(L_FOL, "/var/log/snort") or die "Could not open LOGFOLDER directory\n $!";
my @allrule = grep { /^snort\.log\./ } readdir L_FOL;
closedir(L_FOL);

foreach my $rulefile (@allrule) {
    open(LF, "/var/log/snort/$rulefile") or die "$!";
    while (<LF>) {
        print $_;    # $_ already ends in a newline
    }
    close(LF);
}
Your Snort log files are in a binary (tcpdump) format. You can't just read them as text.
If you want to do that, you'd need to tell Snort to write them as ASCII with the -K ascii option.
The problem is that this may cause you problems with Snort being able to keep up. The better option is to simply pipe the output of snort into your Perl program and read that:
    open(LF, "/usr/local/bin/snort -r /var/log/snort/$rulefile|") or die "$!";
Note that this is very old Perl syntax and really shouldn't be used any longer. You should be avoiding barewords and using the three-argument open():
    open(my $lf, "-|", "/usr/local/bin/snort -r /var/log/snort/$rulefile") or die "$!";
    while (<$lf>) {
        ...
    }
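The following script is an added example, not code from the question or the answer. It shows the two pieces the answer leaves to the reader: checking whether a log is a binary pcap file by its magic number before trying to read it as text, and parsing the text records that "snort -r" prints (the format shown in the question) into Perl hashes. It assumes snort lives at /usr/local/bin/snort as on the page; the log path argument is hypothetical, and the embedded sample is constructed from the records in the question so the script runs offline.

```perl
#!/usr/bin/perl
# Added example (not from the question or answer): detect binary pcap logs
# and parse the text that "snort -r" prints into structured records.
use strict;
use warnings;

# Snort's default packet logs are libpcap files and start with the pcap magic
# number. Reading one as text is what produced the "unknown symbols".
sub is_pcap_file {
    my ($path) = @_;
    open(my $fh, '<:raw', $path) or return 0;
    my $magic;
    my $n = read($fh, $magic, 4);
    close($fh);
    return 0 unless defined $n && $n == 4;
    # a1b2c3d4 / d4c3b2a1 (microsecond) and a1b23c4d / 4d3cb2a1 (nanosecond)
    my $hex = unpack('H8', $magic);
    return $hex =~ /^(a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1)$/ ? 1 : 0;
}

# Parse "snort -r" text output. Each record is three lines followed by a
# "=+=+..." separator:
#   03/08-21:16:03.609258 172.16.115.87:4159 -> 205.181.112.67:80
#   TCP TTL:63 TOS:0x0 ID:3588 IpLen:20 DgmLen:385 DF
#   ***AP*** Seq: 0xEB6DE4B0 Ack: 0xD00D0DA6 Win: 0x7D78 TcpLen: 20
sub parse_snort_text {
    my ($fh) = @_;
    my (@records, $cur);
    while (my $line = <$fh>) {
        chomp $line;
        if ($line =~ m{^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)}) {
            $cur = { time => $1, src => $2, sport => $3, dst => $4, dport => $5 };
        }
        elsif ($cur && $line =~ /^(TCP|UDP|ICMP)\s+TTL:(\d+)\s+.*\bDgmLen:(\d+)/) {
            @{$cur}{qw(proto ttl dgmlen)} = ($1, $2, $3);
        }
        elsif ($cur && $line =~ /^(\S{8})\s+Seq:\s+(0x[0-9A-Fa-f]+)\s+Ack:\s+(0x[0-9A-Fa-f]+)/) {
            @{$cur}{qw(flags seq ack)} = ($1, $2, $3);
        }
        elsif ($line =~ /^=\+=\+/) {        # separator closes the record
            push @records, $cur if $cur;
            undef $cur;
        }
        # anything else (e.g. "*** Caught Int-Signal") is ignored
    }
    push @records, $cur if $cur;            # last record may lack a separator
    return \@records;
}

# Constructed sample (records copied from the question) so this runs offline.
my $sample = <<'END';
03/08-21:16:03.609258 172.16.115.87:4159 -> 205.181.112.67:80
TCP TTL:63 TOS:0x0 ID:3588 IpLen:20 DgmLen:385 DF
***AP*** Seq: 0xEB6DE4B0 Ack: 0xD00D0DA6 Win: 0x7D78 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/08-21:16:03.627973 205.181.112.67:80 -> 172.16.115.87:4159
TCP TTL:64 TOS:0x0 ID:2458 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xD00D0DA6 Ack: 0xEB6DE609 Win: 0x7E87 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
END

my $records;
if (@ARGV) {
    my $log = $ARGV[0];                     # hypothetical: path to a Snort log
    if (is_pcap_file($log)) {
        # Binary log: let snort decode it. The list form of open passes the
        # path as an argument, so no shell ever sees it.
        open(my $lf, '-|', '/usr/local/bin/snort', '-r', $log) or die "snort: $!";
        $records = parse_snort_text($lf);
        close($lf);
    } else {
        # Text log (e.g. written with -K ascii) can be read directly.
        open(my $lf, '<', $log) or die "$log: $!";
        $records = parse_snort_text($lf);
        close($lf);
    }
} else {
    open(my $sh, '<', \$sample) or die $!;  # in-memory filehandle over the sample
    $records = parse_snort_text($sh);
    close($sh);
}

printf "%s %s:%s -> %s:%s %s flags=%s len=%s\n",
    @{$_}{qw(time src sport dst dport proto flags dgmlen)} for @$records;
```

Run with no arguments to parse the embedded sample, or with a log path to have the script decide between calling snort and reading the file as text. The list form of the pipe open differs from the answer's string form: with the string form, a file name containing shell metacharacters is interpolated into a command line, which is worth avoiding for anything read out of a log directory.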