
Why is a Snort log file displayed wrong when read in from Perl?

I am writing a Perl program to read a Snort log file. I run Fedora 14 using VMware.

When I run the command /usr/local/bin/snort -r /var/log/snort/snort.log.1299686068, I get this result:

03/08-21:16:03.609258 172.16.115.87:4159 -> 205.181.112.67:80
TCP TTL:63 TOS:0x0 ID:3588 IpLen:20 DgmLen:385 DF
***AP*** Seq: 0xEB6DE4B0  Ack: 0xD00D0DA6  Win: 0x7D78  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/08-21:16:03.627973 205.181.112.67:80 -> 172.16.115.87:4159
TCP TTL:64 TOS:0x0 ID:2458 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xD00D0DA6  Ack: 0xEB6DE609  Win: 0x7E87  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/08-21:16:03.651503 205.181.112.67:80 -> 172.16.115.87:4159
TCP TTL:64 TOS:0x0 ID:2459 IpLen:20 DgmLen:978 DF
***AP*** Seq: 0xD00D0DA6  Ack: 0xEB6DE609  Win: 0x7FE0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+^C

*** Caught Int-Signal
03/08-21:16:03.654590 205.181.112.67:80 -> 172.16.115.87:4159
TCP TTL:64 TOS:0x0 ID:2460 IpLen:20 DgmLen:40
***A***F Seq: 0xD00D1150  Ack: 0xEB6DE609  Win: 0x7FE0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The destination and source IP addresses and more information are listed, but when I write a Perl program to read them, what it lists out is unknown symbols.

Isn't the log file protected by Snort, or what else could be the problem? It does not have to be exactly 100% the same as the result in the 1st example, but it should at least clearly list out everything.

My code is:

#!/usr/local/bin/perl
use strict;
use warnings;
use File::Tail;    # loaded but not used below

# "||" binds to the string, not to opendir, so the original "die" could never fire;
# "or" has the low precedence that was intended.
opendir(my $l_fol, "/var/log/snort") or die "Could not open LOGFOLDER directory\n $!";
# Only the pcap logs, snort.log.<timestamp>; the dots are escaped so "." is literal.
my @allrule = grep { /^snort\.log\./ } readdir $l_fol;
closedir $l_fol;    # a directory handle is closed with closedir, not close

foreach my $rulefile (@allrule) {
    open(my $lf, "<", "/var/log/snort/$rulefile") or die "$!";
    while (<$lf>) {
        print "$_\n";
    }
    close($lf);
}


Your Snort log files are in a binary (tcpdump) format. You can't just read them as text.

If you want to do that, you'd need to tell snort to write them as ASCII with the -K ascii option.

The problem is that this may cause problems with Snort being able to keep up. The better option is to simply pipe the output of snort into your Perl program and read that:

open(LF, "/usr/local/bin/snort -r /var/log/snort/$rulefile|") or die "$!";

Note that this is very old Perl syntax and really shouldn't be used any longer. You should be avoiding barewords and using the three-argument open():

open(my $lf, "-|", "/usr/local/bin/snort -r /var/log/snort/$rulefile") or die "$!";
while (<$lf>) {
...
}
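As an added example, not the answer's own code: a complete Perl script that takes the pipe approach described in the answer one step further. It opens the binary log through snort -r using the list form of open(), so the file name is handed to snort directly and never interpreted by a shell (a hostile file name in /var/log/snort could otherwise inject commands), and it parses the per-packet text records shown in the question into hashes instead of echoing raw lines. The snort path /usr/local/bin/snort is the one from the question; the function names are mine; the sample records are constructed from the question's output so the parser runs without Snort installed. It handles IPv4 records and the TCP detail line only.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example: parse the text that "snort -r <pcap-log>" prints.
# One record per packet, ended by a line of "=+=+..." (shape taken from
# the question's output; IPv4 only, TCP detail line only):
#   03/08-21:16:03.609258 172.16.115.87:4159 -> 205.181.112.67:80
#   TCP TTL:63 TOS:0x0 ID:3588 IpLen:20 DgmLen:385 DF
#   ***AP*** Seq: 0xEB6DE4B0  Ack: 0xD00D0DA6  Win: 0x7D78  TcpLen: 20
#   =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

my $SNORT = '/usr/local/bin/snort';   # path from the question

# Run snort on one binary log and return a read handle on its output.
# The list form of open() execs snort directly: the file name is never
# passed through a shell, so metacharacters in it cannot inject commands.
sub open_snort_log {
    my ($file) = @_;
    open(my $fh, '-|', $SNORT, '-r', $file)
        or die "cannot run $SNORT on $file: $!";
    return $fh;
}

# Read records from a filehandle; returns a reference to a list of hashes.
sub parse_snort_text {
    my ($fh) = @_;
    my (@packets, $cur);
    while (my $line = <$fh>) {
        chomp $line;
        # Header line: timestamp, source, destination (ports absent for ICMP).
        if ($line =~ m{^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+?)(?::(\d+))?\s+->\s+(\S+?)(?::(\d+))?\s*$}) {
            $cur = { ts => $1, src => $2, sport => $3, dst => $4, dport => $5 };
            next;
        }
        next unless $cur;   # "*** Caught Int-Signal" and other noise is skipped
        if ($line =~ m{^(\w+)\s+TTL:(\d+)\s+TOS:(0x[0-9A-Fa-f]+)\s+ID:(\d+)\s+IpLen:(\d+)\s+DgmLen:(\d+)(?:\s+(DF))?}) {
            @{$cur}{qw(proto ttl tos id iplen dgmlen)} = ($1, $2, $3, $4, $5, $6);
            $cur->{df} = defined $7 ? 1 : 0;
        }
        elsif ($line =~ m{^([*\w]{8})\s+Seq:\s+(0x[0-9A-Fa-f]+)\s+Ack:\s+(0x[0-9A-Fa-f]+)\s+Win:\s+(0x[0-9A-Fa-f]+)\s+TcpLen:\s+(\d+)}) {
            @{$cur}{qw(flags seq ack win tcplen)} = ($1, hex $2, hex $3, hex $4, $5);
        }
        elsif ($line =~ m{^=\+=\+}) {   # record terminator
            push @packets, $cur;
            undef $cur;
        }
    }
    return \@packets;
}

# One-line summary of a parsed record.
sub summarize {
    my ($p) = @_;
    my $flow = sprintf '%s:%s -> %s:%s',
        $p->{src}, $p->{sport} // '-', $p->{dst}, $p->{dport} // '-';
    my $s = sprintf '%s %s %s', $p->{ts}, $p->{proto} // '?', $flow;
    $s .= sprintf ' flags=%s seq=%08x ack=%08x', @{$p}{qw(flags seq ack)}
        if defined $p->{flags};
    $s .= ' DF' if $p->{df};
    return $s;
}

# Constructed sample modelled on the question's output, used when no log
# file is given on the command line so the script runs without Snort.
my $sample = <<'END';
03/08-21:16:03.609258 172.16.115.87:4159 -> 205.181.112.67:80
TCP TTL:63 TOS:0x0 ID:3588 IpLen:20 DgmLen:385 DF
***AP*** Seq: 0xEB6DE4B0  Ack: 0xD00D0DA6  Win: 0x7D78  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

*** Caught Int-Signal
03/08-21:16:03.654590 205.181.112.67:80 -> 172.16.115.87:4159
TCP TTL:64 TOS:0x0 ID:2460 IpLen:20 DgmLen:40
***A***F Seq: 0xD00D1150  Ack: 0xEB6DE609  Win: 0x7FE0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
END

my $fh;
if (@ARGV) {
    $fh = open_snort_log($ARGV[0]);     # e.g. /var/log/snort/snort.log.1299686068
} else {
    open($fh, '<', \$sample) or die $!; # in-memory filehandle over the sample
}
print summarize($_), "\n" for @{ parse_snort_text($fh) };
close($fh) or warn "close failed: $! (exit status $?)\n";
```

Run it with no arguments to see the two sample records summarised, or with a path to one of the snort.log.* files to parse real output. Because the pipe open takes a list, a log file named something like `x; rm -rf /` is just an odd file name to snort, whereas with the single-string form `"snort -r $file|"` it would be run by the shell.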
