Re^2: Parsing Snort Binary Files


go ahead... be a heretic
	PerlMonks

Re^2: Parsing Snort Binary Files

by Illuminatus (Curate)

on Jun 17, 2011 at 01:25 UTC ( [id://910058]=note: print w/replies, xml )

Need Help??

in reply to Re: Parsing Snort Binary Files
in thread Parsing Snort Binary Files

I took a quick look at the code, and it would be a little complicated, but not too bad. It does newline processing in lots of places, which you would have to change. However at its core it does sysreads to fill its buffer, so the type of data is immaterial. And look on the bright side: if you re-do it as File::Tail::Snort, you could have you very own package on cpan, and your name would live in infamy :)

fnord

Comment on Re^2: Parsing Snort Binary Files

Replies are listed 'Best First'.

Re^3: Parsing Snort Binary Files
by Anonymous Monk on Jun 17, 2011 at 15:37 UTC

Haha this is my first ever work with Perl so it would probably be a big task for me to rewrite it, but I'll still still take a look.

I am left with a couple options so far: 1. Snort logs to a regular ascii file that will work with File::Tail 2. Snort logs to pcap binary files that can be one or multiple log files but for one file, I wouldn't be able to use a continuous file.

What my boss wants is to create a parsed log about every 24 hours with the data acquired. I guess to start off, would this be better to implement on one continuous log? or would it be better to lets say, tell Snort to stop once the file is xx MB and then parse each of those?

I am not really sure how to approach this problem as you can see. There are a couple options but I cant determine which road to take.

[reply]

In Section Seekers of Perl Wisdom