in reply to Parsing Snort Binary Files

I know there is a File::Tail but I do not think this works for binary, only for ascii.

It shouldn't be hard to copy it and change its definition of "line" to match a Snort log record.

Re^2: Parsing Snort Binary Files
by Illuminatus (Curate) on Jun 17, 2011 at 01:25 UTC
    I took a quick look at the code, and it would be a little complicated, but not too bad. It does newline processing in lots of places, which you would have to change. However, at its core it does sysreads to fill its buffer, so the type of data is immaterial. And look on the bright side: if you re-do it as File::Tail::Snort, you could have your very own package on CPAN, and your name would live in infamy :)

    fnord

      Haha, this is my first ever work with Perl, so it would probably be a big task for me to rewrite it, but I'll still take a look.

      I am left with a couple of options so far:

      1. Snort logs to a regular ASCII file that will work with File::Tail.
      2. Snort logs to pcap binary files, which can be one or multiple log files; but for one file, I wouldn't be able to use a continuous file.

      What my boss wants is to create a parsed log about every 24 hours with the data acquired. I guess to start off, would this be better to implement on one continuous log? Or would it be better to, let's say, tell Snort to stop once the file is xx MB and then parse each of those?

      I am not really sure how to approach this problem, as you can see. There are a couple of options, but I can't determine which road to take.
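To make the "change the definition of a line" idea above concrete, here is an added Perl example (not code from this thread or from File::Tail) that reads a Snort pcap log record by record with sysread and rewinds on a partial record, so a tail-style loop can retry once Snort has written more. It assumes the standard pcap layout (24-byte global header, 16-byte record header: ts_sec, ts_usec, incl_len, orig_len), a default file name of snort.log.pcap, and a 262144-byte sanity ceiling on incl_len, all of which are my assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed pcap layout: 24-byte global header, then 16-byte record headers
# (ts_sec, ts_usec, incl_len, orig_len) each followed by incl_len bytes.
my $PCAP_GLOBAL_HDR = 24;
my $PCAP_REC_HDR    = 16;
my $MAX_INCL_LEN    = 262_144;   # assumed sanity ceiling, not from the thread

# Open the file, check the magic number and pick the byte order from it.
sub open_pcap {
    my ($path) = @_;
    open(my $fh, '<:raw', $path) or die "open $path: $!";
    my $hdr;
    my $got = sysread($fh, $hdr, $PCAP_GLOBAL_HDR);
    die "short global header" unless defined $got && $got == $PCAP_GLOBAL_HDR;
    my $magic = unpack('N', $hdr);
    my $fmt;
    if    ($magic == 0xa1b2c3d4) { $fmt = 'N' }   # big-endian fields
    elsif ($magic == 0xd4c3b2a1) { $fmt = 'V' }   # little-endian fields
    else  { die sprintf("not a pcap file (magic 0x%08x)", $magic) }
    return { fh => $fh, fmt => $fmt, pos => $PCAP_GLOBAL_HDR };
}

# Return one complete record as a hashref, or undef if the file does not
# (yet) hold a whole record; the position is rewound so the caller can retry.
sub next_record {
    my ($p) = @_;
    my $fh = $p->{fh};
    my ($rh, $data);
    my $got = sysread($fh, $rh, $PCAP_REC_HDR);
    if (!defined $got || $got < $PCAP_REC_HDR) {
        sysseek($fh, $p->{pos}, 0); return undef;
    }
    my ($sec, $usec, $incl, $orig) = unpack("$p->{fmt}4", $rh);
    # A length beyond the ceiling means a corrupt or truncated header.
    die "implausible incl_len $incl at offset $p->{pos}" if $incl > $MAX_INCL_LEN;
    $got = sysread($fh, $data, $incl);
    if (!defined $got || $got < $incl) {
        sysseek($fh, $p->{pos}, 0); return undef;
    }
    $p->{pos} += $PCAP_REC_HDR + $incl;
    return { ts => $sec + $usec / 1e6, incl_len => $incl,
             orig_len => $orig, data => $data };
}

my $p = open_pcap($ARGV[0] // 'snort.log.pcap');
while (my $r = next_record($p)) {
    printf "%.6f %d bytes (wire %d)\n", $r->{ts}, $r->{incl_len}, $r->{orig_len};
}
```

For continuous tailing, wrap the loop so that an undef result sleeps briefly and calls next_record again instead of exiting.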