Super Glue: Using Perl to Develop a Cheap Network Framework

  • November 16, 2005
  • By Brad Lhotsky

A Simple Example

A really simple syslog-ng compatible parser might look something like this:

use strict;
use warnings;

#
# Precook regular expressions to save recompile time.
my %regex = (
   'meta' => {
      empty   => qr/^\s*$/
   },
   'mesg' => {
      date    => qr/(\w+\s+\d+\s+\d+:\d+:\d+)/,
      host    => qr/\s+\d+:\d+:\d+\s+(\S+)/,
      facility=> qr/\s+\d+:\d+:\d+\s+\S+\s+([^:]+):/,
      mesg    => qr/\s+\d+:\d+:\d+\s+\S+\s+[^:]+:\s+(.*)/
   }
);

while( local $_ = <> ) {
   chomp;                            # Strip the new line
   next if /$regex{meta}{empty}/;    # Skip empty lines

   #
   # Build a hash from our regex, one field per pattern:
   my %mesg = ();
   foreach my $field (keys %{ $regex{mesg} }) {
      if(/$regex{mesg}{$field}/) {
         $mesg{$field} = $1;
      }
   }

   #
   # Now %mesg might look something like this:
   #
   # %mesg = (
   #    date     => 'Oct 18 22:02:50',
   #    host     => 'idssensor',
   #    facility => 'snort',
   #    mesg     => '[1:2466:6] NETBIOS SMB-DS IPC$ unicode share access
   #                 [Classification: Generic Protocol Command Decode]
   #                 [Priority: 3]: {TCP} 10.0.2.150:1372 -> 10.0.2.154:445'
   # );
}
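The parser above fills %mesg one field at a time, so a line that only half matches produces a half-filled hash. The following is an added example, not the article's own code: it folds the same layout into one anchored regex, rejects lines that do not match in full, handles the optional "[pid]" that syslog appends to the program name, and runs against constructed sample lines so it can be tried without a live syslog-ng feed.

```perl
#!/usr/bin/perl
# Added example (not from the article): all-or-nothing syslog-ng line parser.
use strict;
use warnings;

# One anchored regex for "MMM DD HH:MM:SS host program[pid]: message".
# A line that does not match in full is rejected instead of yielding a
# partially filled hash.
my $line_re = qr/^
    (\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})   # date
    \s+(\S+)                                # host
    \s+([^\s:\[]+)(?:\[(\d+)\])?:           # program, optional pid in brackets
    \s+(.*)                                 # message body
$/x;

sub parse_line {
    my ($line) = @_;
    chomp $line;
    return if $line =~ /^\s*$/;             # skip empty lines
    my @f = $line =~ $line_re or return;    # reject lines that do not fit
    my %mesg;
    @mesg{qw(date host facility pid mesg)} = @f;
    # The body echoes packet contents seen by snort, so it is untrusted data:
    # it is returned verbatim and must be escaped before it is stored anywhere.
    return \%mesg;
}

# Constructed sample lines in the format the article's parser expects.
my @samples = (
    'Oct 18 22:02:50 idssensor snort[2231]: [1:2466:6] NETBIOS SMB-DS IPC$ '
      . 'unicode share access [Classification: Generic Protocol Command Decode] '
      . '[Priority: 3]: {TCP} 10.0.2.150:1372 -> 10.0.2.154:445',
    '',
    'not a syslog line at all',
);

for my $s (@samples) {
    my $m = parse_line($s);
    unless ($m) { print "rejected: '$s'\n"; next }
    printf "%-8s = %s\n", $_, $m->{$_} // '' for qw(date host facility pid mesg);
    print "\n";
}
```

Feed it real data the same way as the article's script (it reads whatever syslog-ng's program() destination writes to its standard input once you replace @samples with a read loop over <>).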

Calling the Parser with Syslog-ng

Earlier, I mentioned the syslog-ng "program" destination. It's actually far too easy to configure. First, you need to make the Perl script executable; for me it was 'chmod +x parser.pl'. Then, you just add it to the syslog-ng config file:

destination d_perl { program("/path/to/the/parser.pl");};

All that line does is tell syslog-ng to start the program at startup; by itself it passes no messages to it. To send messages to the parser, you need to create a "log" entry in the config file. For the main example, you're going to focus on messages from snort, so you'll also use the following "filter" so that only snort messages reach your parser.

filter f_snort { program("snort"); };

Now, you put your sources through a filter and out to a destination.

log { source(s_tcp); source(s_udp); filter(f_snort);
      destination(d_perl); };

Now, if you restart syslog-ng, incoming messages from the TCP and UDP clients that originate from snort will be passed to your parser.

Don't Touch that Dial

Okay, you're bored. Well, it's about to get more interesting. Now that you have the basic concepts, the next article will dig into extracting data from the snort messages, and storing them somewhere in a way that makes it possible to build on.

Build on? Yes, currently I'm integrating my network's DHCPD logs and Windows Event Success Audit for the login system into my database. Once things are in databases, I can correlate, analyze, and start incorporating all kinds of external data. NMS, Ticketing Systems, E-Mail, and commercial or open source firewalls can all be interfaced with through perl. Individually, these systems are useful, but when working together, they can eliminate tedious tasks and leave a network administrator time to focus on solving problems and contributing more crazy ideas to the programmer's patchwork Network & Security Management Console.

Please contact me with input because I will try to answer questions and incorporate your ideas into the next few articles in this series. At the end of the series, I'll include an archive of source code for you to play with.

About the Author

Brad Lhotsky is a Software Developer whose focus is primarily web-based applications in Perl and PHP. He has over 5 years' experience developing systems for end users and for system and network administrators. Brad has been active on Perl beginners' mailing lists and forums for years, attempting to give something back to the community.



Page 2 of 2