diff --git a/suricata/SuricataToIdea.py b/suricata/SuricataToIdea.py index 082e944c328704280be022bc81747d33d78b53be..c48f41417e45bc8f5d88401c115601634a172b2b 100644 --- a/suricata/SuricataToIdea.py +++ b/suricata/SuricataToIdea.py @@ -160,7 +160,7 @@ class IdeaGen(object): 'Anomaly.Application': re.compile("web application(?! Attack)")} vulnerability_re = re.compile("vulnerability|vulnerable") - confidence_re = re.compile("(?i)(?:suspicious|possible|potential)") + confidence_re = re.compile("(?i)(?:suspicious|most likely|possible|potential)") confidence_likely_re = re.compile("(?i)most likely") cve_list_file = open("CVE_list.txt") @@ -184,7 +184,7 @@ class IdeaGen(object): event = { 'Format': "IDEA0", 'ID': str(uuid4()), - 'DetectTime': timestamp, + 'DetectTime': timestamp[0:19] + "Z", 'Category': [category] + (["Test"] if self.test else []), 'Note': incident_desription, } @@ -233,6 +233,17 @@ class IdeaGen(object): return event +def get_logger_files(logger): + """ Return file objects of loggers """ + files = [] + for handler in logger.handlers: + if hasattr(handler, 'stream') and hasattr(handler.stream, 'fileno'): + files.append(handler.stream) + if hasattr(handler, 'socket') and hasattr(handler.socket, 'fileno'): + files.append(handler.socket) + return files + + def daemonize( work_dir=None, chroot_dir=None, umask=None, uid=None, gid=None, 
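Review bot: With "most likely" added to `confidence_re`, that text now matches both `confidence_re` and the unchanged `confidence_likely_re` on the next line, so which confidence an alert ends up with depends on the order in which the caller tests the two patterns, and that caller is outside this hunk. If the intent is that the "likely" confidence wins, either check `confidence_likely_re` before `confidence_re` or keep "most likely" out of `confidence_re` as it was. Whichever is chosen, the overlap deserves a comment on the pattern, e.g. `# also matches "most likely"; callers must test confidence_likely_re first`.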
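Review bot: `timestamp[0:19] + "Z"` labels the truncated value as UTC without converting it; Suricata EVE timestamps carry a zone offset (e.g. `...T21:27:09.534255+0100`), so on any host not running in UTC the emitted `DetectTime` is off by that offset and the trailing "Z" is wrong. The offset should be applied before appending "Z" (the sub-second part can still be dropped if IDEA consumers expect whole seconds), and the assumed input format should be confirmed against the event source since the rest of the generator is outside this hunk. A small helper, needing `from datetime import datetime, timedelta` at file top, keeps the event dict readable.

```python
def to_utc_detect_time(timestamp):
    """Convert an EVE timestamp ('YYYY-MM-DDTHH:MM:SS.ffffff+HHMM') to IDEA's UTC 'YYYY-MM-DDTHH:MM:SSZ'."""
    local = datetime.strptime(timestamp[0:19], "%Y-%m-%dT%H:%M:%S")
    sign, hours, minutes = timestamp[-5], int(timestamp[-4:-2]), int(timestamp[-2:])
    offset = timedelta(hours=hours, minutes=minutes)
    utc = local - offset if sign == "+" else local + offset
    return utc.strftime("%Y-%m-%dT%H:%M:%SZ")

# … unchanged: rest of IdeaGen …
            'DetectTime': to_utc_detect_time(timestamp),
```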
@@ -399,6 +410,21 @@ def main(): optp.print_help() sys.exit() + log_format = "%(message)s" + logger = logging.getLogger() + if opts.oneshot: + handler = logging.StreamHandler() + handler.setFormatter(logging.Formatter("%(asctime)s - " + log_format)) + else: + if "/" in opts.log: + handler = logging.handlers.WatchedFileHandler(opts.log) + handler.setFormatter(logging.Formatter("%(asctime)s - " + log_format)) + else: + handler = logging.handlers.SysLogHandler(adress="/dev/log", facility=opts.log) + handler.setFormatter(logging.Formatter(log_format)) + logger.addHandler(handler) + logger.setLevel(logging.DEBUG if opts.verbose else logging.INFO) + if opts.oneshot: signal.signal(signal.SIGINT, terminate_me) signal.signal(signal.SIGTERM, terminate_me) @@ -408,6 +434,7 @@ def main(): pidfile=opts.pid, uid=opts.uid, gid=opts.gid, + files_preserve = get_logger_files(logger), signals={ signal.SIGINT: terminate_me, signal.SIGTERM: terminate_me, @@ -417,21 +444,6 @@ def main(): filer = Filer(opts.dir) idea_gen = IdeaGen(opts.name, opts.test) - log_format = "%(message)s" - logger = logging.getLogger() - if opts.oneshot: - handler = logging.StreamHandler() - handler.setFormatter(logging.Formatter("%(asctime)s - " + log_format)) - else: - if "/" in opts.log: - handler = logging.handlers.WatchedFileHandler(opts.log) - handler.setFormatter(logging.Formatter("%(asctime)s - " + log_format)) - else: - handler = logging.handlers.SysLogHandler(address="/dev/log", facility=opts.log) - handler.setFormatter(logging.Formatter(log_format)) - logger.addHandler(handler) - logger.setLevel(logging.DEBUG if opts.verbose else logging.INFO) - while running_flag: for log_file in files: while True: diff --git a/suricata/get_CVE_list.py b/suricata/get_CVE_list.py index 2e2c8a7400306e22f87c0f8eb821bc967098e3d9..1c51df72fa6014e7ff91d6d1d6e5f957c199d63b 100644 --- a/suricata/get_CVE_list.py +++ b/suricata/get_CVE_list.py 
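Review bot: The moved syslog branch misspells the keyword: `logging.handlers.SysLogHandler(adress="/dev/log", facility=opts.log)` raises `TypeError` for the unexpected argument `adress`, whereas the line it replaces further down in this file used `address=`. The fix is `handler = logging.handlers.SysLogHandler(address="/dev/log", facility=opts.log)`. Since this branch only runs in daemon mode with a non-path `--log` value, the regression will not show up in oneshot or file-logging runs, which is worth a quick manual check before merging.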
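Review bot: The new keyword argument `files_preserve = get_logger_files(logger),` puts spaces around `=` unlike the neighbouring `pidfile=opts.pid, uid=opts.uid, gid=opts.gid,` lines; write it `files_preserve=get_logger_files(logger),` for consistency with the rest of the call. A short comment on why the handler descriptors are kept open, e.g. `# keep log file/syslog descriptors open across daemonize()`, would also explain the ordering change that moved logger setup above this call.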
@@ -51,7 +51,6 @@ def main(): if processed_rules_list: processed_rules_file.write("\n".join(sorted(processed_rules_list))) processed_rules_file.write("\n") - processed_rules_list = [] if __name__ == "__main__":