Snort-users mailing list archive, September 2004
[Snort-users] RE: Perl script that Generates Snort Raw Events
Kamal Ahmed, 2004-09-25, 5:50 pm
-----Original Message-----
From: Kamal Ahmed
Sent: Fri 9/24/2004 11:26 AM
To: 'snort-users@lists.sourceforge.net'
Subject: PERL script that Generates Snort Raw Events

Hi,

I would like to know if there is a PERL script that Generates Snort Raw Events, e.g.:

Full Format:

07/16/-2-08:06:26.464649 [**] [1:716:5] TELNET access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.16.112.50:23 -> 135.13.216.191:1026
07/16/-2-08:23:39.630057 [**] [1:716:5] TELNET access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.16.112.50:23 -> 135.13.216.191:1588
07/16/-2-08:34:18.399673 [**] [117:1:1] (spp_portscan2) Portscan detected from 195.73.151.50: 6 targets 6 ports in 19 seconds [**] {TCP} 195.73.151.50:2111 -> 172.16.113.105:25

Fast Format:

06/01/-2-08:04:50.992467 [**] [117:1:1] (spp_portscan2) Portscan detected from 172.16.114.148: 1 targets 21 ports in 14 seconds [**] {TCP} 172.16.114.148:20 -> 194.7.248.153:1812
06/01/-2-08:05:07.895030 [**] [1:716:5] TELNET access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.16.112.50:23 -> 135.8.60.182:1941
06/01/-2-08:06:48.768633 [**] [117:1:1] (spp_portscan2) Portscan detected from 197.218.177.69: 1 targets 21 ports in 12 seconds [**] {TCP} 197.218.177.69:20 -> 172.16.113.204:1306
06/01/-2-08:07:13.845382 [**] [1:716:5] TELNET access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.16.112.50:23 -> 135.8.60.182:2064
06/01/-2-08:16:27.920109 [**] [117:1:1] (spp_portscan2) Portscan detected from 135.8.60.182: 6 targets 6 ports in 5 seconds [**] {TCP} 135.8.60.182:2120 -> 172.16.114.168:25
06/01/-2-08:21:44.335582 [**] [117:1:1] (spp_portscan2) Portscan detected from 135.13.216.191: 6 targets 7 ports in 6 seconds [**] {TCP} 135.13.216.191:2186 -> 172.16.114.169:25

As well as Syslog Format (I do not have any example).

I would appreciate any info/help.

Thanks,
-Kamal.
-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
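An added example, not part of the thread and unrelated to sneeze.pl: a small Python script (in place of the Perl one asked for) that both emits synthetic single-line alerts in the layout of the samples above and parses them back, so a log-collection pipeline or SIEM parser can be exercised without a live sensor. It assumes Snort's default MM/DD-HH:MM:SS.usec timestamp (the /-2 in the samples is taken to be a mangled year field) and reuses the rule ids, classification string and message texts from the samples with constructed private addresses and times.

```python
import random
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# One single-line Snort alert as in the samples above (default MM/DD-HH:MM:SS.usec timestamp);
# the [Classification] [Priority] pair is optional: preprocessor events such as spp_portscan2 lack it.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6}) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d+)\] )?"
    r"\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

@dataclass
class Alert:
    ts: datetime
    gid: int; sid: int; rev: int                       # generator id, signature id, revision
    msg: str; proto: str; src: str; sport: int; dst: str; dport: int
    cls: str = ""                                      # classification text, "" if the rule has none
    pri: int = 0                                       # priority, 0 if the rule has none

    def to_line(self) -> str:
        tag = f"[Classification: {self.cls}] [Priority: {self.pri}] " if self.cls else ""
        return (f"{self.ts:%m/%d-%H:%M:%S.%f} [**] [{self.gid}:{self.sid}:{self.rev}] {self.msg} "
                f"[**] {tag}{{{self.proto}}} {self.src}:{self.sport} -> {self.dst}:{self.dport}")

def parse_line(line: str) -> Alert:
    # Parse one alert line back into fields; anything else raises ValueError.
    if not (m := ALERT_RE.match(line.strip())):
        raise ValueError(f"not a Snort alert line: {line!r}")
    d = m.groupdict()
    return Alert(datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f"), int(d["gid"]), int(d["sid"]),
                 int(d["rev"]), d["msg"], d["proto"], d["src"], int(d["sport"]), d["dst"],
                 int(d["dport"]), d["cls"] or "", int(d["pri"] or 0))

def generate(n: int, seed: int = 1) -> list:
    # Emit n synthetic alert lines (constructed data, private addresses only) for pipeline tests.
    rng, t, out = random.Random(seed), datetime(2004, 9, 24, 11, 26), []
    for _ in range(n):
        t += timedelta(seconds=rng.randint(1, 600), microseconds=rng.randint(0, 999999))
        src = f"10.0.{rng.randint(1, 254)}.{rng.randint(1, 254)}"
        dst = f"172.16.{rng.randint(1, 254)}.{rng.randint(1, 254)}"
        if rng.random() < 0.5:  # rule hit, modelled on the 1:716:5 TELNET access sample
            a = Alert(t, 1, 716, 5, "TELNET access", "TCP", src, 23, dst, rng.randint(1025, 65535),
                      "Not Suspicious Traffic", 3)
        else:  # preprocessor event, modelled on the 117:1:1 spp_portscan2 sample
            msg = (f"(spp_portscan2) Portscan detected from {src}: {rng.randint(1, 8)} targets "
                   f"{rng.randint(5, 30)} ports in {rng.randint(3, 20)} seconds")
            a = Alert(t, 117, 1, 1, msg, "TCP", src, 20, dst, 25)
        out.append(a.to_line())
    return out
```

Every generated line round-trips through parse_line, which is the check to run on your own collector's parser before pointing it at real sensor output.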
Lawrence Waterhouse, 2004-09-25, 5:50 pm
sneeze.pl - Snort False-Positive Generator
http://www.securiteam.com/tools/5DP0T0AB5G.html
L. Waterhouse