[Snort-users] Portscan log parser/reporter - update

Andrew Daviel andrew at ...523...
Mon Jun 4 18:20:18 EDT 2001

I've made a few changes/improvements to my portscan.log analyzer/reporter:

Add support for mailing dshield.org
Fold multiple scans from one source address into one report.
Add support for re-trying returned email to an alternate contact
Try to recurse assignments in ARIN and APNIC
Iterate on resolved address to look for an MX record

So far, since 7 May, it has mailed to 82 unique addresses to report 102
scans, of which I've received positive confirmation (as in mail from
a person confirming a breakin) of about 4.
An address was found or guessed for 102 out of 119 alerts.

(Oh yes, and one slightly embarrassing false alert from an NFS data


Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at ...524...
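The "fold multiple scans from one source address into one report" step, as an added example that is not Andrew's script: it parses constructed portscan.log lines (the Snort 1.x layout `Mon DD HH:MM:SS src:port -> dst:port FLAGS` is an assumption here) and produces one summary per source address, which is what an abuse report to the contact or to dshield.org would carry.

```python
import re
from datetime import datetime

# Assumed Snort 1.x portscan.log line layout (an assumption, not taken from
# the post): "Mon DD HH:MM:SS src:port -> dst:port FLAGS [TCP flag bits]"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>\S+)"
)

# Constructed sample log: two separate scans from 10.1.1.1 two days apart,
# plus a single UDP probe from 10.2.2.2.
SAMPLE_LOG = """\
May  7 13:02:03 10.1.1.1:4567 -> 192.168.0.1:21 SYN ******S*
May  7 13:02:03 10.1.1.1:4568 -> 192.168.0.1:22 SYN ******S*
May  7 13:02:04 10.1.1.1:4569 -> 192.168.0.1:23 SYN ******S*
May  7 13:05:10 10.2.2.2:1234 -> 192.168.0.7:111 UDP
May  9 02:11:45 10.1.1.1:5001 -> 192.168.0.9:21 SYN ******S*
May  9 02:11:46 10.1.1.1:5002 -> 192.168.0.10:21 SYN ******S*
"""

def fold_scans(text, year=2001):
    """Group every logged probe by source address so each source yields one
    report: time span, distinct targets, distinct destination ports, probe count.
    The log carries no year, so the caller supplies it."""
    reports = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip unparseable lines rather than aborting the whole run
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        r = reports.setdefault(m["src"], {"first": ts, "last": ts, "targets": set(),
                                          "ports": set(), "probes": 0})
        r["first"] = min(r["first"], ts)
        r["last"] = max(r["last"], ts)
        r["targets"].add(m["dst"])
        r["ports"].add(int(m["dport"]))
        r["probes"] += 1
    return reports

def render_report(src, r):
    """One plain-text summary line per source, suitable for a report body."""
    return (f"Source {src}: {r['probes']} probes, {len(r['targets'])} hosts, "
            f"ports {sorted(r['ports'])}, "
            f"{r['first']:%Y-%m-%d %H:%M:%S} to {r['last']:%Y-%m-%d %H:%M:%S}")

if __name__ == "__main__":
    for src, r in sorted(fold_scans(SAMPLE_LOG).items()):
        print(render_report(src, r))
```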
