[Snort-users] Portscan log parser/reporter - update

Andrew Daviel andrew at ...523...
Mon Jun 4 18:20:18 EDT 2001


I've made a few changes/improvements to my portscan.log analyzer/reporter,
viz.

Add support for mailing dshield.org
Fold multiple scans from one source address into one report.
Add support for re-trying returned email to an alternate contact
Try to recurse assignments in ARIN and APNIC
Iterate on resolved address to look for an MX record

So far, since 7 May, it has mailed to 82 unique addresses to report 102
scans, of which I've received positive confirmation (as in mail from
a person confirming a breakin) of about 4.
An address was found or guessed for 102 out of 119 alerts.

(Oh yes, and one slightly embarrassing false alert from an NFS data
transfer)

http://andrew.triumf.ca/pub/security/reporter/

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at ...524...






More information about the Snort-users mailing list