[Snort-users] A script to store ips and hostnames in the event table

Alain Tésio alain at ...2260...
Mon Jun 25 15:25:52 EDT 2001


Hi, I'm not sure if anyone is interested in this.
I've added the IPs and the hostnames to the event
table; the fields are updated by a script, see below
for an example.

Get the scripts from ftp://onesite.org/pub/snort.tar.gz,
change the connection parameters and launch snort.py;
it updates new rows. Apply the patch in a comment at
the top of snort.py first to add the new columns and indexes.

It doesn't reuse already stored resolved hostnames
(they should be in the DNS cache, right?).
If anyone is using it, tell me.

I wrote it on Debian Linux with Python 2.1 and
MySQLdb.

Alain

mysql> select * from event limit 3;
+-----+-----+----------------------------------------+---------------------+----------------+----------------+----------------------+----------------------+
| sid | cid | signature                              | timestamp           | ip_src         | ip_dst         | dns_src              | dns_dst              |
+-----+-----+----------------------------------------+---------------------+----------------+----------------+----------------------+----------------------+
|   1 |   1 | ICMP Echo Request CyberKit 2.2 Windows | 2001-05-26 16:28:23 | 172.173.75.254 | 64.242.40.20   | ACAD4BFE.ipt.aol.com | ns.floc.net          |
|   1 |   2 | ICMP Echo Reply                        | 2001-05-26 16:28:23 | 64.242.40.20   | 172.173.75.254 | ns.floc.net          | ACAD4BFE.ipt.aol.com |
|   1 |   3 | ICMP Echo Request Windows              | 2001-05-26 16:44:06 | 172.173.75.254 | 64.242.40.20   | ACAD4BFE.ipt.aol.com | ns.floc.net          |
+-----+-----+----------------------------------------+---------------------+----------------+----------------+----------------------+----------------------+
3 rows in set (0.01 sec)
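As an added illustration (not the snort.py from the post), one way the hostname-filling step can be written in Python 3: it takes event rows whose dns_* columns are still empty, reverse-resolves ip_src/ip_dst once per distinct address within a run, and emits parameterized UPDATEs for a DB-API cursor such as MySQLdb. The column names come from the table above; the row tuple layout, the PENDING_SQL query and the resolver hook are assumptions made for the example.

```python
import socket
from typing import Callable, Dict, List, Tuple

Event = Tuple[int, int, str, str]              # (sid, cid, ip_src, ip_dst)
Update = Tuple[str, Tuple[str, str, int, int]]  # (sql, params)

# Assumed query a run starts from: rows not yet annotated with hostnames.
PENDING_SQL = "SELECT sid, cid, ip_src, ip_dst FROM event WHERE dns_src IS NULL"

# Constructed sample rows matching the three events shown in the post.
SAMPLE_EVENTS: List[Event] = [
    (1, 1, "172.173.75.254", "64.242.40.20"),
    (1, 2, "64.242.40.20", "172.173.75.254"),
    (1, 3, "172.173.75.254", "64.242.40.20"),
]

def reverse_lookup(ip: str) -> str:
    """PTR lookup for one address. Returns '' (not NULL) on failure so the row
    counts as processed and is not retried on every run. Note that this sends
    a DNS query about the remote address, so run it off the sensor itself."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return ""

def build_updates(events: List[Event],
                  resolve: Callable[[str], str] = reverse_lookup
                  ) -> Tuple[List[Update], Dict[str, str]]:
    """Resolve each distinct address once per run and return the parameterized
    UPDATE statements plus the address -> hostname cache that was built."""
    cache: Dict[str, str] = {}
    updates: List[Update] = []
    for sid, cid, ip_src, ip_dst in events:
        for ip in (ip_src, ip_dst):
            if ip not in cache:
                cache[ip] = resolve(ip)
        updates.append((
            "UPDATE event SET dns_src = %s, dns_dst = %s WHERE sid = %s AND cid = %s",
            (cache[ip_src], cache[ip_dst], sid, cid),
        ))
    return updates, cache

def apply_updates(cursor, updates: List[Update]) -> int:
    """Execute the updates on any DB-API cursor; values go in as parameters,
    never interpolated into the SQL text. Returns the number of rows updated."""
    for sql, params in updates:
        cursor.execute(sql, params)
    return len(updates)

if __name__ == "__main__":
    # Offline demo with a fixed resolver; pass resolve=reverse_lookup for real PTR queries.
    fake = {"172.173.75.254": "ACAD4BFE.ipt.aol.com", "64.242.40.20": "ns.floc.net"}
    for sql, params in build_updates(SAMPLE_EVENTS, lambda ip: fake.get(ip, ""))[0]:
        print(sql % tuple(repr(p) for p in params))
```

In a real run the cursor would first execute PENDING_SQL and feed its rows to build_updates, then commit after apply_updates.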