[Snort-users] Looking at "raw" portscan preprocessor "scan" files.

Phil Wood cpw at ...440...
Thu Mar 15 20:36:28 EST 2001


Unix snort users that want to summarize scan files produced by the 
portscan preprocessor might want to try this burnt offering I patched
together.  It uses perl and shell scripts.  Extracting from the tarfile
creates a directory 'summarize-scan-file' in the working directory.

Here is the README:

1. scan-msgs, takes a snort spp_portscan log file and extracts specified fields.
   See: scan-msgs -h

2. Uniq, takes stdin and does the old "sort | uniq -c | sort -rn" trick.
   The twist is that it will put a field separator between the count and line
   produced by uniq -c. (Uniq -t,)

3. scan, some test data resulting from an nmap scan (abbreviated).

4. testit, run this to see how this stuff works together.

Note: when the portscan log file format changes you are on your own.

Now for the attachment.  Or, maybe I'm too late.

Phil Wood, cpw at ...440...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: scan-msgs.tgz
Type: application/x-gtar
Size: 1617 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010315/c9918f44/attachment.gtar>
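Added example (not from the tarball above, and not Phil's code): the same
extract-then-count flow as a POSIX shell script run over a few constructed
spp_portscan lines. The line layout assumed here (timestamp, src:port ->
dst:port, flag word, TCP flag mask) is what Snort 1.x's portscan preprocessor
wrote; the field names src/dst/dport/flags and the separator handling are my
own and are not scan-msgs or Uniq options.

```sh
#!/bin/sh
# Constructed sample of Snort 1.x spp_portscan "scan" log lines. Assumed
# format: "Mon DD HH:MM:SS src:port -> dst:port FLAGWORD FLAGMASK".
# These lines are made up for the example; RFC 5737 addresses throughout.
SAMPLE_SCAN='Mar 15 20:31:02 192.0.2.10:40123 -> 198.51.100.5:22 SYN ******S*
Mar 15 20:31:02 192.0.2.10:40124 -> 198.51.100.5:23 SYN ******S*
Mar 15 20:31:02 192.0.2.10:40125 -> 198.51.100.5:80 SYN ******S*
Mar 15 20:31:03 192.0.2.77:51000 -> 198.51.100.9:443 SYN ******S*
Mar 15 20:31:03 192.0.2.10:40126 -> 198.51.100.6:22 SYN ******S*
Mar 15 20:31:04 192.0.2.77:51001 -> 198.51.100.9:22 SYN ******S*'

# scan_field: read scan lines on stdin, print one chosen field per line.
# Field names are hypothetical (this script's own), not scan-msgs options:
#   src    source host with the port stripped
#   dst    destination host with the port stripped
#   dport  destination port only
#   flags  the textual flag word (SYN, UDP, ...)
scan_field() {
    case "$1" in
        src)   awk '{ sub(/:[^:]*$/, "", $4); print $4 }' ;;
        dst)   awk '{ sub(/:[^:]*$/, "", $6); print $6 }' ;;
        dport) awk '{ sub(/^.*:/, "", $6); print $6 }' ;;
        flags) awk '{ print $7 }' ;;
        *)     echo "usage: scan_field src|dst|dport|flags" >&2; return 1 ;;
    esac
}

# count_uniq: the "sort | uniq -c | sort -rn" trick, but each output line
# is "<count><SEP><value>" with SEP defaulting to a tab.  uniq -c pads the
# count with a variable number of leading blanks, so a fixed separator makes
# the result safe to hand to cut/awk downstream.
count_uniq() {
    sep="${1:-$(printf '\t')}"
    sort | uniq -c | sort -rn |
        awk -v s="$sep" '{ c = $1; $1 = ""; sub(/^ +/, "", $0); print c s $0 }'
}

# Stand-alone run: which source hosts generated the most scan lines.
printf '%s\n' "$SAMPLE_SCAN" | scan_field src | count_uniq
```

Pipe a real scan file in place of SAMPLE_SCAN (e.g. `scan_field dport < scan | count_uniq ,`) to rank the ports a scanner walked; the separator argument is whatever you would later pass to `cut -d` or `sort -t`.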