[Snort-users] Looking at "raw" portscan preprocessor "scan" files.
cpw at ...440...
Thu Mar 15 20:36:28 EST 2001
Unix snort users that want to summarize scan files produced by the
portscan preprocessor might want to try this burnt offering I patched
together. It uses perl and shell scripts. Extracting from the tarfile
creates a directory 'summarize-scan-file' in the working directory.
Here is the README:
1. scan-msgs, takes a snort spp_portscan log file and extracts specified fields.
See: scan-msgs -h
2. Uniq, takes stdin and does the old "sort | uniq -c | sort -rn" trick.
The twist is that it will put a field separator between the count and line
produced by uniq -c. (Uniq -t,)
3. scan, some test data resulting from an nmap scan (abbreviated).
4. testit, run this to see how this stuff works together.
Note: when the portscan log file format changes you are on your own.
Now for the attachment. Or, maybe I'm too late.
Phil Wood, cpw at ...440...
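As an added example (not Phil Wood's scripts or the scrubbed attachment), a small shell stand-in for scan-msgs and Uniq: it assumes the Snort 1.x spp_portscan "scan" line layout `Mon DD HH:MM:SS src:sport -> dst:dport FLAGS HEXFLAGS` and summarizes constructed sample lines, so it shows the summarize step a defender wants without the original tarfile.

```shell
#!/bin/sh
# Added example, not the original scripts. The log layout is ASSUMED to be
# the Snort 1.x spp_portscan scan file:
#   Mon DD HH:MM:SS src:sport -> dst:dport FLAGS HEXFLAGS
# The sample lines below are constructed (RFC 5737 documentation addresses).
SCAN_SAMPLE='Mar 15 20:30:01 192.0.2.10:40001 -> 198.51.100.5:22 SYN ******S*
Mar 15 20:30:01 192.0.2.10:40002 -> 198.51.100.5:80 SYN ******S*
Mar 15 20:30:02 192.0.2.10:40003 -> 198.51.100.5:443 SYN ******S*
Mar 15 20:30:05 203.0.113.7:55000 -> 198.51.100.5:22 SYN ******S*
Mar 15 20:30:09 192.0.2.10:40004 -> 198.51.100.6:22 SYN ******S*'

# scan_msgs FIELD: like scan-msgs, prints one value per log line read on
# stdin. FIELD is src, dst or dport (a hypothetical subset of scan-msgs -h).
scan_msgs() {
    awk -v f="$1" '
        NF >= 7 && $5 == "->" {
            split($4, s, ":"); split($6, d, ":")
            if (f == "src")        print s[1]
            else if (f == "dst")   print d[1]
            else if (f == "dport") print d[2]
        }'
}

# uniq_t SEP: the "sort | uniq -c | sort -rn" trick, with SEP placed between
# the count and the value (the "Uniq -t," twist), so output is easy to parse.
uniq_t() {
    sep="${1:-,}"
    sort | uniq -c | sort -rn |
        awk -v sep="$sep" '{ c = $1; $1 = ""; sub(/^ +/, ""); print c sep $0 }'
}

# summarize FIELD: runs the whole pipeline over the sample; the most active
# source (or most targeted port) comes out on the first line.
summarize() {
    printf '%s\n' "$SCAN_SAMPLE" | scan_msgs "$1" | uniq_t ","
}
```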