[Snort-users] Portscan log parser/reporter
andrew at ...523...
Wed May 2 14:41:21 EDT 2001
Does the world need another of these ? Well, anyhow:
I had been running snortsnarf on both alert and portscan logs, but
recently it had been blowing up because of all these wide scans (I've
been getting DNS scans across 50,000 addresses).
Most of the Snort alerts I get are, I'm fairly certain, bogus, resulting
from people forging our unused addresses, or ones I don't care about, e.g. ICMP port
unreachable, IIS Unicode attack, ftp (we use it), outgoing xterm (that
too) etc. But I still keep logs around for backtracking.
However, it's fairly clear that the scans, at least to large numbers of
addresses, are real, and I've been trying to report them.
I was wasting too much time doing it by hand, and they really should
be reported quickly if at all, so I have finally written a couple of
scripts to do it for me.
These are now available for others to use and improve:
There are 2 scripts; one that reads /var/log/portscan.log
every hour and makes a (not-very-pretty) HTML summary.
It also determines if a scan is worth reporting (over 200
addresses, or over 200 privileged ports - I was getting false
positives from large NFS and ftp data transfers)
and sends an email message to the second script, plus myself.
The second script tries to determine the owner of the address.
If it resolves, it tries to send mail to the RFC 2142 role account "abuse"
for the domain. ".com" is easy, but 2-letter TLDs are more complex.
I try to deal with .co.uk, .ac.uk, .co.jp, .xx.ca but have probably
missed a lot.
If it doesn't resolve, it tries to find a domain from an Apache or
Sendmail banner. Many sites in Asia do not resolve and these tricks often work.
If they don't, it uses whois and tries to build a role address,
otherwise uses the address given.
I was thinking of trying whois and rwhois servers at the domain, e.g. hosting
companies, if they exist, but didn't write the code as last time I tried
exodus or verio was rejected.
Ideally, I should have a script to handle replies and non-delivery
messages and update the contact database or iterate through "postmaster"
and domain whois contacts, but that hasn't been written either.
Some of this I know is similar to the geektools proxy and the forwarding
system at abuse.net. I haven't tried a direct comparison.
(I recently had a reply from someone who'd moved ISP but they hadn't
updated the RDNS yet, so you can't always trust it ..)
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at ...524...
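The two pieces described above (an hourly pass over portscan.log that decides which scans cross the 200-address / 200-privileged-port line, and the guess at an RFC 2142 "abuse" role address that has to cope with .co.uk, .ac.uk, .co.jp and .xx.ca) as an added example in Python. This is not the poster's code and none of it was on the list; the spp_portscan line shape, the list of second-level registries and the sample log are assumptions constructed here, and the reverse-DNS step is a caller-supplied lookup so the example runs offline (the banner-grab and whois fallbacks the post mentions are not implemented).

```python
import re
from collections import defaultdict

# Assumed shape of a Snort 1.x spp_portscan log line (constructed, not a real capture):
#   "May  2 14:41:21 192.0.2.10:1234 -> 10.0.0.1:53 UDP"
#   "May  2 14:41:22 192.0.2.30:4000 -> 203.0.113.9:22 SYN ******S*"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>.+)$"
)
PRIVILEGED_PORT_MAX = 1023


def summarize(lines):
    """Group log lines by source address.

    Returns ({src: {"addrs": set, "priv_ports": set, "lines": int}}, unparsed_count).
    Distinct destinations and distinct privileged ports are what matter, not packet
    counts: a bulk NFS or FTP transfer produces many lines but few of either.
    """
    per_src = defaultdict(lambda: {"addrs": set(), "priv_ports": set(), "lines": 0})
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            unparsed += 1
            continue
        rec = per_src[m["src"]]
        rec["lines"] += 1
        rec["addrs"].add(m["dst"])
        dport = int(m["dport"])
        if dport <= PRIVILEGED_PORT_MAX:
            rec["priv_ports"].add(dport)
    return dict(per_src), unparsed


def reportable(summary, addr_threshold=200, port_threshold=200):
    """Sources that hit more than addr_threshold addresses or port_threshold privileged ports."""
    return {src: rec for src, rec in summary.items()
            if len(rec["addrs"]) > addr_threshold or len(rec["priv_ports"]) > port_threshold}


# Assumed set of second-level registries under two-letter TLDs where the registrable
# domain is three labels deep; provincial .xx.ca is handled by the two-letter rule below.
SECOND_LEVEL = {"co.uk", "ac.uk", "org.uk", "gov.uk", "co.jp", "ne.jp", "or.jp", "ac.jp"}


def registrable_domain(hostname):
    """Strip a hostname down to the domain whose abuse@ mailbox should exist."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    suffix = ".".join(labels[-2:])
    if suffix in SECOND_LEVEL or (labels[-1] == "ca" and len(labels[-2]) == 2):
        return ".".join(labels[-3:]) if len(labels) >= 3 else None
    return suffix


def abuse_address(hostname):
    """RFC 2142 'abuse' role address for the host's domain, or None if no domain is derivable."""
    domain = registrable_domain(hostname)
    return f"abuse@{domain}" if domain else None


def build_report(lines, resolve):
    """Rows for each reportable source: counts plus the guessed abuse contact.

    `resolve` maps an IP to a hostname or None (in production socket.gethostbyaddr;
    here the caller passes a table so the example runs offline).
    """
    summary, unparsed = summarize(lines)
    rows = []
    for src, rec in sorted(reportable(summary).items()):
        host = resolve(src)
        rows.append({"src": src, "addrs": len(rec["addrs"]),
                     "priv_ports": len(rec["priv_ports"]),
                     "contact": abuse_address(host) if host else None})
    return rows, unparsed


def sample_log():
    """Constructed sample: a DNS sweep, a bulk transfer, a port sweep, one junk line."""
    lines = [f"May  2 14:41:21 192.0.2.10:1234 -> 10.0.0.{i}:53 UDP" for i in range(1, 251)]
    lines += [f"May  2 14:42:00 192.0.2.20:20 -> 203.0.113.5:{40000 + i} SYN ******S*"
              for i in range(300)]
    lines += [f"May  2 14:43:00 192.0.2.30:4000 -> 203.0.113.9:{p} SYN ******S*"
              for p in range(1, 301)]
    lines.append("garbage line that the parser must skip")
    return lines


if __name__ == "__main__":
    # Constructed reverse-DNS table standing in for gethostbyaddr().
    table = {"192.0.2.10": "ns1.example.co.uk"}
    rows, bad = build_report(sample_log(), table.get)
    for r in rows:
        print(r)
    print("unparsed lines:", bad)
```

Only the first and third sources come out as reportable: the FTP-style transfer touches one address and no privileged ports, which is the false positive the post's thresholds are chosen to exclude. A source that does not resolve gets a `None` contact, which is the point where the post's banner-grab and whois fallbacks would take over.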