[Snort-users] Anyone good with sed, awk, perl, php for a script request.....

Donofrio, Lewis donofrio at ...1052...
Thu Aug 1 12:40:33 EDT 2002


> 2.) Does anyone have the ability to craft up a php script or
> awk or sed or grep script that would create the following 
> emails from the snort logs?  The current script analyzes the 
> 'Attack-list.cvs' to get the info needed, then it does a whois 
> on the attacker's IP and queries for the Administrative Contact 
> for that subnet and sends them this email....first it emails 
> me so I can authorize that it's not a 'False Positive'
> 
> ***SNIPPED****
> > ****** Mail sent to: stievano at ...6509... at: 7/28/2002 10:55:18 AM
> > Administrative Contact: stievano at ...6509...
> >
> > On 11:44:04 PM, Sunday, July 28, 2002, there were several unauthorized
> > attempts to access servers here at the University of Michigan, USA.
> > The attempts appear to have originated from 212.94.129.152, a host in
> > your domain. I'm sending you the portion of our log files that alerted
> > us to this break-in attempt. The times indicated are Eastern Daylight
> > Time.
> >
> > Since this activity amounts to trying to gain illegal access to a
> > government machine across state lines, I appreciate your assistance in
> > preventing future intrusion attempts from this machine. Thanks.
> >
> > http://advice.networkice.com/advice/Intrusions/2003013/?port=1433&reason=RSTsent
> > ********SNIPPED FROM ATTACKLIST.CVS********
> > Severity		1
> > Timestamp (GMT) 	2002-07-28 23:44:44
> > IssueId		2003013
> > IssueName		SQL port probe
> > IntruderIp		212.94.129.152
> > IntruderName	SUPROBY
> > VictimIp		198.111.227.57
> > VictimName
> > Attack Parameters	port=1433&reason=RSTsent
> > Attack Count	8
> > Intruder Port	2654
> > Victim Port		1433
> > ********SNIPPED FROM ATTACKLIST.CVS********
> >
> > --Thanks.
> >
> > 
> > ______________________________________________________________________
> > Lewis	Donofrio at ...1052...	College of Literature, Science, & Arts
> > 1007 East Huron, Room 201,	BetaID:243340	Cell: (734) 323-8776
> > Ann Arbor,MI 48104-1690	www.umich.edu/~donofrio	Fax: (734) 647-8333
> ***SNIPPED****
> 
> 2.5) note above the ATTACK COUNT is Eight!


______________________________________________________________________ 
Lewis	Donofrio at ...1052...	College of Literature, Science, & Arts 
1007 East Huron, Room 201,	BetaID:243340	Cell: (734) 323-8776
Ann Arbor,MI 48104-1690	www.umich.edu/~donofrio	 Fax: (734) 647-8333 
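The pipeline the post asks for (parse the attack-list export, whois the intruder, pick out the Administrative Contact, and mail the operator first for a go/no-go before anything goes to the registry contact), written out as an added example in Python rather than the sed/awk/perl/php the poster mentions. This is not code from the post, from the poster's existing script, or from BlackICE. The record layout and the first record are copied from the snippet quoted above; the second record, both whois fragments, the reviewer address, the 5-hit threshold and the whois field fallbacks (abuse-mailbox:, e-mail:) are assumptions made for illustration. Sending is deliberately left out: in production `whois_lookup` would wrap whois(1) via subprocess and the approved draft would be handed to smtplib.

```python
"""Added example: parse BlackICE attack-list records in the layout quoted in the
post, keep the reportable ones, pull a contact from whois text, draft the notice."""
import ipaddress
import re
import textwrap
from email.message import EmailMessage

# Constructed sample in the tab-separated layout quoted in the post: the first
# record is the post's own, the second is made up (private source address).
SAMPLE_RECORDS = """\
Severity\t1
Timestamp (GMT)\t2002-07-28 23:44:44
IssueId\t2003013
IssueName\tSQL port probe
IntruderIp\t212.94.129.152
IntruderName\tSUPROBY
VictimIp\t198.111.227.57
VictimName\t
Attack Parameters\tport=1433&reason=RSTsent
Attack Count\t8
Intruder Port\t2654
Victim Port\t1433

Severity\t1
Timestamp (GMT)\t2002-07-29 01:02:03
IssueName\tSQL port probe
IntruderIp\t10.0.0.5
Attack Count\t20
Victim Port\t1433
"""
# Constructed whois fragments: an "Administrative Contact" block (what the
# post's script looks for) and a RIPE-style block with abuse-mailbox (assumption).
WHOIS_ADMIN = ("OrgName: Example Hosting\nAdministrative Contact:\n"
               "   Jane Doe  hostmaster@example.net\n   +1-555-0100\n")
WHOIS_RIPE = ("inetnum: 192.0.3.0 - 192.0.3.255\n"
              "abuse-mailbox: abuse@example.org\ne-mail: noc@example.org\n")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_records(text):
    """Blank-line separated records; each line is name, tab, value (value may be empty)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition("\t")
            if key.strip():
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def should_report(rec, min_count=5):
    """Routable source and repeat threshold met; whois on 10/8 tells you nothing."""
    try:
        ip = ipaddress.ip_address(rec.get("IntruderIp", ""))
        count = int(rec.get("Attack Count", "0"))
    except ValueError:
        return False
    return ip.is_global and count >= min_count

def contact_from_whois(text):
    """Address under 'Administrative Contact', else abuse-mailbox:, else e-mail:."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "administrative contact" in line.lower():
            m = EMAIL_RE.search("\n".join(lines[i:i + 4]))
            if m:
                return m.group(0)
    for label in ("abuse-mailbox:", "e-mail:"):
        for line in lines:
            m = EMAIL_RE.search(line) if line.lower().startswith(label) else None
            if m:
                return m.group(0)
    return None

def draft_notice(rec, contact, reviewer, site="University of Michigan, USA"):
    """Notice meant for the registry contact, but addressed to the reviewer first."""
    msg = EmailMessage()
    msg["To"] = reviewer
    msg["Subject"] = f"[review] {rec['IssueName']} from {rec['IntruderIp']} x{rec['Attack Count']}"
    intro = textwrap.fill(
        f"On {rec['Timestamp (GMT)']} GMT there were {rec['Attack Count']} "
        f"attempts to reach port {rec['Victim Port']} on servers at {site} "
        f"from {rec['IntruderIp']}, a host in your network. The log record "
        "that triggered this notice follows.", 72)
    log = "\n".join(f"{k}\t{v}" for k, v in rec.items())
    msg.set_content(f"Intended recipient: {contact}\n\n{intro}\n\n{log}")
    return msg

def triage(text, whois_lookup, reviewer):
    """One draft per reportable record; whois_lookup(ip) returns raw whois text."""
    drafts = []
    for rec in parse_records(text):
        if should_report(rec):
            contact = contact_from_whois(whois_lookup(rec["IntruderIp"])) or "unknown"
            drafts.append(draft_notice(rec, contact, reviewer))
    return drafts

if __name__ == "__main__":
    for d in triage(SAMPLE_RECORDS, lambda ip: WHOIS_ADMIN, "reviewer@example.edu"):
        print(d)
```

Two checks the post's description of the existing script does not mention: a private or reserved intruder address is dropped before any whois (it is spoofed or internal, and the registry answer would point at the wrong party), and a record below the repeat threshold is dropped so a single RST probe does not produce a complaint. Every draft is addressed to the reviewer with the intended registry contact recorded in the body, so the false-positive check happens before any mail leaves the site.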




