[Snort-users] FW: Anyone good with sed, awk, perl, php for a script request.....

Donofrio, Lewis donofrio at ...1052...
Mon Aug 12 09:31:11 EDT 2002


This script does a whois and greps out the "Administrative Contact" to
allow *them* (the ISP of the attacker) to notify the user to 'cease and
desist'.

> 2.) Does anyone have the ability to craft up a php script or awk or 
> sed or grep script that would create the following emails from the 
> snort logs?  The current script analyzes the 'Attack-list.cvs' to get 
> the info needed, then it does a whois on the attacker's IP and queries 
> for Administrative Contact for that subnet and sends them this 
> email....first it emails me so I can authorize that it's not a 'False 
> Positive'
> 
> ***SNIPPED****
> > ****** Mail sent to: stievano at ...6509... at: 7/28/2002 10:55:18 AM 
> > Administrative Contact: stievano at ...6509...
> >
> > On 11:44:04 PM, Sunday, July 28, 2002, there were several unauthorized
> > attempts to access servers here at the University of Michigan, USA.
> > The attempts appear to have originated from 212.94.129.152, a host in
> > your domain. I'm sending you the portion of our log files that alerted
> > us to this break-in attempt. The times indicated are Eastern Daylight
> > Time.
> >
> > Since this activity amounts to trying to gain illegal access to a
> > government machine across state lines, I appreciate your assistance in
> > preventing future intrusion attempts from this machine. Thanks.
> >
> > http://advice.networkice.com/advice/Intrusions/2003013/?port=1433&reason=RSTsent
> > ********SNIPPED FROM ATTACKLIST.CVS********
> > Severity		1
> > Timestamp (GMT) 	2002-07-28 23:44:44
> > IssueId		2003013
> > IssueName		SQL port probe
> > IntruderIp		212.94.129.152
> > IntruderName	SUPROBY
> > VictimIp		198.111.227.57
> > VictimName
> > Attack Parameters	port=1433&reason=RSTsent
> > Attack Count	8
> > Intruder Port	2654
> > Victim Port		1433
> > ********SNIPPED FROM ATTACKLIST.CVS********
> >
> > --Thanks.
> >
> > 
> > ______________________________________________________________________
> > Lewis	Donofrio at ...1052...	College of Literature, Science, & Arts
> > 1007 East Huron, Room 201,	BetaID:243340	Cell: (734) 323-8776
> > Ann Arbor,MI 48104-1690	www.umich.edu/~donofrio	Fax: (734) 647-8333
> ***SNIPPED****
> 
> 2.5) note above the ATTACK COUNT is Eight!


______________________________________________________________________ 
Lewis	Donofrio at ...1052...	College of Literature, Science, & Arts 
1007 East Huron, Room 201,	BetaID:243340	Cell: (734) 323-8776
Ann Arbor,MI 48104-1690	www.umich.edu/~donofrio	 Fax: (734) 647-8333 
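The workflow the request describes (read one attack-list record, pull the Administrative Contact out of whois output, gate on the Attack Count, and draft the complaint so the analyst sees it before the ISP does) as an added Python example. This is not the script from the post; the record text, the whois text, every address and host name, and the X-Abuse-Recipient header are constructed for the example, and the actual whois lookup and SMTP delivery are left to the caller.

```python
"""Draft an abuse notification from a Snort/attack-list record.

Everything here runs offline on constructed sample text: the whois
query and the mail submission are deliberately left to the caller.
"""
import re
from datetime import datetime, timezone
from email.message import EmailMessage
from typing import Dict, Optional

# Constructed record in the tab-separated key/value layout shown in the
# post. Addresses come from the RFC 5737 documentation ranges.
SAMPLE_RECORD = """\
Severity\t\t1
Timestamp (GMT)\t2002-07-28 23:44:44
IssueId\t\t2003013
IssueName\t\tSQL port probe
IntruderIp\t\t203.0.113.45
IntruderName\tEXAMPLE-HOST
VictimIp\t\t198.51.100.7
VictimName
Attack Parameters\tport=1433&reason=RSTsent
Attack Count\t8
Intruder Port\t2654
Victim Port\t\t1433
"""

# Constructed whois output imitating the registry layout the script grepped:
# the contact details follow an "Administrative Contact:" heading and the
# block ends at the next blank line.
SAMPLE_WHOIS = """\
inetnum:      203.0.113.0 - 203.0.113.255
netname:      EXAMPLE-NET

Administrative Contact:
    Example Admin  (EA123-EXAMPLE)   abuse@example.net
    +1 555 0100

Technical Contact:
    Example Tech   (ET456-EXAMPLE)   noc@example.net
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_record(text: str) -> Dict[str, str]:
    """Split each line on runs of tabs into key -> value. A key with no
    value (VictimName above) maps to an empty string."""
    record: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = re.split(r"\t+", line.rstrip(), maxsplit=1)
        record[parts[0].strip()] = parts[1].strip() if len(parts) > 1 else ""
    return record


def admin_contact(whois_text: str) -> Optional[str]:
    """Return the first e-mail address inside the Administrative Contact
    block (heading line included), or None if there is no such block."""
    lines = whois_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().lower().startswith("administrative contact"):
            for candidate in lines[i:]:
                if not candidate.strip():   # blank line closes the block
                    break
                m = EMAIL_RE.search(candidate)
                if m:
                    return m.group(0)
            return None
    return None


def should_notify(record: Dict[str, str], min_count: int = 1) -> bool:
    """Gate on Attack Count so a single stray packet does not become a
    complaint; the post's own sample shows a count of eight."""
    try:
        return int(record.get("Attack Count", "0")) >= min_count
    except ValueError:
        return False


def draft_notification(record: Dict[str, str], contact: str, reviewer: str,
                       sender: str = "security@example.edu") -> EmailMessage:
    """Build the complaint addressed to the reviewer (the 'first it emails
    me' step). The ISP contact rides in a constructed X-Abuse-Recipient
    header so the reviewer can forward it after ruling out a false positive."""
    when = datetime.strptime(record["Timestamp (GMT)"], "%Y-%m-%d %H:%M:%S")
    when = when.replace(tzinfo=timezone.utc)
    body = (
        f"On {when:%Y-%m-%d %H:%M:%S %Z}, there were {record['Attack Count']} "
        f"unauthorized attempts ({record['IssueName']}) to access "
        f"{record['VictimIp']} port {record['Victim Port']} here.\n"
        f"The attempts appear to have originated from {record['IntruderIp']}, "
        f"a host in your domain. The relevant log record follows.\n\n"
        + "\n".join(f"{k}\t{v}" for k, v in record.items())
        + "\n"
    )
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = reviewer
    msg["X-Abuse-Recipient"] = contact
    msg["Subject"] = f"[review] intrusion attempts from {record['IntruderIp']}"
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    if should_notify(rec, min_count=5):
        print(draft_notification(rec, admin_contact(SAMPLE_WHOIS) or "",
                                 "analyst@example.edu"))
```

To wire it up, feed `admin_contact()` the output of `subprocess.run(["whois", rec["IntruderIp"]], capture_output=True, text=True).stdout` and hand the returned message to `smtplib.SMTP.send_message()`; keep the reviewer as the first recipient, since a false positive sent straight to an ISP contact is hard to retract.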