[Snort-users] Correlation with Scripts/DB Question.

Vinay A. Mahadik
Tue Aug 13 10:59:04 EDT 2002


I have only tried SnortSnarf as of now, but it didn't help. Before
trying further, I decided to ask first.

All I want to do is this - for a given Snort 'alert' file, for each and all
(sip, none/dip) pair(s) in the entire file, generate an output like -

"sip[k1], none/dip[k2], timestamp[k3], sid, sport, dport[k4]"

for the entire alert file. The [ki]s indicate the sort keys and the
level (primary, secondary etc). Order of k3 and k4 should ideally be
switchable.

As you might see, I want to see the *time-sequence* of alerts (sid's)
triggered by a sip on a particular dip (which might be
none=entire_network for portscans e.g.) for all such (sip, dip) pairs
present.

Does anything do that? Or should one resort to awk/sed/perl scripts for
such?

Do let me know if that's possible/already-done. If you have scripts that
extract this info from the alerts file, I would really appreciate a
copy.

Thanks,
Vinay.

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618
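An added example, not from the poster or the Snort project, of the kind of script asked for above, written in Python rather than awk/sed/perl. It assumes the alert file is in Snort's one-line alert_fast format (the sample lines are constructed to that assumption), groups alerts by (sip, dip) with dip = "none" for alerts that carry no destination host (portscan-style), and orders each group by timestamp then dport, or the reverse when `time_first=False`.

```python
import re
from collections import defaultdict

# Constructed sample in Snort's one-line alert_fast format (an assumption about
# the poster's file). The third line mimics a portscan alert with no destination.
SAMPLE_ALERTS = """\
08/13-10:59:02.500000  [**] [1:1000:1] CONSTRUCTED WEB PROBE [**] [Priority: 2] {TCP} 10.0.0.5:40001 -> 192.168.1.10:80
08/13-10:59:04.100000  [**] [1:1001:1] CONSTRUCTED SSH PROBE [**] [Priority: 2] {TCP} 10.0.0.5:40002 -> 192.168.1.10:22
08/13-10:58:59.000000  [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 10.0.0.5 (CONSTRUCTED) [**]
08/13-10:59:07.000000  [**] [1:1000:1] CONSTRUCTED WEB PROBE [**] [Priority: 2] {TCP} 10.0.0.9:5555 -> 192.168.1.20:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\](?:.*\{\w+\}\s+(?P<sip>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dip>[\d.]+)(?::(?P<dport>\d+))?)?")
FROM_RE = re.compile(r"\bfrom (\d+\.\d+\.\d+\.\d+)")

def parse_alerts(text):
    """Return (sip, dip, ts, sid, sport, dport) tuples; no destination -> 'none'."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # skip lines not in the expected shape
        sip = m["sip"]
        if sip is None:               # portscan-style alert: source is in the message
            hit = FROM_RE.search(m["msg"])
            sip = hit.group(1) if hit else "unknown"
        port = lambda g: int(g) if g else None
        rows.append((sip, m["dip"] or "none", m["ts"], int(m["sid"]),
                     port(m["sport"]), port(m["dport"])))
    return rows

def sequence_by_pair(rows, time_first=True):
    """Group by (sip, dip); order each group by (ts, dport), or (dport, ts) when
    time_first is False. The fixed-width timestamp sorts chronologically as text."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r[0], r[1])].append(r)
    def key(r):
        dport = -1 if r[5] is None else r[5]
        return (r[2], dport) if time_first else (dport, r[2])
    return [(pair, sorted(groups[pair], key=key)) for pair in sorted(groups)]

if __name__ == "__main__":
    for pair, seq in sequence_by_pair(parse_alerts(SAMPLE_ALERTS)):
        for sip, dip, ts, sid, sport, dport in seq:
            print("%s, %s, %s, %d, %s, %s" % (sip, dip, ts, sid, sport, dport))
```

Alerts in the multi-line "full" alert format would need a different parser, since the timestamp and the address pair sit on a separate line from the sid and message.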
