[Snort-users] Highlighting an IP address in an alert/log

Peter Bates Peter.Bates at ...79...
Tue May 21 03:56:02 EDT 2002


Hello all...

This might seem like an odd request/thing to want to do,
but here I go, anyway...

I have a large group (about 200+ lines, I think) of
networks expressed in the usual way in a file, e.g.

w.x.y.z/16

These are networks I'm particularly interested in noticing
activity from ...

I have a Perl script, using Net::NetMask, which I presently pass logs
through, but it could trivially take, say, an IP address on STDIN, and
then return an error status depending on whether the IP 'matched'
the list or not.

Is there any way of doing this internally in snort (like essentially
having the Perl script as a 'helper'), or should I just look at something
to wrap around my logs? (I'd naturally like to do it 'real-time' as I
normally watch Snort syslogging, while also preserving the logs in other
ways).

If I held all of the networks, I suppose I could just have a generic
rule to alert on traffic 'from' the nets... it's just that it is a very
big list :)

Thanks for any suggestions.




--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax: 0207- 636 9838 
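The filter described above (a CIDR watch list, an IP checked against it, and Snort syslog alerts flagged when the source matches), as an added example that is not the poster's script or part of Snort; it is written in Python rather than Perl, uses the standard ipaddress module in place of Net::NetMask, and the network list, log lines and regex for the syslog alert layout are constructed sample values:

```python
import re
import ipaddress

# Constructed watch list in the CIDR form the post describes (sample, documentation-range addresses).
WATCHED_NETS_TEXT = """\
# networks of interest, one per line
192.0.2.0/24
198.51.100.0/25
203.0.113.0/24
"""

# Constructed Snort syslog alert lines (sample addresses; layout assumed from snort -s output).
SAMPLE_LOG = """\
May 21 03:55:01 sensor snort[1234]: [1:1000:1] SCAN probe [Priority: 2]: {TCP} 192.0.2.77:4321 -> 10.1.1.5:80
May 21 03:55:02 sensor snort[1234]: [1:1001:1] WEB-MISC test [Priority: 3]: {TCP} 10.9.9.9:5555 -> 10.1.1.5:80
May 21 03:55:03 sensor snort[1234]: [1:1002:1] ICMP ping [Priority: 3]: {ICMP} 198.51.100.200 -> 10.1.1.5
May 21 03:55:04 sensor snort[1234]: [1:1002:1] ICMP ping [Priority: 3]: {ICMP} 198.51.100.9 -> 10.1.1.5
"""

# Source address follows the "{PROTO}" token; the ":port" part is absent for ICMP.
SRC_RE = re.compile(r"\{\w+\}\s+(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->")

def load_networks(text):
    """Parse a CIDR list, skipping blank lines and '#' comments; strict=False tolerates host bits set."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def matches(ip_str, nets):
    """Return the first watched network containing ip_str, or None (the Perl script's exit status)."""
    ip = ipaddress.ip_address(ip_str)
    return next((net for net in nets if ip in net), None)

def source_ip(log_line):
    m = SRC_RE.search(log_line)
    return m.group(1) if m else None

def flag_alerts(log_text, nets):
    """Return (source_ip, matched_network, line) for each alert whose source is in a watched net."""
    hits = []
    for line in log_text.splitlines():
        src = source_ip(line)
        net = matches(src, nets) if src else None
        if net is not None:
            hits.append((src, str(net), line))
    return hits

if __name__ == "__main__":
    for src, net, line in flag_alerts(SAMPLE_LOG, load_networks(WATCHED_NETS_TEXT)):
        print(f"*** {src} in {net}: {line}")
```

Piping live syslog output through flag_alerts gives the real-time highlighting the post asks for without touching Snort itself; note that 198.51.100.200 falls outside the /25 and is correctly left unflagged.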