[Snort-users] Dshield perl script.

Mark Rowlands mark.rowlands at ...752...
Wed Sep 18 22:18:03 EDT 2002


On Wed September 18 2002 15:49, Jaco Lange wrote:
> ** High Priority **
> ** Reply Requested When Convenient **
>
> Hi Mark
>
>
> I tried the perl script you wrote for Snort ACID and MYSQL
> I found it very useful, everything works just the IP address is
> returned in a
> funny way, it looks like it is not converted to an IP address format
> xxx.xxx.xx.xx instead I get a number
>
> Subject FORMAT DSHIELD USERID 12345678 TZ +02:00
>
> 2002-09-17 15:16:00
> +01:00	USERID	1	3232236545	8080	3232236309	1190	TCP
>
>         how do I get this IP ?
>

Well, I've written a couple of them now on a "use at your own peril" basis, but
I guess you are missing a lump that looks like ...


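use Socket;   # provides inet_ntoa

# Convert a 32-bit integer IP, as stored in the database, to dotted-quad.
sub getip {
  my $ip = inet_ntoa(pack("N", $_[0]));
  return $ip;
}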

and possibly 

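# Resolve a dotted-quad address to a hostname; fall back to the address.
sub iptoname {
  my @numbers = split(/\./, $_[0]);
  my $ip_number = pack("C4", @numbers);
  my ($name) = (gethostbyaddr($ip_number, 2))[0];   # 2 = AF_INET
  if ($name) {
    return $name;
  } else {
    # no reverse DNS entry: return the address that was passed in
    return $_[0];
  }
}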
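
Added example, not part of the original post or of Mark's script: a filter that applies the same pack("N") / inet_ntoa conversion to both IP columns of a DShield-format line and skips lines whose address field is not a valid 32-bit value. The column positions are assumed from the line quoted above, and the names to_dotted and fix_line are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_ntoa);

# Convert one field to dotted-quad. Accepts an unsigned 32-bit integer
# (as stored in the database); a field that is already dotted is passed
# through unchanged. Anything else yields undef.
sub to_dotted {
    my ($field) = @_;
    return $field if $field =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    return unless $field =~ /^\d{1,10}$/ && $field <= 0xFFFFFFFF;
    return inet_ntoa(pack("N", $field));
}

# Assumed tab-separated fields:
# timestamp, userid, count, src IP, src port, dst IP, dst port, protocol
sub fix_line {
    my ($line) = @_;
    my @f = split /\t/, $line, -1;
    return if @f < 8;
    for my $i (3, 5) {
        my $ip = to_dotted($f[$i]);
        return unless defined $ip;    # reject the line rather than guess
        $f[$i] = $ip;
    }
    return join "\t", @f;
}

# Constructed sample input, modelled on the line quoted in the post.
# The second line carries an out-of-range value in the target IP column.
my @sample = (
    "2002-09-17 15:16:00 +01:00\tUSERID\t1\t3232236545\t8080\t3232236309\t1190\tTCP",
    "2002-09-17 15:17:00 +01:00\tUSERID\t1\t192.168.4.1\t8080\t4294967296\t1190\tTCP",
);
for my $line (@sample) {
    my $fixed = fix_line($line);
    print defined $fixed ? "$fixed\n" : "skipped: $line\n";
}
```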




