[Snort-users] email notification scripts
larosa, vjay
larosa_vjay at ...3331...
Fri Jan 3 05:13:09 EST 2003
This is an example of the output:
# ./Daily-IDS-Report.pl
IDS Event Statistics.
Event Name Number of Events
SCAN UPNP service discover attempt 32110
SHELLCODE x86 NOOP 19709
SHELLCODE x86 unicode NOOP 8917
POP3 PASS overflow attempt 5227
POP3 USER overflow attempt 3784
SHELLCODE x86 stealth NOOP 2434
RPC mountd UDP exportall request 2332
DNS zone transfer 1258
WEB-MISC robots.txt access 842
WEB-CLIENT javascript URL host spoofing attempt 828
TELNET access 758
SHELLCODE x86 inc ebx NOOP 756
WEB-MISC net attempt 447
RPC portmap UDP proxy attempt 411
WEB-CGI count.cgi access 386
WEB-ATTACKS mail command attempt 359
ATTACK RESPONSES id check returned root 208
RPC mountd TCP exportall request 177
WEB-MISC ICQ Webfront HTTP DOS 129
POP3 AUTH overflow attempt 109
RPC mountd UDP export request 98
VIRUS Klez Incoming 95
RSERVICES rsh root 84
FTP CWD overflow attempt 63
WEB-CGI cgiwrap access 60
WEB-MISC nc.exe attempt 58
WEB-MISC intranet access 57
DDOS mstream client to handler 56
WEB-MISC login.htm access 40
WEB-MISC cisco /%% DOS attempt 38
SHELLCODE sparc setuid 0 33
WEB-ATTACKS cc command attempt 32
WEB-ATTACKS /bin/ps command attempt 31
POP3 LIST overflow attempt 27
WEB-MISC handler access 26
FTP wu-ftp bad file completion attempt [ 25
WEB-MISC /exchange/root.asp access 23
NETBIOS Fun Love NTLDR 23
NETBIOS Fun Love flcss.exe 22
WEB-MISC RBS ISP /newuser access 19
WEB-MISC cd.. 18
SHELLCODE x86 setgid 0 18
ORACLE all_tables access 16
SHELLCODE x86 EB OC NOOP 15
EXPLOIT ntpdx overflow attempt 15
EXPLOIT CDE dtspcd exploit attempt 14
ATTACK RESPONSES http dir listing 13
WEB-MISC apache ?M=A directory list attempt 12
SHELLCODE x86 setuid 0 12
DDOS shaft client to handler 11
WEB-FRONTPAGE _vti_rpc access 11
TELNET login incorrect 11
BAD TRAFFIC udp port 0 traffic 11
DOS DB2 dos attempt 10
WEB-CGI /cgi-bin/ access 9
WEB-CGI ad.cgi access 9
WEB-MISC ftp attempt 8
NETBIOS Samba clientaccess 8
WEB-CGI finger access 8
WEB-MISC /home/ftp access 8
NETBIOS Possible NTLDR modification 8
FTP CWD ~<CR><NEWLINE> attempt 7
WEB-MISC Transfer-Encoding: chunked 7
WEB-IIS _vti_inf access 7
WEB-MISC plusmail access 6
WEB-CGI htsearch access 5
WEB-IIS ISAPI .idq attempt 5
WEB-CGI cvsweb.cgi access 5
POP3 APOP overflow attempt 5
WEB-CGI register.cgi access 5
BAD TRAFFIC same SRC/DST 5
WEB-CGI swc access 5
Virus - Possible scr Worm 4
WEB-MISC Domino domcfg.nsf access 4
WEB-IIS asp-dot attempt 4
WEB-CGI upload.pl access 4
WEB-MISC Domino names.nsf access 3
VIRUS Klez in POP MIME attachment 3
WEB-CLIENT Outlook EML access 3
ATTACK RESPONSES command completed 2
Virus - Possible pif Worm 2
WEB-CGI db2www access 2
MS-SQL/SMB sa login failed 2
DNS SPOOF query response with ttl: 1 min. and no authority 2
WEB-IIS _mem_bin access 2
WEB-ATTACKS perl execution attempt 2
WEB-PHP php.exe access 2
FTP SITE overflow attempt 2
WEB-IIS webdav file lock attempt 2
WEB-CGI eXtropia webstore access 2
WEB-CGI icat access 2
WEB-MISC /home/www access 2
WEB-CGI eXtropia webstore directory traversal 2
MISC MS Terminal server request (RDP) 1
MS-SQL xp_reg* - registry access 1
WEB-MISC Lotus EditDoc attempt 1
WEB-MISC telnet attempt 1
WEB-IIS ISAPI .idq access 1
WEB-MISC DELETE attempt 1
WEB-CGI formmail access 1
WEB-IIS encoding access 1
WEB-IIS .... access 1
WEB-CGI phf access 1
WEB-CGI Web Shopper shopper.cgi access 1
SCAN myscan 1
WEB-PHP directory.php access 1
WEB-CGI archie access 1
WEB-MISC /.... 1
WEB-MISC jigsaw dos attempt 1
WEB-CGI AlienForm af.cgi access 1
FTP invalid MODE 1
WEB-IIS .asp Transfer-Encoding: chunked 1
WEB-COLDFUSION ?Mode=debug attempt 1
DDOS mstream handler to client 1
DDOS TFN Probe 1
WEB-MISC musicat empower access 1
SQL Server Scan 1
Total Number of Events: 82475
-----Original Message-----
From: Ryan Ordway [mailto:ryan at ...7885...]
Sent: Thursday, January 02, 2003 6:34 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] email notification scripts
I've recently moved from an alert logging based Snort system to a
MySQL based logging Snort system. Previously I had a script that would
parse the alert file periodically and email the output to me if certain
conditions existed (certain rules had been matched). Now of course, there
is no alerts file to parse.
Is there a script available online somewhere that will connect to
the database and run a query to list all alerts logged in the last x
amount of time? I'm trying to write one myself, but not having much luck
unfortunately.... maybe something to use as an example?
Thanks muchly,
Ryan
--
ryan at ...7885...
HELO... my name is root... you have SIGKILLed my father... prepare to vi!
Hi! Can you to speak to me the learn for to speak the Unix?
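An added example, not vjay's Daily-IDS-Report.pl (whose source is not in the message) and not code from the Snort project: a small Python script that does what Ryan asks for and produces a report in the same shape as the output above. It assumes the standard Snort database output plugin schema, i.e. an `event` table (`sid`, `cid`, `signature`, `timestamp`) joined to a `signature` table (`sig_id`, `sig_name`); that assumption is marked in the code. To keep it runnable offline it fills an in-memory SQLite database with constructed rows; against a real Snort MySQL database the same `REPORT_SQL` runs unchanged through a MySQL driver, with `%s` placeholders instead of `?`.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed (standard Snort database output plugin schema): an `event` table
# keyed by (sid, cid) that references `signature.sig_id`.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
"""

# Per-signature counts for events newer than a cutoff, most frequent first.
REPORT_SQL = """
SELECT s.sig_name, COUNT(*) AS n
FROM event e JOIN signature s ON e.signature = s.sig_id
WHERE e.timestamp >= ?
GROUP BY s.sig_name
ORDER BY n DESC, s.sig_name
"""

# Fixed "now" for the constructed sample so results are reproducible.
SAMPLE_NOW = datetime(2003, 1, 3, 5, 0, 0)


def event_counts(conn, since):
    """Return [(sig_name, count), ...] for events logged at or after `since`."""
    cur = conn.execute(REPORT_SQL, (since.strftime("%Y-%m-%d %H:%M:%S"),))
    return cur.fetchall()


def format_report(rows):
    """Render the counts in the same layout as the Daily-IDS-Report output."""
    total = sum(n for _, n in rows)
    width = max((len(name) for name, _ in rows), default=10)
    lines = ["IDS Event Statistics.",
             f"{'Event Name':<{width}}  Number of Events"]
    lines += [f"{name:<{width}}  {n}" for name, n in rows]
    lines.append(f"Total Number of Events: {total}")
    return "\n".join(lines)


def signatures_to_flag(rows, watch, threshold=1):
    """Watched signature names whose count reaches `threshold`: the 'certain
    rules had been matched' condition that decides whether to send mail."""
    return [name for name, n in rows if name in watch and n >= threshold]


def build_sample_db(now):
    """Constructed data, not from a real sensor: three signatures, some events
    inside a 24-hour window and some older than that."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?)", [
        (1, "SCAN UPNP service discover attempt"),
        (2, "SHELLCODE x86 NOOP"),
        (3, "TELNET access"),
    ])
    rows, cid = [], 0

    def add(sig, age_hours, count):
        nonlocal cid
        ts = (now - timedelta(hours=age_hours)).strftime("%Y-%m-%d %H:%M:%S")
        for _ in range(count):
            cid += 1
            rows.append((1, cid, sig, ts))

    add(1, 2, 5)    # 5 UPnP scans two hours ago (inside 24h window)
    add(2, 1, 3)    # 3 NOOP alerts one hour ago (inside)
    add(3, 30, 4)   # 4 telnet events 30 hours ago (outside)
    add(2, 26, 2)   # 2 more NOOP alerts 26 hours ago (outside)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def daily_report(conn, now, hours=24):
    """Counts for the last `hours` hours plus the formatted report text."""
    rows = event_counts(conn, now - timedelta(hours=hours))
    return rows, format_report(rows)


if __name__ == "__main__":
    db = build_sample_db(SAMPLE_NOW)
    counts, text = daily_report(db, SAMPLE_NOW)
    print(text)
    flagged = signatures_to_flag(counts, {"SHELLCODE x86 NOOP", "TELNET access"})
    if flagged:
        print("Would send notification for:", ", ".join(flagged))
```

Run from cron with the output piped to `mail`, the script replaces the old alert-file parser: the `WHERE e.timestamp >= ?` cutoff is the "last x amount of time" filter, and `signatures_to_flag` gives a list that is empty when nothing worth mailing has happened, so the cron job can stay silent on quiet days.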