[Snort-users] email notification scripts

larosa, vjay larosa_vjay at ...3331...
Fri Jan 3 05:13:09 EST 2003

This is an example of the output,

# ./Daily-IDS-Report.pl

IDS Event Statistics.

Event Name                      Number of Events
SCAN UPNP service discover attempt              32110
SHELLCODE x86 NOOP              19709
SHELLCODE x86 unicode NOOP              8917
POP3 PASS overflow attempt              5227
POP3 USER overflow attempt              3784
SHELLCODE x86 stealth NOOP              2434
RPC mountd UDP exportall request                2332
DNS zone transfer               1258
WEB-MISC robots.txt access              842
WEB-CLIENT javascript URL host spoofing attempt         828
TELNET access           758
SHELLCODE x86 inc ebx NOOP              756
WEB-MISC net attempt            447
RPC portmap UDP proxy attempt           411
WEB-CGI count.cgi access                386
WEB-ATTACKS mail command attempt                359
ATTACK RESPONSES id check returned root         208
RPC mountd TCP exportall request                177
WEB-MISC ICQ Webfront HTTP DOS          129
POP3 AUTH overflow attempt              109
RPC mountd UDP export request           98
VIRUS Klez Incoming             95
RSERVICES rsh root              84
FTP CWD overflow attempt                63
WEB-CGI cgiwrap access          60
WEB-MISC nc.exe attempt         58
WEB-MISC intranet access                57
DDOS mstream client to handler          56
WEB-MISC login.htm access               40
WEB-MISC cisco /%% DOS attempt          38
SHELLCODE sparc setuid 0                33
WEB-ATTACKS cc command attempt          32
WEB-ATTACKS /bin/ps command attempt             31
POP3 LIST overflow attempt              27
WEB-MISC handler access         26
FTP wu-ftp bad file completion attempt [                25
WEB-MISC /exchange/root.asp access              23
NETBIOS Fun Love NTLDR          23
NETBIOS Fun Love flcss.exe              22
WEB-MISC RBS ISP /newuser access                19
WEB-MISC cd..           18
SHELLCODE x86 setgid 0          18
ORACLE all_tables access                16
SHELLCODE x86 EB OC NOOP                15
EXPLOIT ntpdx overflow attempt          15
EXPLOIT CDE dtspcd exploit attempt              14
ATTACK RESPONSES http dir listing               13
WEB-MISC apache ?M=A directory list attempt             12
SHELLCODE x86 setuid 0          12
DDOS shaft client to handler            11
WEB-FRONTPAGE _vti_rpc access           11
TELNET login incorrect          11
BAD TRAFFIC udp port 0 traffic          11
DOS DB2 dos attempt             10
WEB-CGI /cgi-bin/ access                9
WEB-CGI ad.cgi access           9
WEB-MISC ftp attempt            8
NETBIOS Samba clientaccess              8
WEB-CGI finger access           8
WEB-MISC /home/ftp access               8
NETBIOS Possible NTLDR modification             8
FTP CWD ~<CR><NEWLINE> attempt          7
WEB-MISC Transfer-Encoding: chunked             7
WEB-IIS _vti_inf access         7
WEB-MISC plusmail access                6
WEB-CGI htsearch access         5
WEB-IIS ISAPI .idq attempt              5
WEB-CGI cvsweb.cgi access               5
POP3 APOP overflow attempt              5
WEB-CGI register.cgi access             5
BAD TRAFFIC same SRC/DST                5
WEB-CGI swc access              5
Virus - Possible scr Worm               4
WEB-MISC Domino domcfg.nsf access               4
WEB-IIS asp-dot attempt         4
WEB-CGI upload.pl access                4
WEB-MISC Domino names.nsf access                3
VIRUS Klez in POP MIME attachment               3
WEB-CLIENT Outlook EML access           3
ATTACK RESPONSES command completed              2
Virus - Possible pif Worm               2
WEB-CGI db2www access           2
MS-SQL/SMB sa login failed              2
DNS SPOOF query response with ttl: 1 min. and no authority              2
WEB-IIS _mem_bin access         2
WEB-ATTACKS perl execution attempt              2
WEB-PHP php.exe access          2
FTP SITE overflow attempt               2
WEB-IIS webdav file lock attempt                2
WEB-CGI eXtropia webstore access                2
WEB-CGI icat access             2
WEB-MISC /home/www access               2
WEB-CGI eXtropia webstore directory traversal           2
MISC MS Terminal server request (RDP)           1
MS-SQL xp_reg* - registry access                1
WEB-MISC Lotus EditDoc attempt          1
WEB-MISC telnet attempt         1
WEB-IIS ISAPI .idq access               1
WEB-MISC DELETE attempt         1
WEB-CGI formmail access         1
WEB-IIS encoding access         1
WEB-IIS .... access             1
WEB-CGI phf access              1
WEB-CGI Web Shopper shopper.cgi access          1
SCAN myscan             1
WEB-PHP directory.php access            1
WEB-CGI archie access           1
WEB-MISC /....          1
WEB-MISC jigsaw dos attempt             1
WEB-CGI AlienForm af.cgi access         1
FTP invalid MODE                1
WEB-IIS .asp Transfer-Encoding: chunked         1
WEB-COLDFUSION ?Mode=debug attempt              1
DDOS mstream handler to client          1
DDOS TFN Probe          1
WEB-MISC musicat empower access         1
SQL Server Scan         1

Total Number of Events: 82475

-----Original Message-----
From: Ryan Ordway [mailto:ryan at ...7885...]
Sent: Thursday, January 02, 2003 6:34 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] email notification scripts

	I've recently moved from an alert logging based Snort system to a
MySQL based logging Snort system. Previously I had a script that would
parse the alert file periodically and email the output to me if certain
conditions existed (certain rules had been matched). Now of course, there
is no alerts file to parse.

	Is there a script available online somewhere that will connect to
the database and run a query to list all alerts logged in the last x
amount of time? I'm trying to write one myself, but not having much luck
unfortunately.... maybe something to use as an example?

	Thanks muchly,


ryan at ...7885...
HELO... my name is root... you have SIGKILLed my father... prepare to vi!

     Hi! Can you to speak to me the learn for to speak the Unix?

This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list