[Snort-users] DNS on Log Messsages?

spy guy spyguy703 at ...741...
Wed Jan 15 09:03:03 EST 2003


Here is an alternative. Its a perl script that can perform lookups on
certain alerts. 



***************

#!/usr/bin/perl

# usage:
# lookup.pl -a <alert name> -f <log file name> -t -r
# -f the name of the log file that contains the alert
#    information, defaults to STDIN
# -a either the full or a partial name for the alert
#    that we're interested in
# -r do a reverse lookup and make sure it matches what
#    we just got (not implemented)
# -t print a time stamp

use Getopt::Std;
use Socket;

$usage = "Usage: $0 [ -t -r ] -a <alert name> [ -f <log file> ]\n";
@ARGV >= 1 or die $usage;

getopts("f:a:rt");

unless (defined $opt_a) {
  print "-a not defined\n";
  print "Please specify the alert name on the command line.\n";
  die;
}

$opt_f = "-" unless defined $opt_f;
open(STDIN, "< $opt_f") or die "Can't open $opt_f: $!/n";

while(<STDIN>) {
  if (/$opt_a/) {
    chomp;
    my ($time, $junk, $src, $dst);
    ($time, $junk, $junk, $alert, $junk, $junk, $junk, $junk, $src,
$junk, $dst) = split(/\s+/);
    my ($src_ip, $src_port) = split(/:/, $src);
    my ($dst_ip, $dst_port) = split(/:/, $dst);
    my $name = gethostbyaddr(inet_aton($dst_ip), AF_INET);
    if ((defined $opt_t) && (defined $name)) {
      print "$time\t$alert\t$dst_ip\t$name\n";
    } elsif (defined $name) {
      print "$alert\t$dst_ip\t$name\n";
    } elsif (defined $opt_t) {
      print "$time\t$alert\t$dst_ip\tDID NOT RESOLVE\n";
    } else {
      print "$alert\t$dst_ip\tDID NOT RESOLVE\n";
    }
  }
}


***************








On Tue, 2003-01-14 at 06:14, Erek Adams wrote:
> On Tue, 14 Jan 2003, Mike Koponick wrote:
> 
> > I was wondering if there was a way to resolve IP addresses into names from
> > the SNORT.LOG file. That is, this is the log that SNORT outputs now:
> >
> > 01/13-18:39:12.868701 [**] [1:384:4] ICMP PING [**] [Classification: Misc
> > activity] [Priority: 3] {ICMP} 192.168.11.21 -> 192.168.11.2
> >
> > I would like log to look something like:
> >
> > 01/13-18:39:12.868701 [**] [1:384:4] ICMP PING [**] [Classification: Misc
> > activity] [Priority: 3] {ICMP} 192.168.11.21 (MYPC.MYDOMAIN.COM)->
> > 192.168.11.2 (THEREPC.MYDOMAIN.COM)
> 
> Snort can't do that.  DNS resolution is something that takes _time_.  If
> you have to lookup 500 IP's, and there's a 50ms wait for each one...  That
> starts to mount up rather quickly.  Snort needs all it's time and power to
> snarf packets.
> 
> You could use a sed/awk script and post process the logs.  That would be
> a bit better as you're not making the Snort process do all the work.  If
> you could, I would even suggest doing that off of your sensor.  Do it on a
> backend box with a local caching DNS server.
> 
> Cheers!
> 
> -----
> Erek Adams
> 
>    "When things get weird, the wierd turn pro."   H.S. Thompson
> 
> 
> -------------------------------------------------------
> This SF.NET email is sponsored by: FREE  SSL Guide from Thawte
> are you planning your Web Server Security? Click here to get a FREE
> Thawte SSL guide and find the answers to all your  SSL security issues.
> http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users






More information about the Snort-users mailing list