[Snort-users] Problem using honeysuckle

Maetzky, Steffen (Extern) Steffen.Maetzky at ...11508...
Mon Jul 19 03:25:17 EDT 2004


I'm testing honeysuckle to find out how it works because I have no
I have made a Nessus scan on localhost to get a .nsr file.
I have moved the print line of honeysuckle.pl into the last if statement
(after $priority++).

If I start honeysuckle with ./honeysuckle.pl .nsr sid-msg.map < log.csv I
get a message like this: no log.csv.

If I create an empty one I can start honeysuckle, but after adding some
print statements for debugging it seems to me that the last function,
foreach my $line (<STDIN>), is never entered.

Does anyone know why? Is it because of an empty log.csv? 

Thanks in advance,


#!/usr/bin/perl
# honeysuckle - Vulnerability Correlation with snort & nessus
# Copyright (C) 2002 Brian Caswell <bmc at ...950...>
# "Any sufficiently advanced technology is indistinguishable from a simple
# script"
# honeysuckle is an implementation of IDS alert & vulnerability correlation
# on snort alerts & nessus scan.  We modify our priority in an attempt to get
# monitor jockeys to focus on the really important stuff.
# I don't know about you, but when someone is shooting bullets at me, I
# would like to know they are shooting at me, even if they miss.
# (If you want to be dumb, err... ignore attacks that "you are not
# vulnerable to", move the print line to be inside of the last if statement)
# This code uses Nessus reports and snort's sid-msg.map to handle mappings
# via CVE maps.  We take CSV input of the following format:
#    srcip,dstip,priority,event

use strict;
use warnings;

# @ARGV in scalar context is the argument count, so compare numerically.
if (@ARGV != 2) {
   print "Usage : $0 output.nsr sid-msg.map < log.csv\n";
   exit 1;
}

open(NSR,    $ARGV[0]) || die "Ack, your NSR isn't there!\n";
open(SIDMAP, $ARGV[1]) || die "Ack, your sid-msg.map isn't there!\n";

my (%vulnerabilities, %sigs);

# Nessus .nsr: the host address leads the line and CVE references appear in
# the description as ";CVE : CVE-YYYY-NNNN;" (CAN-YYYY-NNNN also fits \w{3}).
foreach my $line (<NSR>) {
   if ($line =~
     /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*\;CVE : (\w{3}-\d{4}-\d+)\;/) {
      $vulnerabilities{$1}{$2} = 1;
   }
}
close(NSR);

# sid-msg.map: "sid || msg || ref,value || ref,value ..."
foreach my $line (<SIDMAP>) {
   chomp $line;
   next if ($line =~ /^\s*\#/);
   my ($sid, $msg, @refs) = split (/ \|\| /, $line);
   foreach my $ref (@refs) {
      if ($ref =~ /^cve,(.*)$/) {
         $sigs{$msg}{$1} = 1;
         # $sids{$sid}{$1} = 1; 	# Got sids?  try using these...
      }
   }
}
close(SIDMAP);

# Alert CSV on STDIN: srcip,dstip,priority,event.  Without chomp the trailing
# newline stays on $event and it never matches a message from sid-msg.map.
# An empty log.csv simply runs this loop zero times.
foreach my $line (<STDIN>) {
   chomp $line;
   my ($srcip, $dstip, $priority, $event) = split (/,/, $line, 4);
   if ($sigs{$event}) {
      # keys, not the flattened key/value list the bare hash would give
      foreach my $cve (keys %{$sigs{$event}}) {
         if ($vulnerabilities{$srcip}{$cve} ||
             $vulnerabilities{$dstip}{$cve}) {
            $priority++;
            print "$srcip,$dstip,$priority,$event\n";
         }
      }
   }
   # the print statement is originally placed here
}
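As an added example (not part of this post and not honeysuckle's own code), here is a Python re-implementation of the same correlation over constructed sample inputs in the three formats the script reads: Nessus .nsr lines, sid-msg.map lines, and srcip,dstip,priority,event alert lines. It goes a little beyond the script in two ways: it records every CVE reference found on an .nsr line rather than only the last one, and it emits a correlated alert once even when several of its CVEs match. All hosts, sids, rule messages and CVE identifiers in the sample data are made up. With an empty alert list it returns an empty list, which is exactly what the last loop of honeysuckle.pl does with an empty log.csv.

```python
"""Snort/Nessus CVE correlation in the style of honeysuckle.pl (added example)."""
import re
import sys
from typing import Dict, Iterable, List, Set

# Constructed sample data: hosts, sids, messages and CVE ids are made up.
SAMPLE_NSR = [
    "10.0.0.5|http (80/tcp)|10240|Security Hole|Sample web hole;CVE : CVE-2002-0001;",
    "10.0.0.9|ssh (22/tcp)|10954|Security Warning|Sample old sshd;CVE : CAN-2003-0002;",
    "garbage line without a host or a CVE reference",
]
SAMPLE_SIDMAP = [
    "# sid-msg.map: sid || msg || ref,value || ref,value ...",
    "1001 || WEB-MISC sample overflow || cve,CVE-2002-0001 || bugtraq,1234",
    "1002 || SSH sample exploit || cve,CAN-2003-0002",
    "1003 || ICMP PING || arachnids,135",
]
SAMPLE_ALERTS = [
    "192.0.2.7,10.0.0.5,2,WEB-MISC sample overflow",  # target has CVE-2002-0001
    "192.0.2.7,10.0.0.9,2,WEB-MISC sample overflow",  # target lacks that CVE
    "192.0.2.7,10.0.0.9,3,ICMP PING",                  # rule has no CVE reference
    "10.0.0.9,192.0.2.7,2,SSH sample exploit",         # the source host is the vulnerable one
]

HOST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})")
CVE_RE = re.compile(r";CVE : (\w{3}-\d{4}-\d+);")


def parse_nsr(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """host -> set of CVE/CAN ids the Nessus report lists for that host."""
    vulns: Dict[str, Set[str]] = {}
    for line in lines:
        host = HOST_RE.match(line)
        if not host:
            continue
        for cve in CVE_RE.findall(line):  # every reference on the line, not just the last
            vulns.setdefault(host.group(1), set()).add(cve)
    return vulns


def parse_sidmap(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """rule message -> set of CVE/CAN ids taken from its 'cve,' references."""
    sigs: Dict[str, Set[str]] = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(" || ")
        if len(fields) < 2:
            continue
        msg, refs = fields[1], fields[2:]
        for ref in refs:
            if ref.startswith("cve,"):
                sigs.setdefault(msg, set()).add(ref[len("cve,"):])
    return sigs


def correlate(vulns: Dict[str, Set[str]], sigs: Dict[str, Set[str]],
              alert_lines: Iterable[str]) -> List[str]:
    """Keep alerts whose rule CVE is reported against src or dst, with priority bumped."""
    out: List[str] = []
    for line in alert_lines:
        line = line.rstrip("\n")   # a trailing newline would stop the event from matching
        if not line:
            continue
        parts = line.split(",", 3)  # the rule message itself may contain commas
        if len(parts) != 4:
            continue
        srcip, dstip, priority, event = parts
        cves = sigs.get(event, set())
        if any(c in vulns.get(srcip, set()) or c in vulns.get(dstip, set()) for c in cves):
            out.append(f"{srcip},{dstip},{int(priority) + 1},{event}")
    return out


if __name__ == "__main__":
    # Same calling convention as the Perl script: output.nsr sid-msg.map < log.csv
    if len(sys.argv) != 3:
        sys.exit(f"Usage: {sys.argv[0]} output.nsr sid-msg.map < log.csv")
    with open(sys.argv[1]) as nsr, open(sys.argv[2]) as sidmap:
        hits = correlate(parse_nsr(nsr), parse_sidmap(sidmap), sys.stdin)
    print("\n".join(hits))
```

Run against the embedded samples, only the first and fourth alerts survive: the second targets a host whose report lists a different CVE, and the third comes from a rule that carries no CVE reference at all, so there is nothing to correlate on.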
