[Snort-users] RE: Perl script that Generates Snort Raw Events

Lawrence Waterhouse lawrence.waterhouse at ...11827...
Sat Sep 25 16:21:39 EDT 2004


sneeze.pl - Snort False-Positive Generator
http://www.securiteam.com/tools/5DP0T0AB5G.html

L. Waterhouse

________________________________________
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Kamal Ahmed
Sent: September 25, 2004 12:02 PM
To: Kamal Ahmed; snort-users at lists.sourceforge.net
Subject: [Snort-users] RE: Perl script that Generates Snort Raw Events



-----Original Message-----
From: Kamal Ahmed
Sent: Fri 9/24/2004 11:26 AM
To: 'snort-users at lists.sourceforge.net'
Subject: Perl script that Generates Snort Raw Events

Hi,

I would like to know if there is a Perl script that Generates Snort Raw
Events, e.g. :

Full Format:

07/16/-2-08:06:26.464649  [**] [1:716:5] TELNET access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.16.112.50:23 -> 135.13.216.191:1026
07/16/-2-08:23:39.630057  [**] [1:716:5] TELNET access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.16.112.50:23 -> 135.13.216.191:1588
07/16/-2-08:34:18.399673  [**] [117:1:1] (spp_portscan2) Portscan detected from 195.73.151.50: 6 targets 6 ports in 19 seconds [**] {TCP} 195.73.151.50:2111 -> 172.16.113.105:25

Fast Format:

06/01/-2-08:04:50.992467  [**] [117:1:1] (spp_portscan2) Portscan detected from 172.16.114.148: 1 targets 21 ports in 14 seconds [**] {TCP} 172.16.114.148:20 -> 194.7.248.153:1812
06/01/-2-08:05:07.895030  [**] [1:716:5] TELNET access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.16.112.50:23 -> 135.8.60.182:1941
06/01/-2-08:06:48.768633  [**] [117:1:1] (spp_portscan2) Portscan detected from 197.218.177.69: 1 targets 21 ports in 12 seconds [**] {TCP} 197.218.177.69:20 -> 172.16.113.204:1306
06/01/-2-08:07:13.845382  [**] [1:716:5] TELNET access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.16.112.50:23 -> 135.8.60.182:2064
06/01/-2-08:16:27.920109  [**] [117:1:1] (spp_portscan2) Portscan detected from 135.8.60.182: 6 targets 6 ports in 5 seconds [**] {TCP} 135.8.60.182:2120 -> 172.16.114.168:25
06/01/-2-08:21:44.335582  [**] [117:1:1] (spp_portscan2) Portscan detected from 135.13.216.191: 6 targets 7 ports in 6 seconds [**] {TCP} 135.13.216.191:2186 -> 172.16.114.169:25

As well as Syslog Format ( I do not have any example)


I would appreciate any info/help.

Thanks,

-Kamal.
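An added example, not a script from this thread or from the Snort project, and in Python rather than the Perl that was asked for: it generates synthetic alert events and renders each one in the three output layouts the question mentions (alert_fast, alert_full and alert_syslog as Snort 2.x writes them), then parses the fast lines back so the generated output can be checked against the real format. The signature catalogue, sensor name, PID and the IP/TCP header values in the full-format block are constructed sample values; preprocessor events (the spp_portscan2 line quoted above) are emitted without the [Classification:] [Priority:] pair, matching the thread's own samples.

```python
"""Synthetic Snort 2.x alert generator (fast / full / syslog) with a fast-format parser.
Added example, not the thread's or Snort's own code; all sample data is constructed."""
import random
import re
from datetime import datetime, timedelta

# Constructed catalogue. sid 716 and the spp_portscan2 event mirror the thread's samples;
# cls/pri of None marks a preprocessor event, which Snort prints without those brackets.
SIGNATURES = [
    dict(gid=1, sid=716, rev=5, msg="TELNET access", cls="Not Suspicious Traffic",
         pri=3, proto="TCP", sport=23, dport=None),
    dict(gid=117, sid=1, rev=1, msg="(spp_portscan2) Portscan detected from {src}: "
         "{targets} targets {ports} ports in {secs} seconds",
         cls=None, pri=None, proto="TCP", sport=None, dport=25),
]

def _ip(rng, prefix):
    return prefix + ".".join(str(rng.randint(1, 254)) for _ in range(2))

def generate(n, seed=0, start=datetime(2004, 9, 25, 12, 0, 0)):
    """Return n event dicts with increasing timestamps; seeded so runs are repeatable."""
    rng, ts, events = random.Random(seed), start, []
    for _ in range(n):
        ev = dict(rng.choice(SIGNATURES))
        ts += timedelta(seconds=rng.randint(1, 600), microseconds=rng.randint(0, 999999))
        src, dst = _ip(rng, "172.16."), _ip(rng, "135.8.")
        ev.update(ts=ts, src=src, dst=dst)
        ev["sport"] = ev["sport"] or rng.randint(1024, 65535)   # None -> ephemeral port
        ev["dport"] = ev["dport"] or rng.randint(1024, 65535)
        ev["msg"] = ev["msg"].format(src=src, targets=rng.randint(1, 8),
                                     ports=rng.randint(1, 25), secs=rng.randint(2, 30))
        events.append(ev)
    return events

def _ids(ev):   # "[gid:sid:rev] msg"
    return "[{gid}:{sid}:{rev}] {msg}".format(**ev)

def _cls(ev):   # classification/priority pair, empty for preprocessor events
    return "" if ev["cls"] is None else "[Classification: {cls}] [Priority: {pri}]".format(**ev)

def _flow(ev):  # "{PROTO} src:sport -> dst:dport"
    return "{{{proto}}} {src}:{sport} -> {dst}:{dport}".format(**ev)

def fast_line(ev, year=False):
    """alert_fast: timestamp, two spaces, [**] ids [**] [cls] [pri] flow (year only with snort -y)."""
    fmt = "%m/%d/%y-%H:%M:%S.%f" if year else "%m/%d-%H:%M:%S.%f"
    parts = ["[**] " + _ids(ev) + " [**]"] + ([_cls(ev)] if ev["cls"] else []) + [_flow(ev)]
    return ev["ts"].strftime(fmt) + "  " + " ".join(parts)

def full_block(ev):
    """alert_full: ids line, optional cls line, timestamp+addresses, decoded IP and TCP headers."""
    ipid = (ev["sport"] ^ ev["dport"]) & 0xFFFF            # constructed header values
    lines = ["[**] " + _ids(ev) + " [**]"]
    if ev["cls"]:
        lines.append(_cls(ev))
    lines.append("{} {src}:{sport} -> {dst}:{dport}".format(ev["ts"].strftime("%m/%d-%H:%M:%S.%f"), **ev))
    lines.append("{proto} TTL:64 TOS:0x0 ID:{} IpLen:20 DgmLen:60 DF".format(ipid, **ev))
    lines.append("***A**** Seq: 0x{:08X}  Ack: 0x{:08X}  Win: 0x4000  TcpLen: 20".format(
        (ev["sport"] * 65537) & 0xFFFFFFFF, (ev["dport"] * 65537) & 0xFFFFFFFF))
    return "\n".join(lines) + "\n"

def syslog_line(ev, host="sensor1", pid=4242):
    """alert_syslog as written by syslogd: date host snort[pid]: ids [cls] [pri]: flow (assumed layout)."""
    ts = ev["ts"]
    head = " ".join([_ids(ev)] + ([_cls(ev)] if ev["cls"] else []))
    return "{:%b} {:2d} {:%H:%M:%S} {} snort[{}]: {}: {}".format(ts, ts.day, ts, host, pid, head, _flow(ev))

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d{6}) +\[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d+)\] )?"
    r"\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_fast(line):
    """Parse one alert_fast line into a dict, or return None when it does not match the layout."""
    m = FAST_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k])
    d["pri"] = int(d["pri"]) if d["pri"] is not None else None
    return d

if __name__ == "__main__":
    for ev in generate(5, seed=1):
        print(fast_line(ev))
        print(syslog_line(ev))
        print(full_block(ev))
```

Feeding the fast lines to a consumer such as a log parser or SIEM connector and diffing what it extracts against the dicts from `generate()` is the useful check here: a line that `parse_fast` accepts but the downstream tool drops usually means the tool assumes the [Classification:] [Priority:] pair is always present, which the preprocessor events above show is not the case.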



