[Snort-users] Alert on new IP in use?

James Riden j.riden at ...11179...
Wed Aug 3 20:25:01 EDT 2005


Jason Benway <benwaynet at ...11827...> writes:

> I would like to see your script.

Usage is:

/usr/sbin/p0f -i eth0 -N -q -U -l | perl p0f-day.pl

with p0f version 2. This script is designed to run for a day and then
quit, as that's when my logs roll...

You will need to change "m/^10\.0\./" to match the networks you care
about - this will watch for stuff in 10.0/16.

Any questions, let me know. (I know it sucks, but I'd rather get RNA
than fix this.)

cheers,
 Jamie

== cut here - p0f-day.pl ==
#!/usr/local/bin/perl
# p0f-day.pl - read p0f 2 single-line output on STDIN, report each host in
# the watched network the first time it is seen, and exit after 24 hours.
use strict;
use warnings;
use Socket;

my %oslist;       # ip -> OS guess, recorded the first time the host is seen
my %oslistname;   # ip -> short (unqualified) hostname
my $f = time();

while (my $line = <STDIN>)
{
    chomp($line);

    # "<src ip>:<port> - <os guess> ..."; limit the split so an OS string
    # that itself contains " - " is not cut in half
    my ($ip, $os) = split(m/ - /, $line, 2);
    next unless defined $ip && defined $os;

    my ($port, $hop);
    ($ip, $port) = split(m/:/, $ip);
    ($ip, $hop)  = split(m/ /,  $ip, 2);

    # change this to match the networks you care about (10.0/16 here)
    if ($ip =~ m/^10\.0\./) {

        if (!exists $oslist{$ip}) {

            # reverse lookup may fail; keep the CSV shape with an empty name
            my $name = gethostbyaddr(inet_aton($ip), AF_INET);
            if (defined $name) {
                $name =~ s/([^\.]+).*/$1/;   # keep the unqualified hostname
            } else {
                $name = "";
            }

            $oslist{$ip}     = $os;
            $oslistname{$ip} = $name;
            print STDERR "$name,$ip,$os\r\n";
        }
    }

    my $g = time() - $f;

    if ($g > (24*3600))
    {
        exit(0);
    }
}
== cut here - p0f-day.pl ==
 
-- 
James Riden / j.riden at ...11179... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
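The same first-seen check as p0f-day.pl, written as an added Python example (not part of the post or of p0f): it matches the watched prefix as a CIDR network and persists the seen table to a file (assumed name p0f-seen.json) so the daily restart does not re-alert on every host. The record layout and the sample lines are assumptions modelled on p0f 2 single-line output.

```python
import ipaddress
import json
import os

# Networks to watch; the post's m/^10\.0\./ is the 10.0/16 prefix.
WATCHED = [ipaddress.ip_network("10.0.0.0/16")]
STATE_FILE = "p0f-seen.json"  # assumed file name for the persisted first-seen table

def parse_p0f_line(line):
    """Return (src_ip, os_guess) from one p0f 2 single-line record, else None.
    Assumed layout: <src ip>:<port> - <os guess> -> <dst ip>:<port> [(distance N, link: ...)]"""
    try:
        src, rest = line.strip().split(" - ", 1)
        ip = src.split()[-1].rsplit(":", 1)[0]  # last token of the left side, port stripped
        ipaddress.ip_address(ip)                # reject anything that is not an address
    except (ValueError, IndexError):
        return None
    return ip, rest.split(" -> ", 1)[0].strip()

def find_new_hosts(lines, seen):
    """Add watched hosts not yet in `seen`; return the new (ip, os) pairs in order."""
    new = []
    for line in lines:
        if (parsed := parse_p0f_line(line)) is None:
            continue
        ip, os_guess = parsed
        if ip in seen or not any(ipaddress.ip_address(ip) in n for n in WATCHED):
            continue
        seen[ip] = os_guess
        new.append((ip, os_guess))
    return new

def load_seen(path=STATE_FILE):
    """First-seen table from disk, so the daily restart does not re-alert on every host."""
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)

def save_seen(seen, path=STATE_FILE):
    with open(path, "w") as fh:
        json.dump(seen, fh)

SAMPLE = [  # constructed records, not real p0f output
    "10.0.3.7:40122 - Linux 2.4/2.6 (up: 3 hrs) -> 10.0.0.1:80 (distance 0, link: ethernet/modem)",
    "192.168.9.2:5432 - Windows XP SP1+, 2000 SP3 -> 10.0.0.1:443",
    "10.0.3.7:40123 - Linux 2.4/2.6 (up: 3 hrs) -> 10.0.0.1:22",
    "10.0.12.200:1025 - Windows 2000 SP4, XP SP1+ -> 10.0.0.5:445",
    "not a p0f record",
]
```

In place of SAMPLE, pass sys.stdin from the same p0f pipeline, load the table with load_seen() before the loop and write it back with save_seen() before exiting.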