[Snort-users] Alert on new IP in use?

James Riden j.riden at ...11179...
Wed Aug 3 20:25:01 EDT 2005

Jason Benway <benwaynet at ...11827...> writes:

> I would like to see your script.

Usage is:

/usr/sbin/p0f -i eth0 -N -q -U -l | perl p0f-day.pl

with p0f version 2. This script is designed to run for a day and then
quit, as that's when my logs roll...

You will need to change "m/^10\.0\./" to match the networks you care
about - this will watch for stuff in 10.0/16.

Any questions, let me know. (I know it sucks, but I'd rather get RNA
than fix this.)


== cut here - p0f-day.pl ==
use strict;
use warnings;
use Socket;

my %oslist;          # addresses already reported today, keyed by IP
my $start = time;    # script start; used to quit after a day when the logs roll

while (my $line = <STDIN>) {
    # p0f -l lines look like "src:port - OS guess -> dst:port (...)"
    my ($ip, $os) = split(m/ - /, $line);
    next unless defined $os;                 # skip lines that are not fingerprints

    ($ip, my $port) = split(m/:/, $ip);
    ($ip, my $hop)  = split(m/ /, $ip, 2);

    # change this pattern to match the networks you care about (10.0/16 here)
    if ($ip =~ m/^10\.0\./) {
        if (!defined $oslist{$ip}) {
            my $name = gethostbyaddr(inet_aton($ip), AF_INET);
            $name = $ip unless defined $name;   # no reverse DNS: fall back to the address
            $name =~ s/([^\.]+).*/$1/;          # keep only the short host name
            chomp $os;
            print STDERR "$name,$ip,$os\r\n";
            $oslist{$ip} = $os;                 # remember it so each new host is reported once
        }
    }

    my $g = time - $start;                      # seconds since start
    if ($g > (24*3600)) {
        exit;                                   # run for a day and then quit
    }
}
== cut here - p0f-day.pl ==

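As an added example (not from the original post and not part of p0f), here is the same first-sight check in Python: it parses p0f -l style lines, matches the watched networks by CIDR instead of a prefix regex, and additionally reports a known host whose OS guess changes, which is a common sign of a swapped or spoofed device. The sample lines are constructed, not captured output.

```python
import ipaddress
import re

# Constructed sample in the p0f 2 "-l" single-line format (not real captured output).
SAMPLE_LINES = [
    "10.0.1.5:3421 - Windows XP SP1 -> 10.0.0.2:80 (distance 0, link: ethernet/modem)",
    "10.0.1.5:3422 - Windows XP SP1 -> 10.0.0.2:443 (distance 0, link: ethernet/modem)",
    "192.168.7.9:51000 - Linux 2.4/2.6 -> 10.0.0.2:22 (distance 2, link: ethernet/modem)",
    "10.0.2.17:1025 - Linux 2.4/2.6 -> 10.0.0.2:80 (distance 0, link: ethernet/modem)",
    "10.0.1.5:3423 - Linux 2.4/2.6 -> 10.0.0.2:80 (distance 0, link: ethernet/modem)",
    "garbage line with no fingerprint",
]

# Optional prefix, then "src:port - OS guess", then an optional " -> dst ..." tail.
LINE_RE = re.compile(
    r"^(?:.*\s)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) - (?P<os>.+?)(?: -> .*)?$"
)

def parse_line(line):
    """Return (src_ip, os_guess) from one p0f -l line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), m.group("os")

class NewHostWatcher:
    """Track hosts inside the watched networks; report first sightings and OS changes."""
    def __init__(self, networks):
        self.networks = [ipaddress.ip_network(n) for n in networks]
        self.seen = {}  # ip -> last OS guess seen for that host

    def in_scope(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def feed(self, line):
        parsed = parse_line(line)
        if parsed is None:
            return None
        ip, os_guess = parsed
        if not self.in_scope(ip):
            return None
        previous = self.seen.get(ip)
        self.seen[ip] = os_guess
        if previous is None:
            return ("new-host", ip, os_guess)
        if previous != os_guess:
            return ("os-changed", ip, os_guess)
        return None

def run(lines, networks=("10.0.0.0/16",)):
    """Feed every line to a watcher and return the list of alerts it produced."""
    watcher = NewHostWatcher(networks)
    return [alert for alert in (watcher.feed(l) for l in lines) if alert]
```

Pipe live output into it with `p0f -i eth0 -N -q -U -l | python3 watcher.py` after adding a loop over `sys.stdin` that calls `feed`.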