[Snort-users] Re: Snort and Mysql for statistics purposes

Snort Snort at ...13151...
Mon Mar 14 07:04:44 EST 2005


I finished version 1 of mine a while back... I will go back and add more statistics, but I want to build my correlation scripts... here are a couple of snippets from my scripts. Pretty much all you are doing is counting rows and setting the order of listing to descending, then limiting it to the top 10... so if you want to get the top 10 SRC IPs your script can look similar to this:


select count(*) AS COUNT,ip_src FROM iphdr GROUP BY ip_src ORDER BY COUNT DESC LIMIT 30


In this case I'm getting the Top 30 SRC IPs. You can script that from the command line and have it output to a nice little HTML page ready for viewing.


mysql -h serverip -D database -H -B -e "select count(*) AS COUNT,ip_src FROM iphdr GROUP BY ip_src ORDER BY COUNT DESC LIMIT 30;"


-B tells mysql to run as a batch job

-e tells it to execute this command

-H tells it to produce HTML output


With the above, here is a line that will get you the Top 30 signatures and output them to an HTML page


mysql -h 127.0.0.1 -D IDS -H -B -e "select count(*) AS COUNT,sig_name from event LEFT JOIN signature ON event.signature = signature.sig_id GROUP BY event.signature, sig_name ORDER BY COUNT DESC limit 30;" >> /var/www/html/sig.html


Thanks,

Michael Brown
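The following is an added example and not part of Michael's scripts or of the original thread. It builds the same three top-N reports the thread asks for (top source IPs, top destination ports, top signatures) against the subset of the Snort/ACID database schema they need (event, signature, iphdr, tcphdr, udphdr), with sqlite3 standing in for MySQL so it runs offline on constructed sample alerts. It goes a little beyond the queries above: ip_src is stored as an unsigned integer, so the dotted quad has to be reconstructed (INET_NTOA() in MySQL); destination ports are not in iphdr at all but in tcphdr/udphdr keyed by (sid, cid), so that report is a UNION of the two; the signature join uses the qualified column event.signature; and every cell is HTML-escaped before it reaches the report page. The schema column subset, the sample rows and the sig_name values are assumptions for the demonstration.

```python
import html
import ipaddress
import sqlite3

# Subset of the Snort/ACID database schema with only the columns the
# queries need (assumed for this example; the real tables carry more).
# sqlite3 stands in for MySQL so the example runs offline; the SQL is
# kept portable so it also pastes into the mysql client.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr  (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                     ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER,
                     PRIMARY KEY (sid, cid));
CREATE TABLE udphdr (sid INTEGER, cid INTEGER, udp_sport INTEGER, udp_dport INTEGER,
                     PRIMARY KEY (sid, cid));
"""

# Constructed rule names and sample alerts, all from sensor sid=1:
# (cid, sig_id, src, dst, ip_proto, sport, dport); ports are None for ICMP.
SIGNATURES = {1: "ICMP PING", 2: "WEB-MISC cmd.exe access", 3: "SCAN SYN FIN"}
SAMPLE_EVENTS = [
    (1, 2, "10.0.0.5", "192.168.1.10", 6, 40001, 80),
    (2, 2, "10.0.0.5", "192.168.1.10", 6, 40002, 80),
    (3, 2, "10.0.0.7", "192.168.1.10", 6, 40003, 80),
    (4, 3, "10.0.0.5", "192.168.1.11", 6, 40004, 22),
    (5, 1, "10.0.0.9", "192.168.1.10", 1, None, None),
    (6, 3, "10.0.0.7", "192.168.1.11", 17, 5353, 53),
    (7, 1, "10.0.0.5", "192.168.1.12", 1, None, None),
]


def ip2int(dotted):
    """Snort stores ip_src/ip_dst as an unsigned 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def int2ip(n):
    """Back to a dotted quad; in MySQL this is INET_NTOA(ip_src)."""
    return str(ipaddress.IPv4Address(n))


def build_db(events=SAMPLE_EVENTS, sid=1):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?)", SIGNATURES.items())
    for cid, sig, src, dst, proto, sport, dport in events:
        conn.execute("INSERT INTO event VALUES (?, ?, ?)", (sid, cid, sig))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?, ?)",
                     (sid, cid, ip2int(src), ip2int(dst), proto))
        if proto == 6:
            conn.execute("INSERT INTO tcphdr VALUES (?, ?, ?, ?)", (sid, cid, sport, dport))
        elif proto == 17:
            conn.execute("INSERT INTO udphdr VALUES (?, ?, ?, ?)", (sid, cid, sport, dport))
    conn.commit()
    return conn


def top_src(conn, n=10):
    # Ties are broken by address so the report is stable between runs.
    rows = conn.execute("SELECT ip_src, COUNT(*) AS cnt FROM iphdr "
                        "GROUP BY ip_src ORDER BY cnt DESC, ip_src LIMIT ?", (n,)).fetchall()
    return [(int2ip(ip), cnt) for ip, cnt in rows]


def top_dports(conn, n=10):
    # Ports live in tcphdr/udphdr, tied to the alert by (sid, cid), so the
    # destination-port report is a UNION of the two tables, not a query on iphdr.
    sql = """
    SELECT proto, dport, COUNT(*) AS cnt FROM (
        SELECT sid, cid, 'tcp' AS proto, tcp_dport AS dport FROM tcphdr
        UNION ALL
        SELECT sid, cid, 'udp' AS proto, udp_dport AS dport FROM udphdr
    ) AS ports
    GROUP BY proto, dport ORDER BY cnt DESC, dport, proto LIMIT ?"""
    return conn.execute(sql, (n,)).fetchall()


def top_sigs(conn, n=10):
    # event.signature is the foreign key into signature.sig_id; qualify it so
    # the bare name cannot be confused with the table of the same name.
    sql = """
    SELECT s.sig_name, COUNT(*) AS cnt
    FROM event AS e JOIN signature AS s ON e.signature = s.sig_id
    GROUP BY e.signature, s.sig_name ORDER BY cnt DESC, s.sig_name LIMIT ?"""
    return conn.execute(sql, (n,)).fetchall()


def to_html(title, headers, rows):
    """Render one report table. Every cell is escaped so text pulled from the
    database (rule names now, payload columns later) cannot become markup."""
    out = ["<h2>%s</h2>" % html.escape(title), "<table>",
           "<tr>" + "".join("<th>%s</th>" % html.escape(h) for h in headers) + "</tr>"]
    for row in rows:
        out.append("<tr>" + "".join("<td>%s</td>" % html.escape(str(c)) for c in row) + "</tr>")
    out.append("</table>")
    return "\n".join(out)


if __name__ == "__main__":
    db = build_db()
    print(to_html("Top source IPs", ["ip_src", "count"], top_src(db, 30)))
    print(to_html("Top destination ports", ["proto", "dport", "count"], top_dports(db, 30)))
    print(to_html("Top signatures", ["sig_name", "count"], top_sigs(db, 30)))
```

When the script (or the mysql one-liners above) runs from cron, redirect with `>` rather than `>>`: appending adds a fresh table below the old ones on every run instead of replacing the page.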





  _____  

From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at ...3204...ts.sourceforge.net] On Behalf Of Muhammad Omar Khan
Posted At: Wednesday, March 09, 2005 11:20 PM
Posted To: Snort
Conversation: [Snort-users] Re: Snort and Mysql for statistics purposes
Subject: [Snort-users] Re: Snort and Mysql for statistics purposes
  

Hi all,

It's my first query to the group. I intend to make a data analysis interface using PHP and MySQL and I am stuck at one point, i.e. how to fetch the top 10 records (e.g. top 10 source IPs or top 10 destination ports) from the MySQL database. Can anyone please help in this regard, any MySQL commands or something...?

Regards

Omar 

>From: sushant at ...1052...
>To: David Jiménez Domínguez <djdsecurity at ...979...11827...>
>CC: snort-users at lists.sourceforge.net, honeypots at ...35..., focus-ids at ...35...
>Subject: Re: Snort and Mysql for statistics purposes
>Date: Wed, 9 Mar 2005 08:53:46 -0500
>
>I have used PHP with jpgraph to get real time threat graphs. PHP is very easy to
>use with MYSQL and jpgraph is a good graphic tool.
>-Sushant.
>
>Quoting David Jiménez Domínguez <djdsecurity at ...11827...>:
>
>> Hi folks!
>>
>> I need to graph all the traffic in my network (Top ports, Top src_ip,
>> Top attacks) each 5 minutes... In the DataServer I have installed Mysql
>> and in the firewall I have installed snort-2.3.0 and I created just 4
>> rules to get all the tcp, udp, icmp and ip traffic in order to graph it
>> with perl and rrdtool and post it in a web page....
>>
>> Do you think it is the best way to do that???
>> Have you ever done something like that?? What tools do you recommend me??
>>
>> Regards
>>
>> DJ
>> --------------------------------------------------




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050314/ced9c994/attachment.html>

