List: snort-users
Subject: [Snort-users] acid v0.9.5 addon.
From: Blake Frantz <blake () mc ! net>
Date: 2001-06-28 20:26:02
Hello,
When the snort portscan preprocessor triggers it creates a log called
'portscan.log.' The contents of this log, which are the scanned hosts, are
ignored by ACID. I made the following changes to enable the user to view
this data:
at line 980 in acid_pkt_sqlcalls.php I made the following changes:
<original>
else
    echo ' <A HREF="acid_app_faq.php#1">unknown</A>';
</original>
<changed>
else {
    /* portscan alerts carry the scanning host in the message text; pull it out
       and link it to acid_show_ps.php, otherwise fall back to 'unknown' */
    if( ereg("spp_portscan:.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)", $myrow[2], $store)) {
        echo '<a href="acid_show_ps.php?ip='.$store[1].'">'.$store[1].'</a> ';
    } else {
        echo ' <A HREF="acid_app_faq.php#1">unknown</A>';
    }
}
</changed>
If the alert is a portscan, it searches for the IP and places it in the
'Source Address' column.
I then created the file acid_show_ps.php which can be downloaded from:
http://www.packethack.com/snort/acid_show_ps.php
An example of the output can be seen at:
http://www.packethack.com/snort/output_example.html
acid_show_ps.php takes the contents of 'portscan.log' and puts it in table
format.
You can also download the source from:
http://www.packethack.com/snort/acid_show_ps.php
I threw it together rather quickly, so any improvements are welcome.
Blake Frantz
=================================================================
The Government, like diapers, should be replaced regularly, and
often for the same reasons.
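The following is an added example, not Blake's patch and not ACID's own code: it shows the same source-address extraction done with preg_match, with the captured value validated as an IPv4 address and encoded before it is placed in the link, plus a small reader that turns portscan.log lines into table rows for one host. The helper names are hypothetical, the alert text and log lines are constructed, and the "Mon DD HH:MM:SS SRC:PORT -> DST:PORT TYPE [FLAGS]" line layout is an assumption about spp_portscan's log format.

```php
<?php
// Added example, not part of Blake's patch or ACID itself. Helper names
// (ps_source_ip, ps_link, ps_rows_for_ip) are hypothetical; the alert text
// and portscan.log lines below are constructed from the spp_portscan format.
// Pull the scanning host out of an spp_portscan alert message as the
// acid_pkt_sqlcalls.php change does, but with preg_match (ereg is gone in
// PHP 7) and a dotted-quad that is then validated. Returns null if absent.
function ps_source_ip(string $sig): ?string {
    if (!preg_match('/spp_portscan:.*?\b(\d{1,3}(?:\.\d{1,3}){3})\b/', $sig, $m)) {
        return null;
    }
    // Reject values such as 999.1.1.1 that the regex shape alone accepts.
    return filter_var($m[1], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) ? $m[1] : null;
}

// Build the 'Source Address' cell: urlencode() for the query string,
// htmlspecialchars() for the visible text.
function ps_link(string $sig): string {
    $ip = ps_source_ip($sig);
    if ($ip === null) {
        return ' <A HREF="acid_app_faq.php#1">unknown</A>';
    }
    $safe = htmlspecialchars($ip, ENT_QUOTES, 'UTF-8');
    return '<a href="acid_show_ps.php?ip=' . urlencode($ip) . '">' . $safe . '</a> ';
}

// Parse portscan.log lines ("Mon DD HH:MM:SS SRC:PORT -> DST:PORT TYPE [FLAGS]")
// and keep only rows whose source is $ip; malformed lines are skipped.
function ps_rows_for_ip(string $log, string $ip): array {
    $re = '/^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+):(\d+) -> (\S+):(\d+) (\S+)(?: (\S+))?$/';
    $rows = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (preg_match($re, $line, $m) && $m[2] === $ip) {
            $rows[] = ['time' => $m[1], 'src' => $m[2], 'sport' => (int)$m[3],
                       'dst' => $m[4], 'dport' => (int)$m[5],
                       'type' => $m[6], 'flags' => $m[7] ?? ''];
        }
    }
    return $rows;
}

// Constructed sample data (documentation-range addresses).
$alert = 'spp_portscan: PORTSCAN DETECTED from 192.0.2.10 (THRESHOLD 4 connections exceeded in 0 seconds)';
$log = "Jun 28 13:45:02 192.0.2.10:40001 -> 198.51.100.5:22 SYN ******S*\n"
     . "Jun 28 13:45:02 192.0.2.10:40002 -> 198.51.100.5:80 SYN ******S*\n"
     . "Jun 28 13:45:03 203.0.113.7:1025 -> 198.51.100.5:53 UDP\n";
echo ps_link($alert), "\n";
foreach (ps_rows_for_ip($log, ps_source_ip($alert) ?? '') as $r) {
    printf("%s %s:%d -> %s:%d %s %s\n", $r['time'], $r['src'], $r['sport'], $r['dst'], $r['dport'], $r['type'], $r['flags']);
}
```

With the sample data, ps_link yields a link for 192.0.2.10 and ps_rows_for_ip returns the two SYN rows from that host while skipping the 203.0.113.7 UDP line.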