Snort mailing list archives

A script to store ips and hostnames in the event table


From: Alain Tésio <alain () onesite org>
Date: Mon, 25 Jun 2001 21:25:52 +0200

Hi, I'm not sure if anyone is interested in this.
I've added the IPs and the hostnames to the event
table; the fields are updated by a script, see below
for an example.

Get the scripts from ftp://onesite.org/pub/snort.tar.gz,
change the connection parameters and launch snort.py;
it updates new rows. Apply the patch in a comment at
the top of snort.py first to add the new columns and indexes.

It doesn't reuse already stored resolved hostnames
(they should be in the DNS cache, right?).
If anyone is using it, tell me.

I wrote it on Debian Linux with Python 2.1 and
MySQLdb.

Alain

mysql> select * from event limit 3;
+-----+-----+----------------------------------------+---------------------+----------------+----------------+----------------------+----------------------+
| sid | cid | signature                              | timestamp           | ip_src         | ip_dst         | dns_src              | dns_dst              |
+-----+-----+----------------------------------------+---------------------+----------------+----------------+----------------------+----------------------+
|   1 |   1 | ICMP Echo Request CyberKit 2.2 Windows | 2001-05-26 16:28:23 | 172.173.75.254 | 64.242.40.20   | ACAD4BFE.ipt.aol.com | ns.floc.net          |
|   1 |   2 | ICMP Echo Reply                        | 2001-05-26 16:28:23 | 64.242.40.20   | 172.173.75.254 | ns.floc.net          | ACAD4BFE.ipt.aol.com |
|   1 |   3 | ICMP Echo Request Windows              | 2001-05-26 16:44:06 | 172.173.75.254 | 64.242.40.20   | ACAD4BFE.ipt.aol.com | ns.floc.net          |
+-----+-----+----------------------------------------+---------------------+----------------+----------------+----------------------+----------------------+
3 rows in set (0.01 sec)
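An added example, not Alain's snort.py from the archive: the same enrichment pass written against an in-memory sqlite3 table instead of MySQLdb (an assumption so it runs offline), with a per-run cache so each distinct IP is resolved only once and a pluggable resolver so the demo uses a constructed PTR map built from the hostnames in the output above rather than live DNS.

```python
import socket
import sqlite3

# Columns assumed from the "select * from event" output in the post.
SCHEMA = """CREATE TABLE event (
    sid INTEGER, cid INTEGER, signature TEXT, timestamp TEXT,
    ip_src TEXT, ip_dst TEXT, dns_src TEXT, dns_dst TEXT)"""


def reverse_lookup(ip):
    """Default resolver: PTR lookup through the system resolver; failures stay NULL."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def enrich_events(conn, resolve=reverse_lookup):
    """Fill dns_src/dns_dst on rows that still lack them.

    Returns (rows_updated, distinct_ips_resolved). The cache is per run, so a
    hostname shared by several rows costs one lookup; rows whose IP does not
    resolve keep NULL and are retried on the next run.
    """
    cache = {}

    def lookup(ip):
        if ip not in cache:
            cache[ip] = resolve(ip)
        return cache[ip]

    rows = conn.execute("SELECT sid, cid, ip_src, ip_dst FROM event "
                        "WHERE dns_src IS NULL OR dns_dst IS NULL").fetchall()
    for sid, cid, ip_src, ip_dst in rows:
        conn.execute("UPDATE event SET dns_src = ?, dns_dst = ? "
                     "WHERE sid = ? AND cid = ?",
                     (lookup(ip_src), lookup(ip_dst), sid, cid))
    conn.commit()
    return len(rows), len(cache)


# Constructed sample data: the three rows from the post, before enrichment.
SAMPLE_ROWS = [
    (1, 1, "ICMP Echo Request CyberKit 2.2 Windows", "2001-05-26 16:28:23",
     "172.173.75.254", "64.242.40.20", None, None),
    (1, 2, "ICMP Echo Reply", "2001-05-26 16:28:23",
     "64.242.40.20", "172.173.75.254", None, None),
    (1, 3, "ICMP Echo Request Windows", "2001-05-26 16:44:06",
     "172.173.75.254", "64.242.40.20", None, None),
]
# Constructed offline PTR map using the hostnames shown in the post's output.
FAKE_PTR = {"172.173.75.254": "ACAD4BFE.ipt.aol.com", "64.242.40.20": "ns.floc.net"}


def demo():
    """Run the pass twice on an in-memory table; the second run has nothing left to do."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    first = enrich_events(conn, resolve=FAKE_PTR.get)
    second = enrich_events(conn, resolve=FAKE_PTR.get)
    rows = conn.execute("SELECT cid, dns_src, dns_dst FROM event ORDER BY cid").fetchall()
    return first, second, rows
```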