Snort mailing list archives
Highlighting an IP address in an alert/log
From: "Peter Bates" <Peter.Bates () lshtm ac uk>
Date: Tue, 21 May 2002 11:41:02 +0100
Hello all... This might seem like an odd request/thing to want to do, but here I go, anyway...

I have a large group (about 200+ lines, I think) of networks expressed in the usual way in a file, e.g. w.x.y.z/16. These are networks I'm particularly interested in noticing activity from... I have a Perl script, using Net::NetMask, which I presently pass logs through, but it could trivially take, say, an IP address on STDIN, and then return an error status depending on whether the IP 'matched' the list or not.

Is there any way of doing this internally in snort (like essentially having the Perl script as a 'helper'), or should I just look at something to wrap around my logs? (I'd naturally like to do it 'real-time' as I normally watch Snort syslogging, while also preserving the logs in other ways.)

If I held all of the networks, I suppose I could just have a generic rule to alert on traffic 'from' the nets... it's just that it is a very big list :)

Thanks for any suggestions.

--
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone: 0207-927 2124 / Fax: 0207-636 9838
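An added example, not from Peter's post or the Snort project: a Python filter that does the "wrap around my logs" job described above. It indexes the watched networks by prefix length so each source address costs a handful of hash probes rather than a linear pass over 200+ entries, picks the longest matching prefix, and prints only the syslog alerts whose source falls in a watched net; it can also emit the list as a Snort `var` IP list for the rule-based alternative the post mentions. The watch list, the sample alert lines, the regular expression for the "{PROTO} src -> dst" tail of a Snort syslog alert, and the `WATCHED` variable name are all constructed for this example, and Python's `ipaddress` stands in for Net::Netmask.

```python
"""Highlight Snort syslog alerts whose source address is in a watched-network list."""
import ipaddress
import re
import sys
from collections import defaultdict

# Constructed stand-in for the ~200-line networks file (comments and blank lines allowed).
WATCH_LIST = """
# watched networks, one per line, CIDR or bare host
10.0.0.0/8
10.1.0.0/16        # more specific than the /8 above; longest prefix wins
192.0.2.0/24
203.0.113.0/25
198.51.100.7
"""

# Constructed Snort syslog alert lines (not a real capture); the "{PROTO} src -> dst"
# tail is the only part the parser relies on.
SAMPLE_LOG = """
May 21 11:41:02 ids snort[1234]: [1:469:1] ICMP PING NMAP [Priority: 2]: {ICMP} 10.1.2.3 -> 172.16.0.5
May 21 11:41:03 ids snort[1234]: [1:1000:1] WEB-MISC probe [Priority: 3]: {TCP} 198.51.100.7:40123 -> 172.16.0.8:80
May 21 11:41:04 ids snort[1234]: [1:1001:1] SNMP request [Priority: 2]: {UDP} 203.0.113.200:1611 -> 172.16.0.9:161
May 21 11:41:05 ids snort[1234]: [1:1002:1] SCAN synscan [Priority: 2]: {TCP} 192.0.2.77:3333 -> 172.16.0.9:22
May 21 11:41:06 ids snort[1234]: [1:1003:1] ICMP echo [Priority: 3]: {ICMP} 10.200.1.1 -> 172.16.0.2
"""

# Assumed alert tail format: "{PROTO} src[:port] -> dst[:port]".
ALERT_RE = re.compile(r"\{\w+\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?")


def load_watch_list(text):
    """Index networks as {prefix_len: {network_int, ...}}.

    Lookup then costs one hash probe per distinct prefix length (a handful)
    instead of a linear pass over all 200+ networks for every address.
    """
    index = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)  # tolerate host bits set, e.g. 10.1.2.3/24
        if net.version != 4:
            raise ValueError("IPv4 only: %s" % line)
        index[net.prefixlen].add(int(net.network_address))
    return index


def match(ip_str, index):
    """Return the most specific watched network containing ip_str, or None."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version != 4:
        return None
    ip_int = int(ip)
    for plen in sorted(index, reverse=True):  # longest prefix first
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        net_int = ip_int & mask
        if net_int in index[plen]:
            return ipaddress.ip_network((net_int, plen))
    return None


def scan(log_text, index):
    """Return (src, matched_net, line) for each alert whose source is in a watched net."""
    hits = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line, or a format this parser does not know
        net = match(m.group("src"), index)
        if net is not None:
            hits.append((m.group("src"), str(net), line.strip()))
    return hits


def snort_var(name, index):
    """Emit the list as a Snort IP-list variable for the rule-based alternative, e.g.
    alert ip $WATCHED any -> $HOME_NET any (msg:"traffic from watched net";)
    """
    nets = sorted(ipaddress.ip_network((n, p)) for p, s in index.items() for n in s)
    return "var %s [%s]" % (name, ",".join(str(n) for n in nets))


if __name__ == "__main__":
    # Real-time use: tail -F /var/log/snort.log | python watch.py
    idx = load_watch_list(WATCH_LIST)
    for line in sys.stdin:
        for src, net, text in scan(line, idx):
            print("%-15s in %-18s %s" % (src, net, text))
```

Run over the constructed sample, `scan` flags four of the five alerts: 10.1.2.3 is reported under 10.1.0.0/16 rather than 10.0.0.0/8 because the longer prefix is tried first, and 203.0.113.200 is left alone because the /25 only covers .0 through .127. The /32 entry shows that bare host addresses in the list work without special-casing.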