FW: Anyone good with sed, awk, perl, php for a script request.....

["Donofrio, Lewis" <donofrio () umich edu>]

This script does a whois and grep's out the "Administrative Contact" to
allow *them* (the ISP of attacker) to notify the user to 'cease and
desist'

> 2.) Does anyone have the ability to craft up a php script or awk or 
> sed or grep script that would create the following email's from the 
> snort logs?  The current script analyzes the 'Attack-list.cvs" to get 
> the info needed then it does a whois on the attacker's IP and queries 
> for Administrative Contact for that subnet and sends them this 
> email....first it emails me so I can authorize that its not a 'False 
> Positive'
>
> ***SNIPPED****
> > ****** Mail sent to: stievano () windnet it at: 7/28/2002 10:55:18 AM 
> > Administrative Contact: stievano () windnet it
> >
> > On 11:44:04 PM,Sunday, July 28, 2002, there were several
> unauthorized
> > attempts to access servers here at the University of Michigan, USA. 
> > The attempts appear to have originated from 212.94.129.152,
> a host in
> > your domain. I'm sending you the portion of our log files
> that alerted
> > us to this breakin attempt. The times indicated are Eastern
> Daylight
> > Time.
> >
> >  Since this activity amounts to trying to gain illegal access to a 
> > government machine across state lines, I appreciate your
> assistance in
> > preventing future intrusion attempts from this machine. Thanks.
> >
> > http://advice.networkice.com/advice/Intrusions/2003013/?port=1
> > 433&reason=RSTsent
> > ********SNIPPED FROM ATTACKLIST.CVS********
> > Severity            1
> > Timestamp (GMT)     2002-07-28 23:44:44
> > IssueId             2003013
> > IssueName           SQL port probe
> > IntruderIp          212.94.129.152
> > IntruderName        SUPROBY
> > VictimIp            198.111.227.57
> > VictimName
> > Attack Parameters   port=1433&reason=RSTsent
> > Attack Count        8
> > Intruder Port       2654
> > Victim Port         1433
> > ********SNIPPED FROM ATTACKLIST.CVS********
> >
> > --Thanks.
> ______________________________________________________________________
> > Lewis       Donofrio () umich edu   College of Literature, 
> Science, & Arts
> > 1007 East Huron, Room 201,  BetaID:243340   Cell: (734) 323-8776
> > Ann Arbor,MI 48104-1690     www.umich.edu/~donofrio Fax:
> > (734) 647-8333
> ***SNIPPED****
>
> 2.5) note above the ATTACK COUNT is Eight!


______________________________________________________________________ 
Lewis   Donofrio () umich edu   College of Literature, Science, & Arts 
1007 East Huron, Room 201,      BetaID:243340   Cell: (734) 323-8776
Ann Arbor,MI 48104-1690 www.umich.edu/~donofrio  Fax: (734) 647-8333 



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users