Snort mailing list archives

Correlation with Scripts/DB Question.


From: "Vinay A. Mahadik" <VAMahadik () lbl gov>
Date: Tue, 13 Aug 2002 10:54:00 -0700

I have only tried SnortSnarf as of now, but it didn't help. Before
trying further, I decided to ask first.

All I want to do is this - For a given Snort 'alert' file, for Each+All
(sip, none/dip) Pair(s) in the entire file, generate an output like -

"sip[k1], none/dip[k2], timestamp[k3], sid, sport, dport[k4]"

for the entire alert file. The [ki]s indicate the sort keys and the
level (primary, secondary etc). Order of k3 and k4 should ideally be
switchable.

As you might see, I want to see the *time-sequence* of alerts (sids)
triggered by a sip on a particular dip (which might be
none=entire_network for portscans e.g.) for all such (sip, dip) pairs
present.

Does anything do that? Or should one resort to awk/sed/perl scripts for
such?

Do let me know if that's possible/already-done. If you have scripts that
extract this info from the alerts file, I would really appreciate a
copy.

Thanks,
Vinay.

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618
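The grouping and sorting the post asks for, as an added example (not code from the poster or from the Snort project). It assumes the alert file is in Snort's one-line "fast" alert format and that the sample lines, the helper names (parse_alert, sequence_by_pair, _ipkey) and the "none" destination for spp_portscan alerts are all constructed for illustration; k3/k4 (timestamp vs. dport) are switchable through the time_before_dport flag.

```python
import re
from collections import defaultdict

# Snort's one-line "fast" alert format (assumption: the poster's file uses it, not the
# multi-line "full" format). spp_portscan alerts have no "sip:sport -> dip:dport" tail.
FAST_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'(?:.*?\{\w+\}\s+(?P<sip>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+'
    r'(?P<dip>[\d.]+)(?::(?P<dport>\d+))?)?\s*$')

def parse_alert(line):
    """Return (sip, dip, ts, sid, sport, dport) for one alert line, else None."""
    m = FAST_RE.match(line)
    if not m:
        return None
    sip, dip = m['sip'], m['dip']
    if sip is None:
        # Portscan alert: the scanner is named in the message; the target is the
        # whole network, which the poster writes as "none".
        src = re.search(r'from\s+([\d.]+)', m['msg'])
        sip, dip = (src.group(1) if src else 'none'), 'none'
    port = lambda p: int(p) if p else -1  # -1 marks "no port"
    return (sip, dip, m['ts'], int(m['sid']), port(m['sport']), port(m['dport']))

def _ipkey(addr):
    """Sort dotted quads numerically; 'none' sorts after every real address."""
    return (1, ()) if addr == 'none' else (0, tuple(int(o) for o in addr.split('.')))

def sequence_by_pair(lines, time_before_dport=True):
    """Group by (sip, dip) [k1, k2]; order each group by (ts, dport) [k3, k4] or (dport, ts)."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_alert(line)
        if rec:
            groups[(rec[0], rec[1])].append(rec)
    inner = (lambda r: (r[2], r[5])) if time_before_dport else (lambda r: (r[5], r[2]))
    rows = []
    for pair in sorted(groups, key=lambda p: (_ipkey(p[0]), _ipkey(p[1]))):
        rows.extend(sorted(groups[pair], key=inner))
    return rows

# Constructed sample alert lines, not taken from the poster's file.
SAMPLE_ALERTS = [
    '08/13-10:54:03.000001 [**] [1:1421:2] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.5:3302 -> 10.1.2.9:705',
    '08/13-10:54:01.000002 [**] [1:1420:2] SNMP trap tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.5:3301 -> 10.1.2.9:162',
    '08/13-10:54:02.000003 [**] [1:1418:2] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.5:3300 -> 10.1.2.9:161',
    '08/13-10:53:59.000004 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 10.1.1.5 (THRESHOLD 4 connections exceeded in 0 seconds) [**]',
    '08/13-10:54:05.000005 [**] [1:1418:2] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.7:4000 -> 10.1.2.9:161',
]
```

Each returned row is "sip, dip, timestamp, sid, sport, dport" in the poster's column order; feed the rows to a print loop or csv writer to get the flat file described above.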

