Snort mailing list archives
Problem using honeysuckle
From: "Maetzky, Steffen (Extern)" <Steffen.Maetzky () gedas de>
Date: Mon, 19 Jul 2004 12:24:02 +0200
Hi,

I'm testing honeysuckle to find out how it works because I have no Perl knowledge. I have made a Nessus scan on localhost to get a .nsr file. I have moved the print line of honeysuckle.pl into the last if statement (after $priority++). If I start honeysuckle with

./honeysuckle.pl .nsr sid-msg.map < log.csv

I get a message like this: no log.csv. If I create an empty one I can start honeysuckle, but after adding some print statements for debugging it seems to me that the last function:

foreach my $line (<STDIN>)

is never entered. Does anyone know why? Is it because of an empty log.csv?

Thanks in advance,
Steffen

#!/usr/bin/perl
# honeysuckle - Vulnerability Correlation with snort & nessus
#
# Copyright (C) 2002 Brian Caswell <bmc () snort org>
#
# "Any sufficiently advanced technology is indistinguishable from a simple perl
# script"
#
# honeysuckle is an implementation of IDS alert & vulnerability correlation based
# on snort alerts & nessus scan. We modify our priority in an attempt to get our
# monitor jockeys to focus on the really important stuff.
#
# I don't know about you, but when someone is shooting bullets at me, I
# would like to know they are shooting at me, even if they miss.
#
# (If you want to be dumb, err... ignore attacks that "you are not vulnerable
# to", move the print line to be inside of the last if statement)
#
# This code uses Nessus reports and snort's sid-msg.map to handle mappings
# via CVE maps.
#
# We take CSV input of the following format:
# srcip,dstip,priority,event
#
use strict;
use warnings;

if (@ARGV != 2) {
    print "Usage : $0 output.nsr sid-msg.map < log.csv\n";
    exit;
}

open(NSR, '<', $ARGV[0])    || die "Ack, your NSR isn't there!\n";
open(SIDMAP, '<', $ARGV[1]) || die "Ack, your sig-msg.map isn't there!\n";

my (%vulnerabilities, %sigs);

# Nessus report: host -> { CVE/CAN id -> 1 }
foreach my $line (<NSR>) {
    if ($line =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*;CVE : (\w{3}-\d{4}-\d+);/) {
        $vulnerabilities{$1}{$2} = 1;
    }
}

# sid-msg.map: "sid || msg || ref,value || ..." -> alert message -> { CVE id -> 1 }
foreach my $line (<SIDMAP>) {
    next if ($line =~ /^\s*\#/);
    chomp($line);
    my ($sid, $msg, @refs) = split(/ \|\| /, $line);
    foreach my $ref (@refs) {
        if ($ref =~ /^cve,(.*)$/) {
            $sigs{$msg}{$1} = 1;
            # $sids{$sid}{$1} = 1; # Got sids? try using these...
        }
    }
}

# Alerts on STDIN: srcip,dstip,priority,event
# (with no input on STDIN this loop body never runs, so nothing is printed)
foreach my $line (<STDIN>) {
    chomp($line);
    my ($srcip, $dstip, $priority, $event) = split(/,/, $line);
    if ($sigs{$event}) {
        # iterate the CVE ids (hash keys) for this alert, not keys and values
        foreach my $cve (keys %{$sigs{$event}}) {
            if ($vulnerabilities{$srcip}{$cve} || $vulnerabilities{$dstip}{$cve}) {
                $priority++;
                print "$srcip,$dstip,$priority,$event\n";
            }
        }
    }
    # the print statement is originally placed here
}
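The correlation honeysuckle performs (Nessus host-to-CVE findings joined against snort's sid-msg.map CVE references, then applied to an alert CSV) is shown below as an added Python re-implementation; it is not code from the original post or from honeysuckle itself. All three inputs are constructed samples that follow the formats the script expects (the host and ";CVE : id;" tail of an .nsr line, the " || "-separated sid-msg.map fields, and srcip,dstip,priority,event alerts); the sid numbers and messages are illustrative, not taken from a real ruleset. The only_vulnerable flag reproduces the effect of moving the print into the innermost if, and an empty alert feed produces no output at all, which is what the poster observed with an empty log.csv.

```python
import re

# Constructed sample inputs (not from the original post or from honeysuckle).
# Nessus .nsr lines: only the leading host and the ";CVE : <id>;" tail matter,
# which is exactly what honeysuckle's regex keys on. CAN- ids match as well.
NSR_SAMPLE = """\
192.168.1.10|www (80/tcp)|10330|Security Hole|Chunked encoding overflow ;CVE : CVE-2002-0392;
192.168.1.20|ssh (22/tcp)|10882|Security Warning|OpenSSH challenge-response ;CVE : CAN-2002-0640;
192.168.1.30|general/tcp|10287|Security Note|traceroute info, no CVE
"""

# sid-msg.map lines: "sid || msg || ref,value || ref,value ..." (constructed)
SID_MAP_SAMPLE = """\
# comment lines are skipped
1807 || WEB-MISC Chunked-Encoding transfer attempt || bugtraq,4474 || cve,CVE-2002-0392
1324 || EXPLOIT ssh CRC32 overflow || bugtraq,2347 || cve,CVE-2001-0144
1002 || WEB-IIS cmd.exe access || bugtraq,1806
"""

# Alert CSV lines: srcip,dstip,priority,event (constructed)
LOG_SAMPLE = """\
10.0.0.5,192.168.1.10,2,WEB-MISC Chunked-Encoding transfer attempt
10.0.0.5,192.168.1.20,2,EXPLOIT ssh CRC32 overflow
10.0.0.5,192.168.1.30,1,WEB-IIS cmd.exe access
"""

# Same pattern as the Perl script: host at line start, CVE/CAN id near the end.
NSR_RE = re.compile(r'^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*;CVE : (\w{3}-\d{4}-\d+);')


def parse_nsr(text):
    """host -> set of CVE/CAN ids Nessus reported for that host."""
    vulns = {}
    for line in text.splitlines():
        m = NSR_RE.match(line)
        if m:
            vulns.setdefault(m.group(1), set()).add(m.group(2))
    return vulns


def parse_sid_map(text):
    """alert message -> set of CVE ids referenced for that signature."""
    sigs = {}
    for line in text.splitlines():
        if not line.strip() or re.match(r'^\s*#', line):
            continue
        fields = line.split(' || ')
        msg, refs = fields[1], fields[2:]
        for ref in refs:
            if ref.startswith('cve,'):
                sigs.setdefault(msg, set()).add(ref[len('cve,'):])
    return sigs


def correlate(vulns, sigs, log_text, only_vulnerable=False):
    """Return CSV rows with priority raised by one per CVE that src or dst is vulnerable to.

    only_vulnerable=True mirrors moving the print into the innermost if:
    alerts that match no known vulnerability are dropped from the output.
    """
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, prio, event = line.split(',', 3)
        hits = [cve for cve in sigs.get(event, ())
                if cve in vulns.get(src, ()) or cve in vulns.get(dst, ())]
        new_prio = int(prio) + len(hits)
        if hits or not only_vulnerable:
            out.append(f"{src},{dst},{new_prio},{event}")
    return out


if __name__ == "__main__":
    v = parse_nsr(NSR_SAMPLE)
    s = parse_sid_map(SID_MAP_SAMPLE)
    for row in correlate(v, s, LOG_SAMPLE):
        print(row)
    # An empty alert feed yields no rows at all, as with an empty log.csv.
    print(correlate(v, s, ""))
```

Only the first alert is escalated (its destination carries the CVE the signature references); the second targets a host whose Nessus finding is a different CVE, and the third signature has no CVE reference in the map at all, so both keep their original priority.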