Security Incidents mailing list archives

Re: Handling Scans.


From: Bill Munger <bmunger () LIGHTSHIPMAIL NET>
Date: Mon, 12 Feb 2001 16:18:08 -0500

abel wisman wrote:

Has (in addition to the question already asked) anybody made (perhaps) an
automated system based on, for instance, iplog, snort or tripwire, where mail
is generated to do this automatically?

would be an interesting feature

A while back, I started a script to do this. I abandoned it however
without really finishing it, but what I do have is pasted here.
Basically it gets the contact email for the IP given on the command
line. Doesn't help much for RIPE or APNIC addresses though, and it's
kind of clumsy, but it does work. Anyway, here it is if anybody is
interested:

---CUT HERE----
#!/usr/bin/perl
use strict;
use warnings;

my @save;    # every whois line seen so far, kept for the handle fallback
my $host = $ARGV[0] or die "please specify a host IP address.\n";

# Only a dotted quad may reach the whois command line.
$host =~ /^\d{1,3}(?:\.\d{1,3}){3}$/
  or die "'$host' does not look like an IPv4 address.\n";

my $email = q_arin($host);

if ($email) {
  print "$email\n";
}
else {
  # ARIN returned several records: take the handle in parentheses nearest
  # above its "single out one record" hint and query it with a leading "!".
  for my $i (0 .. $#save) {
    next unless $save[$i] =~ /single out one record/;
    my $handle;
    for (my $j = 1; $j <= $i; $j++) {    # walk back, but never past line 0
      if ($save[$i - $j] =~ /\((.*)\)/) {
        $handle = $1;
        last;
      }
    }
    print q_arin("!$handle"), "\n" if defined $handle;
  }
}

sub q_arin {
  my $t = shift;
  my $addr;
  # List-form open: the query is an argument to whois, never shell text.
  open(my $whois, '-|', 'whois', "$t\@rs.arin.net")
    or die "cannot run whois: $!\n";
  while (my $line = <$whois>) {
    push @save, $line;
    $addr = $1 if $line =~ /([^\s]+\@[^\s]+)/;
  }
  close $whois;
  return $addr;
}

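As an added illustration of the automated lookup the thread asks about (example code, not the script from the post above), here is an offline Python model of the same two-step logic: pull the source address out of an IDS alert line, refuse anything that is not a valid public address before it gets near a command line, search the registry reply for an e-mail, and otherwise fall back to the handle named just above the "single out one record" hint. The `whois` client is replaced by `fake_whois`, a table of constructed registry replies in the old ARIN text layout; the alert lines are constructed in Snort's fast-alert style; the organisation names, handles and addresses are invented sample data.

```python
"""Offline model of an IP-to-abuse-contact lookup driven by IDS alerts.
Added example, not the script from the post: the whois client is replaced by
a table of constructed registry replies so that everything runs offline."""
import ipaddress
import re
from email.message import EmailMessage

EMAIL_RE = re.compile(r'([^\s@<>()"]+@[^\s@<>()"]+)')   # same idea as the Perl regex
HANDLE_RE = re.compile(r"\(([A-Z0-9-]+)\)")             # registry handle in parentheses
ALERT_SRC_RE = re.compile(r"\{(?:TCP|UDP|ICMP)\}\s+(\S+?)(?::\d+)?\s+->")

# RFC 1918 space: an alert from here is local, no registry contact can act on it.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed registry replies in the old ARIN text style (assumed layout, sample
# data only). The documentation prefixes 198.51.100/24 and 203.0.113/24 stand in
# for real customer ranges, which is why they are not filtered out above.
FAKE_WHOIS = {
    "198.51.100.7": "OrgName:       Example Hosting Inc\n"
                    "OrgAbuseEmail: abuse@example.net\n",
    "203.0.113.77": "Example Transit LLC (NET-203-0-113-0-1) 203.0.113.0 - 203.0.113.255\n"
                    "Example Transit Customers (EXAMPCUST) 203.0.113.64 - 203.0.113.127\n"
                    'To single out one record, look it up with "!xxx", where xxx is the handle.\n',
    "!EXAMPCUST":   "OrgName:      Example Transit Customers\n"
                    "OrgTechEmail: noc@example.org\n",
}


def fake_whois(query):
    """Stand-in for running `whois <query>@rs.arin.net`; unknown queries get an empty reply."""
    return FAKE_WHOIS.get(query, "")


def source_ip_from_alert(line):
    """Pull the source address out of a Snort fast-alert style line."""
    m = ALERT_SRC_RE.search(line)
    return m.group(1) if m else None


def is_reportable(text):
    """Accept only a syntactically valid, public unicast address. Malformed input
    is rejected here instead of being handed to a command line."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in RFC1918)


def contact_from_whois(query, text_of=fake_whois):
    """Two-step lookup: take an e-mail from the first reply; if the registry
    instead lists several records, use the handle quoted just above its
    'single out one record' hint and re-query it as !HANDLE."""
    first = text_of(query)
    m = EMAIL_RE.search(first)
    if m:
        return m.group(1)
    lines = first.splitlines()
    for i, line in enumerate(lines):
        if "single out one record" in line:
            for prev in reversed(lines[:i]):        # bounded walk backwards
                h = HANDLE_RE.search(prev)
                if h:
                    m = EMAIL_RE.search(text_of("!" + h.group(1)))
                    return m.group(1) if m else None
    return None


def build_report(alert_line, text_of=fake_whois):
    """Draft the notification mail for one alert, or None if nothing can be sent."""
    src = source_ip_from_alert(alert_line)
    if src is None or not is_reportable(src):
        return None
    contact = contact_from_whois(src, text_of)
    if contact is None:
        return None
    msg = EmailMessage()
    msg["To"] = contact
    msg["Subject"] = f"Scan from {src} logged by our IDS"
    msg.set_content("Our sensor recorded the following event from your address space:\n\n"
                    f"{alert_line}\n")
    return msg


# Constructed alert lines in Snort's fast-alert layout (sample data only).
SAMPLE_ALERTS = [
    "02/12-16:18:08.123456 [**] [1:1000001:0] EXAMPLE portscan [**] {TCP} 203.0.113.77:4321 -> 192.0.2.10:22",
    "02/12-16:18:09.000001 [**] [1:1000001:0] EXAMPLE portscan [**] {TCP} 10.0.0.5:5555 -> 192.0.2.10:22",
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        report = build_report(alert)
        print(report.as_string() if report else f"skipped: {alert}")
```

Keeping the registry client behind a callable (`text_of`) is what makes the parsing testable without network access; in a live deployment it would be swapped for a function that runs the real whois client with the query passed as an argument rather than interpolated into a shell string, the same point the list-form `open` makes in the Perl version.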
