Snort mailing list archives
Portscan log parser/reporter
From: Andrew Daviel <andrew () andrew triumf ca>
Date: Wed, 2 May 2001 11:41:21 -0700 (PDT)
Does the world need another of these? Well, anyhow: I had been running snortsnarf on both alert and portscan logs, but recently it had been blowing up because of all these wide scans (I've been getting DNS scans across 50,000 addresses).

Most of the Snort alerts I get are, I'm fairly certain, bogus, result from people forging our unused addresses, or I don't care about, e.g. ICMP port unreachable, IIS Unicode attack, ftp (we use it), outgoing xterm (that too), etc. But I still keep logs around for backtracking.

However, it's fairly clear that the scans, at least to large numbers of addresses, are real, and I've been trying to report them. I was wasting too much time doing it by hand, and they really should be reported quickly if at all, so I have finally written a couple of scripts to do it for me. These are now available for others to use and improve:

http://andrew.triumf.ca/pub/security/reporter/

There are 2 scripts; one that reads /var/log/portscan.log every hour and makes a (not-very-pretty) HTML summary. It also determines if a scan is worth reporting (over 200 addresses, or over 200 privileged ports - I was getting false positives from large NFS and ftp data transfers) and sends an email message to the second script, plus myself.

The second script tries to determine the owner of the address. If it resolves, it tries to send mail to the RFC 2142 role account "abuse" for the domain. ".com" is easy, but 2-letter TLDs are more complex. I try to deal with .co.uk, .ac.uk, .co.jp, .xx.ca but have probably missed a lot. If it doesn't resolve, it tries to find a domain from an Apache or Sendmail banner. Many sites in Asia do not resolve and these tricks often work. If they don't, it uses whois and tries to build a role address, otherwise uses the address given. I was thinking to try whois and rwhois servers at the domain, e.g. hosting companies, if they exist, but didn't write the code as last time I tried exodus or verio was rejected.

Ideally, I should have a script to handle replies and non-delivery messages and update the contact database or iterate through "postmaster" and domain whois contacts, but that hasn't been written either. Some of this I know is similar to the geektools proxy and the forwarding system at abuse.net. I haven't tried a direct comparison. (I recently had a reply from someone who'd moved ISP but they hadn't updated the RDNS yet, so you can't always trust it ..)

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security () triumf ca
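As an added illustration (not Andrew's script, nor anything from the reporter package), here is how the first script's "worth reporting" rule, over 200 distinct target addresses or over 200 distinct privileged target ports from one source, can be applied to a Snort 1.x portscan.log. The line layout, the addresses and the log entries below are constructed assumptions, and the bulk-transfer case shows why counting only ports below 1024 avoids the NFS/ftp false positives mentioned in the post.

```python
import re
from collections import defaultdict

# Assumed Snort 1.x portscan.log line shape (constructed for this example):
#   "May  2 11:41:21 10.0.0.7:40000 -> 192.168.0.1:53 UDP"
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (\S+):(\d+) -> (\S+):(\d+) (\S+)"
)

ADDR_THRESHOLD = 200       # distinct target addresses, as in the post
PRIV_PORT_THRESHOLD = 200  # distinct target ports below 1024, as in the post


def summarize(lines):
    """Per source IP: (distinct target hosts, distinct privileged target ports)."""
    hosts = defaultdict(set)
    priv_ports = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not parse rather than crash
        src, _sport, dst, dport, _proto = m.groups()
        hosts[src].add(dst)
        if int(dport) < 1024:  # privileged ports only, so bulk transfers on high ports don't count
            priv_ports[src].add(int(dport))
    return {src: (len(hosts[src]), len(priv_ports[src])) for src in hosts}


def reportable(lines):
    """Source addresses whose activity exceeds either threshold."""
    return {src for src, (n_hosts, n_priv) in summarize(lines).items()
            if n_hosts > ADDR_THRESHOLD or n_priv > PRIV_PORT_THRESHOLD}


# Constructed sample log (addresses are invented): a DNS sweep across 250 hosts,
# a bulk NFS transfer using 300 high client ports to one host, and a vertical
# scan of 300 low ports on a single host.
SAMPLE_LOG = (
    [f"May  2 11:41:21 10.0.0.7:{40000 + i} -> 192.168.0.{i} UDP".replace(f"192.168.0.{i} ", f"192.168.0.{i}:53 ") for i in range(250)]
    + [f"May  2 11:45:00 10.0.0.8:{1024 + i} -> 192.168.9.9:2049 UDP" for i in range(300)]
    + [f"May  2 11:50:00 10.0.0.9:{50000 + i} -> 192.168.9.9:{1 + i} SYN" for i in range(300)]
)

if __name__ == "__main__":
    flagged = reportable(SAMPLE_LOG)
    for src, (n_hosts, n_priv) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:15} hosts={n_hosts:4} priv_ports={n_priv:4} {'REPORT' if src in flagged else 'ignore'}")
```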