Snort mailing list archives

Highlighting an IP address in an alert/log


From: "Peter Bates" <Peter.Bates () lshtm ac uk>
Date: Tue, 21 May 2002 11:41:02 +0100


Hello all...

This might seem like an odd request/thing to want to do,
but here I go, anyway...

I have a large group (about 200+ lines, I think) of
networks expressed in the usual way in a file, e.g.

w.x.y.z/16

These are networks I'm particularly interested in noticing
activity from ...

I have a Perl script, using Net::NetMask, which I presently pass logs
through, but it could trivially take, say, an IP address on STDIN, and
then return an error status depending on whether the IP 'matched'
the list or not.

Is there any way of doing this internally in snort (like essentially having
the Perl script as a 'helper'), or should I just look at something to wrap
around my logs? (I'd naturally like to do it 'real-time' as I normally watch
Snort syslogging, while also preserving the logs in other ways).

If I held all of the networks, I suppose I could just have a generic
rule to alert on traffic 'from' the nets... it's just that it is a very
big list :)

Thanks for any suggestions.




--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax: 0207- 636 9838 
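As an added illustration of the log-wrapping approach described in the post (this is not Peter's Perl script and not part of the original message), the following Python script reads a file of CIDR networks, checks the source IP of each Snort syslog line against it, exits non-zero when nothing matched, and can also emit the network list as a Snort `var` line for the rule-based alternative. The network list and log lines are constructed samples.

```python
#!/usr/bin/env python3
"""Match source IPs in Snort syslog lines against a file of CIDR networks."""
import ipaddress
import re
import sys

# Constructed sample network list (the real file has 200+ such lines).
WATCH_NETS_TEXT = """\
# blank lines and comments are ignored
10.0.0.0/8
192.0.2.0/24
198.51.100.0/25
"""

# Constructed Snort syslog alert lines; Snort prints "src[:port] -> dst[:port]".
SAMPLE_LOG = """\
May 21 11:41:02 sensor snort[1234]: [1:1000001:1] TEST {TCP} 192.0.2.17:4455 -> 203.0.113.5:22
May 21 11:41:03 sensor snort[1234]: [1:1000002:1] TEST {UDP} 203.0.113.9:53 -> 198.51.100.200:1025
May 21 11:41:04 sensor snort[1234]: [1:1000003:1] TEST {ICMP} 10.20.30.40 -> 203.0.113.5
"""

# Dotted-quad IPv4 not embedded in a longer number/dotted string (ports after ':' are fine).
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def load_networks(text):
    """Parse one CIDR per line into ip_network objects, skipping blanks and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def matching_networks(ip, nets):
    """Return every watched network that contains ip (a string)."""
    addr = ipaddress.ip_address(ip)
    return [n for n in nets if addr in n]

def scan_log(log_text, nets):
    """Return (line, source_ip, network) for each line whose source IP is watched."""
    hits = []
    for line in log_text.splitlines():
        ips = IPV4_RE.findall(line)
        if ips:  # first address on the line is the source
            for net in matching_networks(ips[0], nets):
                hits.append((line, ips[0], str(net)))
    return hits

def to_snort_var(nets, name):
    """Render the list as a Snort IP-list variable, e.g. for 'alert ip $NAME any -> ...'."""
    return "var %s [%s]" % (name, ",".join(str(n) for n in nets))

if __name__ == "__main__":
    nets = load_networks(open(sys.argv[1]).read() if len(sys.argv) > 1 else WATCH_NETS_TEXT)
    hits = scan_log(sys.stdin.read(), nets)  # e.g. tail -f syslog | ./watch.py nets.txt
    for line, src, net in hits:
        print("%s matched %s: %s" % (src, net, line))
    sys.exit(0 if hits else 1)
```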

