Snort mailing list archives
RE: email notification scripts
From: "Mike Koponick" <mike () redhawk info>
Date: Fri, 3 Jan 2003 09:17:49 -0800
Keep in mind that you must install the DBD and DBI modules for Perl, if you have not already done so. You can find these at cpan.org

VJay, thanks for the script!!

Mike

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of larosa, vjay
Sent: Friday, January 03, 2003 8:18 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] email notification scripts

Okay,

Too many people responded so I will post the perl script to the whole list. Sorry to those who are not interested.

vjl

-----Original Message-----
From: larosa, vjay [mailto:larosa_vjay () emc com]
Sent: Friday, January 03, 2003 8:11 AM
To: 'Ryan Ordway'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] email notification scripts

This is an example of the output,

# ./Daily-IDS-Report.pl
IDS Event Statistics.

Event Name    Number of Events
SCAN UPNP service discover attempt    32110
SHELLCODE x86 NOOP    19709
SHELLCODE x86 unicode NOOP    8917
POP3 PASS overflow attempt    5227
POP3 USER overflow attempt    3784
SHELLCODE x86 stealth NOOP    2434
RPC mountd UDP exportall request    2332
DNS zone transfer    1258
WEB-MISC robots.txt access    842
WEB-CLIENT javascript URL host spoofing attempt    828
TELNET access    758
SHELLCODE x86 inc ebx NOOP    756
WEB-MISC net attempt    447
RPC portmap UDP proxy attempt    411
WEB-CGI count.cgi access    386
WEB-ATTACKS mail command attempt    359
ATTACK RESPONSES id check returned root    208
RPC mountd TCP exportall request    177
WEB-MISC ICQ Webfront HTTP DOS    129
POP3 AUTH overflow attempt    109
RPC mountd UDP export request    98
VIRUS Klez Incoming    95
RSERVICES rsh root    84
FTP CWD overflow attempt    63
WEB-CGI cgiwrap access    60
WEB-MISC nc.exe attempt    58
WEB-MISC intranet access    57
DDOS mstream client to handler    56
WEB-MISC login.htm access    40
WEB-MISC cisco /%% DOS attempt    38
SHELLCODE sparc setuid 0    33
WEB-ATTACKS cc command attempt    32
WEB-ATTACKS /bin/ps command attempt    31
POP3 LIST overflow attempt    27
WEB-MISC handler access    26
FTP wu-ftp bad file completion attempt [    25
WEB-MISC /exchange/root.asp access    23
NETBIOS Fun Love NTLDR    23
NETBIOS Fun Love flcss.exe    22
WEB-MISC RBS ISP /newuser access    19
WEB-MISC cd..    18
SHELLCODE x86 setgid 0    18
ORACLE all_tables access    16
SHELLCODE x86 EB OC NOOP    15
EXPLOIT ntpdx overflow attempt    15
EXPLOIT CDE dtspcd exploit attempt    14
ATTACK RESPONSES http dir listing    13
WEB-MISC apache ?M=A directory list attempt    12
SHELLCODE x86 setuid 0    12
DDOS shaft client to handler    11
WEB-FRONTPAGE _vti_rpc access    11
TELNET login incorrect    11
BAD TRAFFIC udp port 0 traffic    11
DOS DB2 dos attempt    10
WEB-CGI /cgi-bin/ access    9
WEB-CGI ad.cgi access    9
WEB-MISC ftp attempt    8
NETBIOS Samba clientaccess    8
WEB-CGI finger access    8
WEB-MISC /home/ftp access    8
NETBIOS Possible NTLDR modification    8
FTP CWD ~<CR><NEWLINE> attempt    7
WEB-MISC Transfer-Encoding: chunked    7
WEB-IIS _vti_inf access    7
WEB-MISC plusmail access    6
WEB-CGI htsearch access    5
WEB-IIS ISAPI .idq attempt    5
WEB-CGI cvsweb.cgi access    5
POP3 APOP overflow attempt    5
WEB-CGI register.cgi access    5
BAD TRAFFIC same SRC/DST    5
WEB-CGI swc access    5
Virus - Possible scr Worm    4
WEB-MISC Domino domcfg.nsf access    4
WEB-IIS asp-dot attempt    4
WEB-CGI upload.pl access    4
WEB-MISC Domino names.nsf access    3
VIRUS Klez in POP MIME attachment    3
WEB-CLIENT Outlook EML access    3
ATTACK RESPONSES command completed    2
Virus - Possible pif Worm    2
WEB-CGI db2www access    2
MS-SQL/SMB sa login failed    2
DNS SPOOF query response with ttl: 1 min. and no authority    2
WEB-IIS _mem_bin access    2
WEB-ATTACKS perl execution attempt    2
WEB-PHP php.exe access    2
FTP SITE overflow attempt    2
WEB-IIS webdav file lock attempt    2
WEB-CGI eXtropia webstore access    2
WEB-CGI icat access    2
WEB-MISC /home/www access    2
WEB-CGI eXtropia webstore directory traversal    2
MISC MS Terminal server request (RDP)    1
MS-SQL xp_reg* - registry access    1
WEB-MISC Lotus EditDoc attempt    1
WEB-MISC telnet attempt    1
WEB-IIS ISAPI .idq access    1
WEB-MISC DELETE attempt    1
WEB-CGI formmail access    1
WEB-IIS encoding access    1
WEB-IIS .... access    1
WEB-CGI phf access    1
WEB-CGI Web Shopper shopper.cgi access    1
SCAN myscan    1
WEB-PHP directory.php access    1
WEB-CGI archie access    1
WEB-MISC /....    1
WEB-MISC jigsaw dos attempt    1
WEB-CGI AlienForm af.cgi access    1
FTP invalid MODE    1
WEB-IIS .asp Transfer-Encoding: chunked    1
WEB-COLDFUSION ?Mode=debug attempt    1
DDOS mstream handler to client    1
DDOS TFN Probe    1
WEB-MISC musicat empower access    1
SQL Server Scan    1

Total Number of Events: 82475

-----Original Message-----
From: Ryan Ordway [mailto:ryan () nwgeeks com]
Sent: Thursday, January 02, 2003 6:34 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] email notification scripts

I've recently moved from an alert logging based Snort system to a MySQL based logging Snort system. Previously I had a script that would parse the alert file periodically and email the output to me if certain conditions existed (certain rules had been matched). Now of course, there is no alerts file to parse. Is there a script available online somewhere that will connect to the database and run a query to list all alerts logged in the last x amount of time? I'm trying to write one myself, but not having much luck unfortunately.... maybe something to use as an example?

Thanks muchly,

Ryan
--
ryan () nwgeeks com
HELO... my name is root... you have SIGKILLed my father... prepare to vi!
Hi! Can you to speak to me the learn for to speak the Unix?
-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
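The kind of script Ryan asks for and vjay's report produces, written out as an added example; it is not part of the thread and not vjay's Daily-IDS-Report.pl. It is in Python with an in-memory SQLite stand-in for the Snort MySQL database so it runs offline; a real run would open a MySQL connection instead (the Perl version needs the DBI and DBD modules Mike mentions). The `event` and `signature` table layout follows the classic Snort database schema, which is an assumption to check against your own installation; the sample events, the reference time and the addresses are constructed, and the notification e-mail is built but not sent.

```python
import sqlite3
from datetime import datetime, timedelta
from email.message import EmailMessage

# Subset of the classic Snort database schema (assumption: an `event` table keyed
# by (sid, cid) with a `signature` foreign key and a DATETIME `timestamp`, and a
# `signature` table holding `sig_name`). Adjust names to match your schema.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER NOT NULL,
                    timestamp TEXT NOT NULL, PRIMARY KEY (sid, cid));
"""

# Constructed reference time and sample data: (signature, hours before now, count)
DEMO_NOW = datetime(2003, 1, 3, 9, 0, 0)
SAMPLE_EVENTS = [
    ("SHELLCODE x86 NOOP", 1, 5),
    ("WEB-MISC robots.txt access", 2, 3),
    ("ATTACK RESPONSES id check returned root", 3, 1),
    ("SCAN UPNP service discover attempt", 30, 40),  # older than 24h: excluded
]

def ts(dt):
    """Format a datetime the way a DATETIME column compares (lexically sortable)."""
    return dt.strftime("%Y-%m-%d %H:%M:%S")

def seed_demo_db(now):
    """Create an in-memory database populated with SAMPLE_EVENTS around `now`."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    cid = 0
    for sig_id, (name, hours_ago, count) in enumerate(SAMPLE_EVENTS, start=1):
        conn.execute("INSERT INTO signature VALUES (?, ?)", (sig_id, name))
        when = ts(now - timedelta(hours=hours_ago))
        for _ in range(count):
            cid += 1
            conn.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig_id, when))
    conn.commit()
    return conn

def recent_event_counts(conn, now, hours):
    """Events per signature in the last `hours` hours, busiest first.

    The cutoff is a bound parameter, never interpolated into the SQL string;
    DBI placeholders give the same protection in the Perl version.
    """
    since = ts(now - timedelta(hours=hours))
    sql = """
        SELECT s.sig_name, COUNT(*) AS n
        FROM event e JOIN signature s ON s.sig_id = e.signature
        WHERE e.timestamp >= ?
        GROUP BY s.sig_name
        ORDER BY n DESC, s.sig_name
    """
    return [(name, n) for name, n in conn.execute(sql, (since,))]

def format_report(rows):
    """Render rows in the same shape as the Daily-IDS-Report output above."""
    width = max([len("Event Name")] + [len(name) for name, _ in rows])
    lines = ["IDS Event Statistics.", "",
             f"{'Event Name':<{width}}  Number of Events"]
    lines += [f"{name:<{width}}  {n}" for name, n in rows]
    lines += ["", f"Total Number of Events: {sum(n for _, n in rows)}"]
    return "\n".join(lines)

def matching_watchlist(rows, watchlist):
    """Rows whose signature name contains any watchlist entry (case-insensitive)."""
    return [(name, n) for name, n in rows
            if any(w.lower() in name.lower() for w in watchlist)]

def build_notification(rows, watchlist, sender, recipient):
    """Build the e-mail to send only if a watched signature fired; else None."""
    hits = matching_watchlist(rows, watchlist)
    if not hits:
        return None
    msg = EmailMessage()
    msg["Subject"] = f"[snort] {len(hits)} watched signature(s) fired"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content(format_report(rows))
    return msg  # hand to smtplib.SMTP(...).send_message(msg) in a real run

if __name__ == "__main__":
    conn = seed_demo_db(DEMO_NOW)
    rows = recent_event_counts(conn, DEMO_NOW, hours=24)
    print(format_report(rows))
    mail = build_notification(rows, ["ATTACK RESPONSES", "SHELLCODE"],
                              "snort@example.invalid", "ids-team@example.invalid")
    print("notify:", mail is not None)
```

Run from cron at the interval Ryan describes, with `hours` set to the same interval, and only the watchlist decides whether mail goes out; the full ranked table still lands in the body so the recipient sees the noise around the hit.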
Current thread:
- email notification scripts Ryan Ordway (Jan 02)
- Snort2html.pl Mike Koponick (Jan 02)
- Re: email notification scripts Edin Dizdarevic (Jan 07)
- <Possible follow-ups>
- RE: email notification scripts larosa, vjay (Jan 03)
- RE: email notification scripts Ryan Ordway (Jan 03)
- RE: email notification scripts larosa, vjay (Jan 03)
- RE: email notification scripts larosa, vjay (Jan 03)
- RE: email notification scripts Mike Koponick (Jan 03)