Snort mailing list archives

RE: Re: Snort and Mysql for statistics purposes


From: "Snort" <Snort () InterCept Net>
Date: Mon, 14 Mar 2005 10:04:07 -0500

I finished version 1 of mine a while back... I will go back and add more statistics, but I want to build my correlation 
scripts... here are a couple of snippets from my scripts. Pretty much all you are doing is counting rows and setting the 
order of listing to descending, then limiting it to the top 10... so if you want to get the top 10 SRC IPs your script 
can look similar to this:

select count(*) AS COUNT, ip_src FROM iphdr GROUP BY ip_src ORDER BY COUNT DESC LIMIT 30;

in this case I'm getting the Top 30 SRC IPs. You can script that from the command line and have it output to a nice little 
html page ready for viewing.

mysql -h serverip -D database -H -B -e "select count(*) AS COUNT, ip_src FROM iphdr GROUP BY ip_src ORDER BY COUNT DESC LIMIT 30;"

-B tells mysql to run as a batch job

-e tells it to execute this command

-H tells it to produce HTML output

With the above, here is a line that will get you the Top 30 signatures and output them to an html page:

mysql -h 127.0.0.1 -D IDS -H -B -e "select count(*) AS COUNT, sig_name FROM event LEFT JOIN signature ON event.signature = signature.sig_id GROUP BY event.signature ORDER BY COUNT DESC LIMIT 30;" >> /var/www/html/sig.html

Thanks,

Michael Brown
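Added example, not from this thread: the two top-N queries from the post run against a constructed in-memory SQLite copy of the Snort/ACID tables they touch (signature, event, iphdr), with ip_src decoded from the unsigned integer Snort stores (MySQL's INET_NTOA() does the same on the real database) and the result rendered as an escaped HTML table. The column layout and sample rows are assumptions made for the example.

```python
import html, socket, sqlite3, struct

# Constructed sample data modelled on the Snort/ACID MySQL tables the post queries:
# iphdr.ip_src holds the address as an unsigned 32-bit int, event.signature -> signature.sig_id.
SIGNATURES = [(1, "ICMP PING"), (2, "WEB-MISC /etc/passwd"), (3, "SCAN <nmap> TCP")]
SRC_IPS = ["10.0.0.5", "10.0.0.5", "192.168.1.9", "10.0.0.5", "172.16.3.4", "192.168.1.9", "10.0.0.5"]
SIG_IDS = [1, 1, 1, 2, 2, 3, 1]  # one entry per event, parallel to SRC_IPS

def ip2int(dotted):
    """Dotted quad -> unsigned int, the form Snort writes into iphdr.ip_src."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]

def int2ip(n):
    """Unsigned int -> dotted quad (what INET_NTOA(ip_src) does on the MySQL side)."""
    return socket.inet_ntoa(struct.pack("!I", n))

def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER);
        CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER);""")
    con.executemany("INSERT INTO signature VALUES (?, ?)", SIGNATURES)
    for cid, (ip, sig) in enumerate(zip(SRC_IPS, SIG_IDS), start=1):
        con.execute("INSERT INTO event VALUES (1, ?, ?)", (cid, sig))
        con.execute("INSERT INTO iphdr VALUES (1, ?, ?)", (cid, ip2int(ip)))
    return con

def top_src_ips(con, limit=10):
    # Same shape as the post's query: count per group, sort descending, cut at LIMIT.
    rows = con.execute(
        "SELECT COUNT(*) AS cnt, ip_src FROM iphdr GROUP BY ip_src ORDER BY cnt DESC LIMIT ?",
        (limit,)).fetchall()
    return [(int2ip(ip), cnt) for cnt, ip in rows]

def top_signatures(con, limit=10):
    # Join qualified on both sides so event.signature is not mistaken for the signature table.
    rows = con.execute(
        "SELECT COUNT(*) AS cnt, signature.sig_name FROM event "
        "LEFT JOIN signature ON event.signature = signature.sig_id "
        "GROUP BY event.signature ORDER BY cnt DESC LIMIT ?", (limit,)).fetchall()
    return [(name, cnt) for cnt, name in rows]

def to_html(rows):
    # Escape cell text before writing the page so a rule name containing < or & renders literally.
    body = "".join(f"<tr><td>{html.escape(str(k))}</td><td>{n}</td></tr>" for k, n in rows)
    return f"<table border=1>{body}</table>"
```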





  _____  

From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
Muhammad Omar Khan
Posted At: Wednesday, March 09, 2005 11:20 PM
Posted To: Snort
Conversation: [Snort-users] Re: Snort and Mysql for statistics purposes
Subject: [Snort-users] Re: Snort and Mysql for statistics purposes
  

Hi all,

It's my first query to the group. I intend to make a data analysis interface using PHP and MySQL, and I am stuck at a 
point, i.e. how to fetch the top 10 records, e.g. top 10 source IPs or top 10 destination ports, from the MySQL database. Can 
anyone please help in this regard, any MySQL commands or something...?

Regards

Omar 

> From: sushant () umich edu
> To: David Jiménez Domínguez <djdsecurity () gmail com>
> CC: snort-users () lists sourceforge net, honeypots () securityfocus com, focus-ids () securityfocus com
> Subject: Re: Snort and Mysql for statistics purposes
> Date: Wed, 9 Mar 2005 08:53:46 -0500
>
> I have used PHP with jpgraph to get real time threat graphs. PHP is very easy to
> use with MYSQL and jpgraph is a good graphic tool.
> -Sushant.
>
> Quoting David Jiménez Domínguez <djdsecurity () gmail com>:
>
> > Hi folks!
> >
> > I need to graph all the traffic in my network (Top ports, Top src_ip, Top attacks) each 5 minutes... In the DataServer
> > I have installed Mysql and in the firewall I have installed snort-2.3.0 and I created just 4 rules to get all the
> > tcp, udp, icmp and ip traffic in order to graph it with perl and rrdtool and post it in a web page....
> >
> > Do you think it is the best way to do that??? Have you ever done something like that?? What tools do you recommend me??
> >
> > Regards
> >
> > DJ



