Snort mailing list archives

Re: Alert on new IP in use?


From: James Riden <j.riden () massey ac nz>
Date: 04 Aug 2005 15:21:41 +1200

Jason Benway <benwaynet () gmail com> writes:

> I would like to see your script.

Usage is:

/usr/sbin/p0f -i eth0 -N -q -U -l | perl p0f-day.pl

with p0f version 2. This script is designed to run for a day and then
quit, as that's when my logs roll...

You will need to change "m/^10\.0\./" to match the networks you care
about - this will watch for stuff in 10.0/16.

Any questions, let me know. (I know it sucks, but I'd rather get RNA
than fix this.)

cheers,
 Jamie

== cut here - p0f-day.pl ==
#!/usr/local/bin/perl
use strict;
use warnings;
use Socket;

# Report only hosts in the networks you care about; this watches 10.0/16.
my $watched = qr/^10\.0\./;

# OS guess and hostname for every address reported so far.
my (%oslist, %oslistname);

my $f = time();

while (my $line = <STDIN>)
{
    chomp($line);

    # p0f -l lines start "src_ip:port - OS guess ..."; peel the address off.
    my ($ip, $os) = split(m/ - /, $line);
    next unless defined $os;    # not a fingerprint line

    ($ip, my $port) = split(m/:/, $ip);

    ($ip, my $hop) = split(m/ /, $ip, 2);

    if ($ip =~ $watched) {

        if (!exists $oslist{$ip}) {

            # Reverse lookup; an address with no PTR record is reported as "unknown".
            my $name = gethostbyaddr(inet_aton($ip), AF_INET);
            if (defined $name) {
                $name =~ s/([^\.]+).*/$1/;    # keep only the host part of the FQDN
            } else {
                $name = "unknown";
            }

            $oslist{$ip}     = $os;
            $oslistname{$ip} = $name;
            print STDERR "$name,$ip,$os\r\n";
        }
    }

    # Quit after a day's running (checked as each line arrives).
    my $g = time() - $f;

    if ($g > (24*3600))
    {
        exit(0);
    }
}
== cut here - p0f-day.pl ==
 
-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
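As an added example (not part of the original post and not p0f's own code), the same first-seen check in Python: it assumes p0f's one-line output starts `ip:port - OS`, as the script's splits imply, takes the watched networks as CIDR prefixes instead of a regex, skips lines that do not parse, and also flags an address whose OS fingerprint changes. The sample lines are constructed and the reverse lookup is left out.

```python
import ipaddress
import re

# Assumed p0f -l line shape, as the Perl script's splits imply:
# "<src ip>:<port> - <OS guess> -> <dst ip>:<port>"; the tail is ignored.
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) - (?P<os>.*?)(?: -> .*)?$")

def parse_line(line):
    """Return (ip, port, os) for a p0f line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return None if m is None else (m.group("ip"), int(m.group("port")), m.group("os"))

def in_scope(ip, watched):
    """True if ip falls inside any of the watched CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in watched)

def feed(seen, line, watched):
    """Update seen (ip -> last OS guess); return an alert tuple or None."""
    # First appearance is reported; so is a changed fingerprint, which can
    # mean a different machine now answers on that address.
    parsed = parse_line(line)
    if parsed is None:
        return None  # not a p0f line; skip it rather than die mid-day
    ip, _port, os_name = parsed
    if not in_scope(ip, watched):
        return None
    previous = seen.get(ip)
    seen[ip] = os_name
    if previous is None:
        return ("new", ip, os_name)
    if previous != os_name:
        return ("changed", ip, previous, os_name)
    return None

def alerts_for(text, networks=("10.0.0.0/16",)):
    """Run every line of text through feed() and collect the alerts."""
    watched = [ipaddress.ip_network(n) for n in networks]
    seen = {}
    return [a for a in (feed(seen, ln, watched) for ln in text.splitlines()) if a]

# Constructed sample input, not real p0f output.
SAMPLE = """\
10.0.1.5:43121 - Linux 2.4/2.6 -> 10.0.0.9:22
10.0.1.5:43122 - Linux 2.4/2.6 -> 10.0.0.9:80
192.168.3.7:1025 - Windows XP SP1 -> 10.0.0.9:80
10.0.2.40:2049 - Windows 2000 SP4 -> 10.0.0.9:445
10.0.1.5:43123 - Windows XP SP1 -> 10.0.0.9:80
"""
```

If p0f appends variable detail such as an uptime estimate to the OS field, strip it before comparing or the change alert will fire on every flow.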

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net