NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Snort IDS> 2000-03

Subject: [snort] New snort tool
From: Andrew R. Baker (andrewbuab.edu)
Date: Mon Mar 06 2000 - 13:35:21 CST

Next message: Martin Roesch: "[snort] Back home...."
Previous message: John Wilson: "Re: [snort] Livelock with "nocase""
Next in thread: Martin Roesch: "Re: [snort] New snort tool"
Reply: Martin Roesch: "Re: [snort] New snort tool"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Attached is a perl script that reads a snort alert file and creates a
sorted html page of the different types of alerts.
Note: this is intended for files created from the "-A fast" option,
if it is desired I can make it read syslog alerts too

#!/usr/bin/perl
#
# Filename: snort-sort
# Author: Andrew R. Baker <andrewbuab.edu>
# Modified: 2000.03.06
# Purpose: this script produces a sorted list of snort alerts
# from a snort alert file
#
# Todo: 1) Allow processing of snort alerts from syslog
# 2) Make html output optional
#
# let me know if you like this and use it -Andrew
#

if($ARGV[0] eq undef)
{
   print STDERR "USAGE: snort-sort <filename>\n";
   exit;
}

open(INFILE,"< $ARGV[0]") || die "Unable to open file $ARGV[0]\n";

print "<html>\n";
print "<head>\n";
print "<title>Sorted Snort Alerts</title>\n";
print "</head>\n";
print "<body>\n";
print "<h1>Sorted Snort Alerts</h1><hr>\n";

while(<INFILE>) {
  chomp();
  # if the line is blank, go to the next one
  if ( $_ eq "" ) { next }
  # is this line an alert message
  unless ( $_ =~ /^\[\*\*\]/ ) {
    print STDERR "Warning, file may be corrupt.\n";
    next
  }
  $a = <INFILE>;
  chomp($a);
  unless ( $a eq "" ) {
    # strip off the [**] from either end.
    s/(\s)*\[\*\*\](\s)*//g;
    push { $alerts{$_} }, $a;
# print "Message: $_\n";
# print "Data : $a\n";
  } else {
    print STDERR "Warning, file may be incomplete\n";
  }
}
close(LOG);

# print out the links to each entry
foreach $key (keys (%alerts)) {
  $anchor = $key;
  $anchor =~ s/ /_/g;
  print "<a href=#$anchor>$key</a><br>\n";
}

foreach $key (keys (%alerts)) {
  $anchor = $key;
  $anchor =~ s/ /_/g;
  print "<hr>\n";
  print "<h3><a name=$anchor>$key</a></h3>\n";
  print "<ul>\n";
  list = {$alerts{$key}};
  $size = list;
  for ( $i = 0 ; $i < $size ; $i++ ) {
    print "<li>$list[$i]</li>\n";
  }
  print "</ul>\n";
}

print "</body></html>\n";

Next message: Martin Roesch: "[snort] Back home...."
Previous message: John Wilson: "Re: [snort] Livelock with "nocase""
Next in thread: Martin Roesch: "Re: [snort] New snort tool"
Reply: Martin Roesch: "Re: [snort] New snort tool"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]