[Snort-users] Problem using honeysuckle

From: Maetzky, Steffen (Extern) (Steffen.Maetzkygedas.de)
Date: Mon Jul 19 2004 - 05:24:02 CDT


I'm testing honeysuckle to find out how it works because I have no
I have made a nessus scan on localhost to get a .nsr file.
I have moved the print line of honeysuckle.pl into the last if statement
(after $priority++).

If I start honeysuckle with ./honeysuckle.pl .nsr sid-msg.map < log.csv, I
get a message like: no log.csv.

If I create an empty one I can start honeysuckle, but after adding some
print statements for debugging it seems to me that the last function,
foreach my $line (<STDIN>), is never entered.

Does anyone know why? Is it because of an empty log.csv?

Thanks in advance,


# honeysuckle - Vulnerability Correlation with snort & nessus
# Copyright (C) 2002 Brian Caswell <bmcsnort.org>
# "Any sufficiently advanced technology is indistinguishable from a simple
# script"
# honeysuckle is an implementation of IDS alert & vulnerability correlation
# on snort alerts & nessus scans. We modify our priority in an attempt to get
# monitor jockeys to focus on the really important stuff.
# I don't know about you, but when someone is shooting bullets at me, I
# would like to know they are shooting at me, even if they miss.
# (If you want to be dumb, err... ignore attacks that "you are not
# vulnerable to", move the print line to be inside of the last if statement)
# This code uses Nessus reports and snort's sid-msg.map to handle mappings
# via CVE maps. We take CSV input of the following format:
# srcip,dstip,priority,event

use strict;
use warnings;

if (@ARGV != 2) {
   print "Usage : $0 output.nsr sid-msg.map < log.csv\n";
   exit 1;
}

open(NSR, $ARGV[0]) || die "Ack, your NSR isn't there!\n";
open(SIDMAP, $ARGV[1]) || die "Ack, your sig-msg.map isn't there!\n";

my (%vulnerabilities, %sigs);

# Nessus .nsr lines: host;port;plugin;type;description, with
# "CVE : CVE-YYYY-NNNN;" somewhere in the description. Remember which
# CVEs each host was reported vulnerable to.
foreach my $line (<NSR>) {
   if ($line =~
     /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*\;CVE : (\w{3}-\d{4}-\d+)\;/) {
      $vulnerabilities{$1}{$2} = 1;
   }
}

# sid-msg.map lines: sid || msg || ref || ref ... Map each alert message
# to the CVEs named in its "cve," references.
foreach my $line (<SIDMAP>) {
   next if ($line =~ /^\s*\#/);
   chomp $line;
   my ($sid, $msg, @refs) = split (/ \|\| /, $line);
   foreach my $ref (@refs) {
      if ($ref =~ /^cve,(.*)$/) {
         $sigs{$msg}{$1} = 1;
         # $sids{$sid}{$1} = 1; # Got sids? try using these...
      }
   }
}

# Alerts come from STDIN (the redirected log.csv) as srcip,dstip,priority,event.
# An empty log.csv gives <STDIN> nothing to return, so this loop body never runs.
foreach my $line (<STDIN>) {
   chomp $line;   # without this the trailing newline ends up in $event
   my ($srcip, $dstip, $priority, $event) = split (/,/, $line);
   if ($sigs{$event}) {
      foreach my $cve (keys %{$sigs{$event}}) {
         if ($vulnerabilities{$srcip}{$cve} ||
             $vulnerabilities{$dstip}{$cve}) {
            $priority++;
            print "$srcip,$dstip,$priority,$event\n";
         }
      }
   }
   # the print statement is originally placed here
}
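The correlation honeysuckle's header comment describes (a per-host CVE list from the Nessus report, a per-message CVE list from snort's sid-msg.map, then a priority bump for every alert whose source or destination is actually vulnerable), worked through as an added example. This is not code from the original post or from honeysuckle itself; it is written in Python rather than Perl so it can run against the sample data embedded in it. The .nsr, sid-msg.map and alert lines are constructed for the example, and their field layouts are assumed from the regexes in the script above (description newlines turned into ';' in the .nsr, cve references in the 2002-era map still carrying their CVE-/CAN- prefix). It goes a little beyond the script in two ways: it collects every id in a "CVE : a, b" chunk instead of only the single id the Perl regex captures, and it exposes both print placements discussed in the post as a flag, so the behaviour on empty input and on alerts against non-vulnerable hosts can be compared directly.

```python
import re
import sys

# Constructed Nessus .nsr lines for this example (not a real scan). Layout
# assumed from honeysuckle's regex: host;port;plugin;type;description, where
# the description's newlines have become ';' so "CVE : ..." is its own chunk.
NSR_LINES = [
    "10.0.0.5;http (80/tcp);10001;REPORT;IIS ISAPI .printer overflow;"
    "Risk factor : High;CVE : CVE-2001-0241;",
    "10.0.0.5;ssh (22/tcp);10002;REPORT;OpenSSH channel off-by-one;"
    "Risk factor : High;CVE : CVE-2002-0083;",
    "10.0.0.9;smtp (25/tcp);10003;REPORT;Sendmail header overflow;"
    "Risk factor : High;CVE : CVE-2002-1337, CVE-2003-0161;",
    "10.0.0.9;http (80/tcp);10004;INFO;A web server is running on this port",
]

# Constructed sid-msg.map lines in the 2002-era layout (sid || msg || ref ...),
# where cve references still carry their CVE-/CAN- prefix.
SIDMAP_LINES = [
    "# constructed sid-msg.map for this example",
    "1243 || WEB-IIS ISAPI .ida attempt || arachnids,552 || cve,CVE-2001-0500",
    "1252 || WEB-IIS ISAPI .printer access || cve,CVE-2001-0241 || bugtraq,2674",
    "1256 || WEB-IIS CodeRed v2 root.exe access || url,www.cert.org/advisories/CA-2001-19.html",
    "1327 || EXPLOIT ssh CRC32 overflow || cve,CVE-2001-0144 || bugtraq,2347",
]

# Constructed alerts in honeysuckle's CSV form: srcip,dstip,priority,event.
ALERT_LINES = [
    "192.168.1.20,10.0.0.5,2,WEB-IIS ISAPI .printer access\n",      # dst has CVE-2001-0241
    "192.168.1.20,10.0.0.9,2,WEB-IIS ISAPI .printer access\n",      # dst not vulnerable
    "192.168.1.20,10.0.0.5,3,EXPLOIT ssh CRC32 overflow\n",         # dst has a different ssh CVE
    "192.168.1.20,10.0.0.9,1,WEB-IIS CodeRed v2 root.exe access\n",  # event has no cve reference
]

CVE_ID = re.compile(r"\b(?:CVE|CAN)-\d{4}-\d+\b")


def parse_nsr(lines):
    """host -> set of CVE/CAN ids reported against it.

    Unlike the single-capture regex in honeysuckle.pl, every id inside a
    "CVE : a, b" chunk of the description is collected.
    """
    vulns = {}
    for line in lines:
        host, _, rest = line.rstrip("\n").partition(";")
        if not re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            continue
        for chunk in rest.split(";"):
            if chunk.startswith("CVE : "):
                vulns.setdefault(host, set()).update(CVE_ID.findall(chunk))
    return vulns


def parse_sidmap(lines):
    """snort alert message -> set of CVE/CAN ids from its 'cve,' references."""
    sigs = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(" || ")
        if len(parts) < 2:
            continue
        msg, refs = parts[1], parts[2:]
        for ref in refs:
            if ref.startswith("cve,"):
                sigs.setdefault(msg, set()).add(ref[len("cve,"):])
    return sigs


def correlate(alert_lines, vulns, sigs, only_vulnerable=False):
    """Re-prioritise alert lines; returns the output lines as a list.

    Priority is bumped once per CVE the event maps to that the source or
    destination host is vulnerable to. only_vulnerable=False is the original
    print placement (every alert is emitted, hits with a higher priority);
    True is the print moved into the last if (misses are dropped).
    Empty input, e.g. an empty log.csv on stdin, simply yields no lines.
    """
    out = []
    for line in alert_lines:
        line = line.rstrip("\n")  # a trailing newline left in the event breaks the lookup
        if not line:
            continue
        srcip, dstip, priority, event = line.split(",", 3)
        priority = int(priority)
        hit = False
        for cve in sigs.get(event, ()):
            if cve in vulns.get(srcip, ()) or cve in vulns.get(dstip, ()):
                priority += 1
                hit = True
        if hit or not only_vulnerable:
            out.append(f"{srcip},{dstip},{priority},{event}")
    return out


if __name__ == "__main__":
    # Same calling convention as honeysuckle.pl: script output.nsr sid-msg.map < log.csv;
    # with no arguments the embedded sample data is used instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as nsr, open(sys.argv[2]) as sidmap:
            vulns, sigs = parse_nsr(nsr), parse_sidmap(sidmap)
        alerts = sys.stdin
    else:
        vulns, sigs, alerts = parse_nsr(NSR_LINES), parse_sidmap(SIDMAP_LINES), ALERT_LINES
    for out_line in correlate(alerts, vulns, sigs):
        print(out_line)
```

Run without arguments it prints the four sample alerts, the first one with its priority raised from 2 to 3 because 10.0.0.5 was reported vulnerable to the CVE that ".printer access" maps to; with only_vulnerable=True only that line survives, and an empty alert list produces nothing at all, which is exactly what an empty log.csv redirected to stdin looks like to the Perl script's last loop.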
