OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[Snort-users] Problem using honeysuckle

From: Maetzky, Steffen (Extern) (Steffen.Maetzkygedas.de)
Date: Mon Jul 19 2004 - 05:24:02 CDT


Hi,

I'm testing honeysuckle to find out how it works because I have no
perl-knowledge.
I have made a nessus scan on localhost to get a .nsr file.
I have moved the print line of honeysuckle.pl into the last if statement
(after $priority++).

If I start honeysuckle with ./honeysuckle.pl .nsr sid-msg.map < log.csv I
get a message like that: no log.csv.

If I create an empty one I can start honeysuckle but after adding some
print-statement for debugging it seems to me that the last function: foreach
my $line (<STDIN>)
Is never entered.

Does anyone know why? Is it because of an empty log.csv?

Thanks in advance,

Steffen

#!/usr/bin/perl
# honeysuckle - Vulnerability Correlation with snort & nessus
#
# Copyright (C) 2002 Brian Caswell <bmcsnort.org>
#
# "Any sufficiently advanced technology is indistinguishable from a simple
perl
# script"
#
# honeysuckle is an implementation of IDS alert & vulnerabity correlation
based
# on snort alerts & nessus scan. We modify our priority in attempt to get
our
# monitor jockies to focus on the really important stuff.
#
# I don't know about you, but when someone is shooting bullets at me, I
# would like to know they are shooting at me, even if they miss.
#
# (If you want to be dumb, err... ignore attacks that "you are not
vulnerable
# to" move the print line to be inside of the last if statement)
#
# This code uses Nessus reports and snort's sig-msg.map to handle mappings
# via CVE maps. We take CSV input of the following format:
# srcip,dstip,priority,event
#

use strict;

if (ARGV ne 2) {print "Usage : $0 output.nsr sid-msg.map < log.csv\n";
exit;}

open(NSR, $ARGV[0]) || die "Ack, your NSR isn't there!\n";
open(SIDMAP, $ARGV[1]) || die "Ack, your sig-msg.map isn't there!\n";

my (%vulnerabilities, %sigs);

foreach my $line (<NSR>) {
   if ($line =~
     /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*\;CVE : (\w{3}-\d{4}-\d+)\;/)
   {
      $vulnerabilities{$1}{$2} = 1;
   }
}

foreach my $line (<SIDMAP>) {
   next if ($line =~ /^\s*\#/);
   my ($sid, $msg, refs) = split (/ \|\| /, $line);
   foreach my $ref (refs) {
      if ($ref =~ /^cve,(.*)$/) {
         $sigs{$msg}{$1} = 1;
         # $sids{$sid}{$1} = 1; # Got sids? try using these...
      }
   }
}

foreach my $line (<STDIN>) {
   chomp($line);
   my ($srcip, $dstip, $priority, $event) = split (/,/, $line);
   if ($sigs{$event}) {
      foreach my $cve (%{$sigs{$event}}) {
         if ($vulnerabilities{$srcip}{$cve} ||
$vulnerabilities{$dstip}{$cve}) {
            $priority++;
            print "$srcip,$dstip,$priority,$event\n";
         }
      }
   }
   #the print statement is originaly placed here
}

-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users