Snort mailing list archives
Re: Alert on new IP in use?
From: James Riden <j.riden () massey ac nz>
Date: 04 Aug 2005 15:21:41 +1200
Jason Benway <benwaynet () gmail com> writes:
> I would like to see your script.
Usage is: /usr/sbin/p0f -i eth0 -N -q -U -l | perl p0f-day.pl with p0f version 2. This script is designed to run for a day and then quit, as that's when my logs roll... You will need to change "m/^10\.0\./" to match the networks you care about - this will watch for stuff in 10.0/16. Any questions, let me know. (I know it sucks, but I'd rather get RNA than fix this.)

cheers,
Jamie

== cut here - p0f-day.pl ==
#!/usr/local/bin/perl
# p0f-day.pl - print each in-scope IP the first time p0f reports it, then
# quit after a day. Reads "p0f -l" single-line output on STDIN.
use strict;
use warnings;
use Socket;

my $start = time();
my (%oslist, %oslistname);

while (my $line = <STDIN>) {
    chomp($line);
    # p0f -l prints "<ip>:<port> - <os description> ..."; peel off the OS,
    # then the port, then anything trailing the address after a space.
    my ($ip, $os) = split(m/ - /, $line, 2);
    next unless defined $ip && defined $os;
    my ($port, $hop);
    ($ip, $port) = split(m/:/, $ip);
    ($ip, $hop)  = split(m/ /, $ip, 2);

    # Only hosts in 10.0/16 - change this to match your own networks.
    if ($ip =~ m/^10\.0\./) {
        if (!exists $oslist{$ip}) {
            my $packed = inet_aton($ip);
            my $name = defined $packed ? gethostbyaddr($packed, AF_INET) : undef;
            $name = $ip unless defined $name;   # no reverse DNS: fall back to the address
            $name =~ s/([^\.]+).*/$1/;          # keep the short hostname only
            $oslist{$ip}     = $os;
            $oslistname{$ip} = $name;
            print STDERR "$name,$ip,$os\r\n";
        }
    }
    # Quit after 24 hours so the next log roll starts a fresh run.
    exit(0) if time() - $start > 24 * 3600;
}
== cut here - p0f-day.pl ==

-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
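The same first-seen logic, written here as an added example in Python rather than taken from the post above: it parses p0f single-line output, checks each source address against a list of CIDR networks instead of a regex prefix, records the first OS fingerprint seen per host, and also flags a later line whose OS for a known host differs. The sample lines are constructed to match the "<ip>:<port> - <os> -> <dst>" shape the Perl script splits on and are not captured p0f output; the "(up: N hrs)" uptime field is stripped before comparison so a changing uptime is not reported as an OS change. The one-day exit and reverse DNS lookup are left out.

```python
import ipaddress
import re
import sys

# Constructed sample lines in the format p0f-day.pl expects; not real p0f output.
SAMPLE_LINES = [
    "10.0.12.5:3421 - Windows XP SP1+, 2000 SP3 -> 10.0.0.80:80 (distance 0, link: ethernet/modem)",
    "10.0.12.5:3422 - Windows XP SP1+, 2000 SP3 -> 10.0.0.80:80 (distance 0, link: ethernet/modem)",
    "192.168.7.9:40112 - Linux 2.6 (up: 3 hrs) -> 10.0.0.25:22 (distance 2, link: ethernet/modem)",
    "10.0.200.17:1029 - Linux 2.4/2.6 (up: 11 hrs) -> 10.0.0.80:443 (distance 0, link: ethernet/modem)",
    "10.0.200.17:1030 - Linux 2.4/2.6 (up: 12 hrs) -> 10.0.0.80:443 (distance 0, link: ethernet/modem)",
    "10.0.12.5:3500 - Linux 2.6 (up: 0 hrs) -> 10.0.0.80:80 (distance 0, link: ethernet/modem)",
    "garbage line without separator",
]

# "<ip>:<port> - <os ...>" with an optional " -> <destination ...>" tail.
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) - (?P<os>.*?)(?: -> .*)?$"
)
UPTIME_RE = re.compile(r"\s*\(up: [^)]*\)")


def parse_line(line):
    """Return (ip, port, os) for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    # Uptime varies per connection and must not count as a fingerprint change.
    os_name = UPTIME_RE.sub("", m.group("os")).strip()
    return ip, int(m.group("port")), os_name


class FirstSeenTracker:
    def __init__(self, networks):
        self.networks = [ipaddress.ip_network(n) for n in networks]
        self.seen = {}      # ip -> OS fingerprint recorded on first sight
        self.events = []    # (kind, ip, detail) tuples, in order

    def in_scope(self, ip):
        return any(ip in net for net in self.networks)

    def feed(self, line):
        """Process one line; return the event it produced, if any."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ip, _port, os_name = parsed
        if not self.in_scope(ip):
            return None
        if ip not in self.seen:
            self.seen[ip] = os_name
            event = ("new-host", str(ip), os_name)
        elif self.seen[ip] != os_name:
            event = ("os-changed", str(ip), f"{self.seen[ip]} -> {os_name}")
        else:
            return None
        self.events.append(event)
        return event


def run(lines, networks=("10.0.0.0/16",)):
    """Feed every line through a tracker watching `networks`; return all events."""
    tracker = FirstSeenTracker(networks)
    for line in lines:
        tracker.feed(line)
    return tracker.events


if __name__ == "__main__":
    # Pipe "p0f -l" output into this script, or run it alone to see the sample.
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for kind, ip, detail in run(source):
        print(f"{kind},{ip},{detail}", file=sys.stderr)
```

Run it with no input to see the sample events, or pipe p0f's output in the way the Perl script is invoked above. Matching on ipaddress networks rather than a string prefix lets the watch list carry several ranges and avoids surprises when a prefix regex is edited to cover a different mask.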
Current thread:
- Alert on new IP in use? Rich Adamson (Aug 01)
- Re: Alert on new IP in use? Matt Kettler (Aug 01)
- Re: Alert on new IP in use? Rich Adamson (Aug 01)
- Re: Alert on new IP in use? Matt Kettler (Aug 01)
- Re: Alert on new IP in use? Rich Adamson (Aug 01)
- Re: Alert on new IP in use? James Riden (Aug 01)
- Re: Alert on new IP in use? Jason Benway (Aug 03)
- Re: Alert on new IP in use? James Riden (Aug 03)
- Re: Alert on new IP in use? Jason Benway (Aug 09)
- Re: Alert on new IP in use? Jason Benway (Aug 03)
- Re: Alert on new IP in use? Matt Kettler (Aug 01)
- Re: Alert on new IP in use? Jeff Coppock (Aug 02)
- <Possible follow-ups>
- RE: Alert on new IP in use? Williams Jon (Aug 01)
- Re: Alert on new IP in use? Daniel Cid (Aug 01)
- Re: Alert on new IP in use? Donofrio, Lewis (Aug 04)