Snort mailing list archives
Re: portscsan.log summary.
From: Phil Wood <cpw () lanl gov>
Date: Sat, 1 Jun 2002 01:45:46 -0600
On Sat, Jun 01, 2002 at 12:23:28PM +1000, Chris Keladis wrote:
Afternoon folks, I was wondering if anyone has something to crunch a portscan.log file and produce statistics of portscanning activity?
Attached is a perl script to turn the log into something I can deal with.
Then, a simple awk script to extract a few fields for summarization.
It goes like this. First a little help:
A little help.
% scan-msgs -h
Usage: /data/pw/bin/scan-msgs [
-M extract Month and day
-T extract Time
-S extract Source Address
-s extract Source Port
-D extract Destination Address
-d extract Destination Port
-X extract Type
-t <t> set the character to use to separate the data on output
file(s)]
Default behavior is to NOT print anything!
%
% scan-msgs -SsdX -t, < /tmp/scan > /tmp/scan.csv
% wc -l /tmp/scan.csv
720326 /tmp/scan.csv
The hostis with the mostis.
% awk -F, '{print $1","$3","$4}' < /tmp/scan.csv | \
uniq -c | sort -rn > /tmp/freq
% wc -l /tmp/freq
332 /tmp/freq
% head /tmp/freq
183117 66.27.122.247,1433,SYN ******S*
170329 61.140.188.183,1433,SYN ******S*
75244 64.227.176.144,21,SYN ******S*
65073 213.73.130.198,21,SYN ******S*
62497 149.169.200.13,6112,SYN ******S*
53597 62.62.191.76,21,SYN ******S*
48620 200.180.209.154,22,SYN ******S*
30857 202.178.185.119,515,SYN ******S*
9776 148.235.37.135,515,SYN ******S*
2090 66.75.219.99,27374,SYN ******S*
%
I don't get an alerts file because all my events go into a MySQL database, so I am only interested in something to crunch portscan.log. HTML output would be nice if possible. Just reaching out to see if there is something written already, otherwise I have a few ideas I'll follow up with. Thanks, Chris.
-- Phil Wood, cpw () lanl gov
Attachment: scan-msgs
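The attached scan-msgs script is not reproduced in the archive, so here is an added example (my own, not Phil's perl or Chris's code) of the same two stages in plain POSIX shell and awk: parse portscan.log lines into CSV, then rank (source, destination port, scan type) triples by count. It assumes the classic spp_portscan line layout "Mon DD HH:MM:SS src:sport -> dst:dport TYPE FLAGS"; the sample lines are constructed, not real traffic. It also shows why the counting stage needs a sort before `uniq -c`: `uniq` only merges adjacent identical lines, so two scanners whose entries interleave in the log get split into several partial counts.

```shell
#!/bin/sh
# Constructed sample of Snort spp_portscan log lines (assumed format:
# "Mon DD HH:MM:SS src:sport -> dst:dport TYPE FLAGS"); not real traffic.
SAMPLE='Jun  1 00:00:01 66.27.122.247:3001 -> 10.0.0.5:1433 SYN ******S*
Jun  1 00:00:01 66.27.122.247:3002 -> 10.0.0.6:1433 SYN ******S*
Jun  1 00:00:02 64.227.176.144:4001 -> 10.0.0.5:21 SYN ******S*
Jun  1 00:00:02 66.27.122.247:3003 -> 10.0.0.7:1433 SYN ******S*
Jun  1 00:00:03 64.227.176.144:4002 -> 10.0.0.9:21 SYN ******S*
Jun  1 00:00:04 200.180.209.154:5001 -> 10.0.0.5:22 SYN ******S*
Jun  1 00:00:05 66.27.122.247:3004 -> 10.0.0.8:1433 SYN ******S*'

# Stage 1: portscan.log on stdin -> CSV on stdout with the fields
#   month day,time,src,sport,dst,dport,type flags
# Lines that do not carry the "src:port -> dst:port" shape are skipped.
scan_to_csv() {
    awk '
    NF >= 7 && $5 == "->" {
        split($4, s, ":"); split($6, d, ":")
        type = $7
        if (NF >= 8) type = type " " $8   # TCP scans carry a flag string
        printf "%s %s,%s,%s,%s,%s,%s,%s\n", $1, $2, $3, s[1], s[2], d[1], d[2], type
    }'
}

# Stage 2: count (src,dport,type) triples, highest first.
# The sort before uniq -c merges repeats that are not adjacent in the log.
# Output lines look like: "4 66.27.122.247,1433,SYN ******S*"
summarize_by_source() {
    scan_to_csv \
      | awk -F, '{print $3 "," $6 "," $7}' \
      | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Same pipeline without the leading sort: uniq -c only merges runs of
# identical adjacent lines, so interleaved scanners are undercounted.
summarize_adjacent_only() {
    scan_to_csv \
      | awk -F, '{print $3 "," $6 "," $7}' \
      | uniq -c | sort -rn | sed 's/^ *//'
}

# Usage: feed the constructed sample through both pipelines.
printf '%s\n' "$SAMPLE" | summarize_by_source
printf '%s\n' "$SAMPLE" | summarize_adjacent_only
```

Run it as `sh scan-summary.sh` (or replace the printf with `< /var/log/snort/portscan.log summarize_by_source`). On the sample, the sorted pipeline yields three lines with 66.27.122.247 counted 4 times; the unsorted one yields six lines and reports that host's largest run as 2, which is the undercount to watch for when the log has several scanners active at once.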
Current thread:
- portscsan.log summary. Chris Keladis (May 31)
- Re: portscsan.log summary. Phil Wood (Jun 01)
