Snort mailing list archives
RE: Perl script that Generates Snort Raw Events
From: "Kamal Ahmed" <Kamal.Ahmed () esecurity net>
Date: Sat, 25 Sep 2004 12:02:13 -0400
-----Original Message-----
From: Kamal Ahmed
Sent: Fri 9/24/2004 11:26 AM
To: 'snort-users () lists sourceforge net'
Subject: Perl script that Generates Snort Raw Events
Hi,
I would like to know if there is a Perl script that Generates Snort Raw Events, e.g.:
Full Format:
07/16/-2-08:06:26.464649 [**] [1:716:5] TELNET access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.16.112.50:23 -> 135.13.216.191:1026
07/16/-2-08:23:39.630057 [**] [1:716:5] TELNET access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.16.112.50:23 -> 135.13.216.191:1588
07/16/-2-08:34:18.399673 [**] [117:1:1] (spp_portscan2) Portscan detected from 195.73.151.50: 6 targets 6 ports in 19 seconds [**] {TCP} 195.73.151.50:2111 -> 172.16.113.105:25
Fast Format:
06/01/-2-08:04:50.992467 [**] [117:1:1] (spp_portscan2) Portscan detected from 172.16.114.148: 1 targets 21 ports in 14 seconds [**] {TCP} 172.16.114.148:20 -> 194.7.248.153:1812
06/01/-2-08:05:07.895030 [**] [1:716:5] TELNET access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.16.112.50:23 -> 135.8.60.182:1941
06/01/-2-08:06:48.768633 [**] [117:1:1] (spp_portscan2) Portscan detected from 197.218.177.69: 1 targets 21 ports in 12 seconds [**] {TCP} 197.218.177.69:20 -> 172.16.113.204:1306
06/01/-2-08:07:13.845382 [**] [1:716:5] TELNET access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.16.112.50:23 -> 135.8.60.182:2064
06/01/-2-08:16:27.920109 [**] [117:1:1] (spp_portscan2) Portscan detected from 135.8.60.182: 6 targets 6 ports in 5 seconds [**] {TCP} 135.8.60.182:2120 -> 172.16.114.168:25
06/01/-2-08:21:44.335582 [**] [117:1:1] (spp_portscan2) Portscan detected from 135.13.216.191: 6 targets 7 ports in 6 seconds [**] {TCP} 135.13.216.191:2186 -> 172.16.114.169:25
As well as Syslog Format (I do not have any example)
I would appreciate any info/help.
Thanks,
-Kamal.
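
One way to produce test data in the one-line alert layout of the samples above, as an added example that is not part of the original message and not a Snort tool: a Perl generator for the two alert shapes shown (rule alert and spp_portscan2), with a parser regex that checks each emitted line. The helper names, the RFC 5737 addresses and all counts are constructed, and the timestamp is assumed to be Snort's default MM/DD-HH:MM:SS.usec form without a year.

```perl
#!/usr/bin/perl
# Added example: synthetic Snort one-line alerts for exercising a log parser.
# Addresses (RFC 5737 ranges), ports and counts are constructed test values.
use strict;
use warnings;
use POSIX qw(strftime);

# Assumption: Snort's default stamp, MM/DD-HH:MM:SS.uuuuuu, with no year field.
sub ts {
    my ($epoch, $usec) = @_;
    return strftime('%m/%d-%H:%M:%S', localtime $epoch) . sprintf('.%06d', $usec);
}

# Rule alert, shaped like the "TELNET access" lines in the message.
sub rule_alert {
    my (%a) = @_;
    return sprintf '%s [**] [%d:%d:%d] %s [**] [Classification: %s] [Priority: %d] {%s} %s:%d -> %s:%d',
        ts(@a{qw(epoch usec)}),
        @a{qw(gid sid rev msg class prio proto src sport dst dport)};
}

# Preprocessor alert, shaped like the spp_portscan2 lines in the message.
sub portscan_alert {
    my (%a) = @_;
    return sprintf '%s [**] [117:1:1] (spp_portscan2) Portscan detected from %s: '
        . '%d targets %d ports in %d seconds [**] {TCP} %s:%d -> %s:%d',
        ts(@a{qw(epoch usec)}),
        @a{qw(src targets ports secs src sport dst dport)};
}

# Parser for both shapes; the classification/priority group is optional.
my $FAST = qr!^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6}) \[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\] (?:\[Classification: ([^\]]+)\] \[Priority: (\d+)\] )?\{(\w+)\} (\S+):(\d+) -> (\S+):(\d+)\z!;

my $t = time;
for my $i (1 .. 6) {
    $t += 1 + int rand 600;    # keep timestamps increasing
    my %common = (epoch => $t, usec => int rand 1_000_000);
    my $line = $i % 2
        ? rule_alert(%common, gid => 1, sid => 716, rev => 5, msg => 'TELNET access',
              class => 'Not Suspicious Traffic', prio => 3, proto => 'TCP',
              src => '192.0.2.50', sport => 23,
              dst => '198.51.100.7', dport => 1024 + int rand 1000)
        : portscan_alert(%common, src => '203.0.113.9', sport => 1024 + int rand 1000,
              dst => '192.0.2.105', dport => 25,
              targets => 1 + int rand 6, ports => 1 + int rand 21, secs => 1 + int rand 20);
    # Round-trip check: anything emitted must parse back as a one-line alert.
    die "generated line does not parse: $line\n" unless $line =~ $FAST;
    print "$line\n";
}
```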