Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/mrtc0/snorttools

Snort Utility Tools
https://github.com/mrtc0/snorttools

Last synced: 2 months ago
JSON representation

Snort Utility Tools

Awesome Lists containing this project

README 

        
# SnortTools



Snort Utility Tools



---

## u2reader.py



Snort and Suricata unified2 log file reader.



```

usage: u2reader.py [-h] [-g GEN_MAP] [-s SID_MAP] [-c CLASSFICATION]

                   [-p PRIORITY] [-v]

                   logfile



Snort Unified2 Log Parser



positional arguments:

  logfile



optional arguments:

  -h, --help            show this help message and exit

  -g GEN_MAP, --gen-map GEN_MAP

                        Snort gen-msg.map file. Default ./gen-msg.map

  -s SID_MAP, --sid-map SID_MAP

                        Snort sid-msg.map file. Default ./sid-map.map

  -c CLASSFICATION, --classfication CLASSFICATION

                        Snort classification.config file. Default ./classification.config

  -p PRIORITY, --priority PRIORITY

                        Priority

  -v, --verbose         Verbose mode



```



出力フォーマットは以下のようになっています.  

-vオプションを使用しない場合

```

Event ID        Event Time      Source IP:Source Port => Destination IP:Destination Port        Protocol        Priority

```



-vオプションを使用した場合

```

Event ID        Event Time      Source IP:Source Port => Destination IP:Destination Port        Protocol        Priority

Siganature Message      Signature Class Signature Reference(URL)

Classification Name     Description     %s

```



#### Example



```

$ ./u2reader.py -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -c /etc/snort/classification.config samples/snort.unified2

...

10      2015-11-27 18:13:37     192.168.3.35:1034 => 195.2.253.92:80    TCP     1

11      2015-11-27 18:13:37     192.168.3.35:1035 => 66.96.224.213:80   TCP     1

12      2015-11-27 18:13:38     192.168.3.35:1036 => 195.2.253.92:80    TCP     1

13      2015-11-27 18:13:38     192.168.3.35:1036 => 195.2.253.92:80    TCP     1

14      2015-11-27 18:13:38     192.168.3.35:1036 => 195.2.253.92:80    TCP     1

15      2015-11-27 18:13:38     192.168.3.35:1037 => 195.2.253.92:80    TCP     1

16      2015-11-27 18:13:39     192.168.1.101:1037 => 65.32.5.111:53    UDP     3

17      2015-11-27 18:13:43     192.168.10.127:1196 => 192.168.10.101:445       TCP     3

18      2015-11-27 18:13:43     192.168.10.127:1196 => 192.168.10.101:445       TCP     3

19      2015-11-27 18:13:44     192.168.10.128:1495 => 192.168.10.101:445       TCP     3

20      2015-11-27 18:13:44     192.168.10.128:1495 => 192.168.10.101:445       TCP     3

21      2015-11-27 18:13:44     192.168.10.128:1505 => 64.127.109.133:80        TCP     1

22      2015-11-27 18:13:44     192.168.10.128:36012 => 72.20.34.145:6881       UDP     1

23      2015-11-27 18:13:44     192.168.10.128:1536 => 192.168.10.101:445       TCP     3

24      2015-11-27 18:13:44     192.168.10.128:1536 => 192.168.10.101:445       TCP     3

25      2015-11-27 18:13:44     192.168.10.128:1547 => 192.168.10.101:445       TCP     3

...

```



priorityが3より大きいalertを表示するには次のようにします.



```

$ python u2reader.py -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -c /etc/snort/classification.config -p 3 -v samples/snort.unified2

...

28      2015-11-27 18:13:45     192.168.10.126:1158 => 192.168.10.101:445       TCP     3

        GPL NETBIOS SMB-DS IPC$ unicode share access    None    []

        tcp-connection  A TCP connection was detected

39      2015-11-27 18:13:47     192.168.10.129:1104 => 192.168.10.101:445       TCP     3

        GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt  None    ['url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx', 'nessus,12065', 'nessus,12052', 'cve,200

3-0818', 'bugtraq,9635', 'bugtraq,9633']

        tcp-connection  A TCP connection was detected

40      2015-11-27 18:13:47     192.168.10.129:1104 => 192.168.10.101:445       TCP     3

        GPL NETBIOS SMB-DS IPC$ unicode share access    None    []

        tcp-connection  A TCP connection was detected

50      2015-11-27 18:13:49     192.168.10.120:63324 => 192.168.10.102:139      TCP     3

        GPL NETBIOS SMB IPC$ unicode share access       None    []

        tcp-connection  A TCP connection was detected

51      2015-11-27 18:13:49     192.168.10.120:63378 => 192.168.10.102:139      TCP     3

        GPL NETBIOS SMB IPC$ unicode share access       None    []

        tcp-connection  A TCP connection was detected

52      2015-11-27 18:13:49     192.168.10.125:1359 => 192.168.10.101:445       TCP     3

        GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt  None    ['url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx', 'nessus,12065', 'nessus,12052', 'cve,200

3-0818', 'bugtraq,9635', 'bugtraq,9633']

        tcp-connection  A TCP connection was detected

53      2015-11-27 18:13:49     192.168.10.125:1359 => 192.168.10.101:445       TCP     3

        GPL NETBIOS SMB-DS IPC$ unicode share access    None    []

        tcp-connection  A TCP connection was detected

54      2015-11-27 18:13:49     192.168.10.127:1209 => 192.168.10.101:445       TCP     3

        GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt  None    ['url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx', 'nessus,12065', 'nessus,12052', 'cve,200

3-0818', 'bugtraq,9635', 'bugtraq,9633']

        tcp-connection  A TCP connection was detected

...

```



---



## Todo



めっちゃある