def get_alerts():
    """Return Snort alerts carrying the 'WEB-PHP remote include path' signature.

    Opens a fresh snortdb.sdb() handle, narrows it with
    setwhere(range='day', span=7) (presumably the last seven days; the exact
    window semantics live in snortdb) and returns whatever find() yields for
    that signature. Any row limit is the handle's default.
    """
    db = snortdb.sdb()
    db.setwhere(range='day', span=7)
    return db.find(sig='WEB-PHP remote include path')
def get_alerts():
    """Fetch the 'WEB-PHP remote include path' alerts from the Snort database.

    A new snortdb.sdb() handle is scoped with setwhere(range='day', span=7)
    -- presumably a seven-day window, semantics defined in snortdb -- and the
    result of find() for that signature is returned unchanged. No explicit
    row limit is set, so the handle's default applies.
    """
    handle = snortdb.sdb()
    handle.setwhere(range='day', span=7)
    matches = handle.find(sig='WEB-PHP remote include path')
    return matches
def get_records(self):
    """Collect one hour of Snort records for every rule this object knows about.

    Reads the rule list via self.read_rules() first, then opens a single
    snortdb.sdb() handle scoped with setwhere(range='hour', span=1) and with
    limit set to None (intended to lift the default row cap so a busy hour is
    not truncated; exact semantics are in snortdb). The records returned by
    self.get_records_for_rule() for each rule are concatenated in rule order.
    """
    rules = self.read_rules()
    db = snortdb.sdb()
    db.setwhere(range='hour', span=1)
    db.limit = None
    return [
        rec
        for rule in rules
        for rec in self.get_records_for_rule(db, rule)
    ]
def get_records(self):
    """Return the last hour's Snort records matching each configured rule.

    The rules come from self.read_rules(); one snortdb.sdb() handle is opened
    with a one-hour window (setwhere(range='hour', span=1)) and limit=None,
    which is presumably how snortdb disables its row cap. The per-rule
    results of self.get_records_for_rule() are flattened into one list,
    preserving rule order.
    """
    rule_list = self.read_rules()
    handle = snortdb.sdb()
    handle.setwhere(range='hour', span=1)
    # No row cap: an hour of a noisy sensor can exceed the default limit.
    handle.limit = None
    collected = []
    for rule in rule_list:
        collected += self.get_records_for_rule(handle, rule)
    return collected
def findirc():
    """Yield distinct IRC channel JOINs found in captured payloads.

    Queries snortdb for records whose payload contains 'JOIN #' (default
    time window and row limit, since setwhere()/setlimit() get no arguments)
    and yields one (ip_src, ip_dst, dport, join_line) tuple per unique
    combination. Lines that carry a ':' together with '!' and '@' are
    skipped -- these look like server-echoed JOINs with a nick!user@host
    prefix rather than the client's own command. The payload is captured
    network data and therefore attacker-controlled; the yielded line is
    returned as-is, so callers should treat it as untrusted text.
    """
    db = snortdb.sdb()
    db.setwhere()
    db.setlimit()
    emitted = set()
    for rec in db.find(data='JOIN #'):
        joins = [
            ln for ln in rec['data'].splitlines()
            if 'JOIN' in ln and '#' in ln
        ]
        if not joins:
            # Matched on substring search but no single line holds both tokens.
            continue
        line = joins[0]
        if ':' in line and '!' in line and '@' in line:
            continue
        key = (rec['ip_src'], rec['ip_dst'], rec['dport'], line)
        if key in emitted:
            continue
        emitted.add(key)
        yield key
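#!/usr/bin/env python
"""Probe hosts that Snort flagged with a TUNNEL signature for open proxies.

Each candidate (ip_dst, dport) pair is handed to the external ``pxytest``
tool under a 10 second ``timeout`` and the tool's output is reported.
"""
import commands
import re
import subprocess

from snort import snortdb

# Module-level query handle shared by getproxyips(). setwhere()/setlimit()
# are called without arguments, so the handle's default window and row limit
# apply (defined in snortdb, not visible here).
s = snortdb.sdb()
s.setwhere()
s.setlimit()

# Characters allowed in a host value before it is passed to pxytest: dotted
# IPv4, IPv6, or a bare integer (the form in which the Snort schema may store
# ip_dst). ip_dst/dport originate from captured traffic and are therefore
# attacker-influenced -- they must never be interpolated into a shell string.
_HOST_RE = re.compile(r'^[0-9A-Fa-f.:]+$')


def getproxyips():
    """Yield each distinct (ip, port) pair seen as ip_dst/dport on TUNNEL alerts.

    ip is str(ip_dst) exactly as the database returns it; port is dport
    unchanged. Duplicates are suppressed in first-seen order.
    """
    seen = {}
    for x in s.find(sig='TUNNEL'):
        ip = str(x['ip_dst'])
        port = x['dport']
        tup = (ip, port)
        if tup in seen:
            continue
        seen[tup] = 1
        yield tup


def _run_pxytest(ip, port):
    """Run ``timeout 10 pxytest IP PORT`` and return its combined output.

    Mirrors what commands.getoutput() used to give back: stderr is merged
    into stdout and one trailing newline is removed. The command is passed as
    an argv list (no shell), so ip/port cannot smuggle extra commands in.
    Raises OSError if ``timeout`` cannot be executed.
    """
    proc = subprocess.Popen(
        ['timeout', '10', 'pxytest', ip, str(port)],
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
        universal_newlines=True,  # str output on both Python 2 and 3
    )
    out = proc.communicate()[0]
    if out.endswith('\n'):
        out = out[:-1]
    return out


def findproxies():
    """Yield (ip, pxytest output) for every candidate from getproxyips().

    Candidates whose host does not match _HOST_RE or whose port is not an
    integer are skipped: they cannot be a valid probe target, and rejecting
    them keeps unexpected database content away from the external tool.
    """
    for ip, port in getproxyips():
        if not _HOST_RE.match(ip):
            continue
        try:
            port = int(port)
        except (TypeError, ValueError):
            continue
        yield ip, _run_pxytest(ip, port)


def show():
    """Print each probed host followed by the pxytest output for it."""
    for ip, out in findproxies():
        print(ip)
        print(out)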
def setup(self):
    """Create the Snort DB handle used by this test class and raise its row limit.

    Looks like a test-framework ``setup`` hook (nose/pytest style) -- confirm
    against the enclosing class. The import is function-scoped, possibly so
    that merely importing this module does not require the snort package.
    """
    from snort import snortdb
    self.sdb = snortdb.sdb()
    # 100000 is a generous cap for the test queries; setlimit()'s exact
    # semantics are defined in snortdb and not visible here.
    self.sdb.setlimit(100000)
def test_init(self):
    """Smoke test: constructing snortdb.sdb() must not raise.

    The handle is kept on self.s; nothing else is asserted here.
    """
    self.s = snortdb.sdb()
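#!/usr/bin/env python
"""Check hosts behind Snort TUNNEL alerts for open proxies with ``pxytest``.

For every distinct (ip_dst, dport) pair on a TUNNEL alert the external
``pxytest`` tool is run under ``timeout 10`` and its output is printed.
"""
import commands
import re
import subprocess

from snort import snortdb

# Shared query handle for getproxyips(). With no arguments, setwhere() and
# setlimit() leave the snortdb defaults in force (not visible from here).
s = snortdb.sdb()
s.setwhere()
s.setlimit()

# Allowed characters for a host before it reaches pxytest: dotted IPv4, IPv6
# or a bare integer (how the Snort schema may store ip_dst). These values are
# taken from captured traffic, i.e. attacker-influenced, so they are never
# built into a shell command line.
_HOST_RE = re.compile(r'^[0-9A-Fa-f.:]+$')


def getproxyips():
    """Yield each distinct (str(ip_dst), dport) pair from TUNNEL alerts.

    Values are passed through unchanged; duplicates are dropped in
    first-seen order.
    """
    seen = {}
    for x in s.find(sig='TUNNEL'):
        ip = str(x['ip_dst'])
        port = x['dport']
        tup = (ip, port)
        if tup in seen:
            continue
        seen[tup] = 1
        yield tup


def _run_pxytest(ip, port):
    """Run ``timeout 10 pxytest IP PORT`` without a shell and return its output.

    Keeps the commands.getoutput() contract the caller relied on: stderr is
    merged into stdout and a single trailing newline is stripped. Because the
    command is an argv list, ip/port are plain arguments and cannot inject
    further shell commands. Raises OSError if ``timeout`` is not executable.
    """
    proc = subprocess.Popen(
        ['timeout', '10', 'pxytest', ip, str(port)],
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
        universal_newlines=True,  # str output under both Python 2 and 3
    )
    out = proc.communicate()[0]
    if out.endswith('\n'):
        out = out[:-1]
    return out


def findproxies():
    """Yield (ip, pxytest output) for each candidate from getproxyips().

    A candidate is skipped when its host fails _HOST_RE or its port is not
    an integer -- such a value is not a usable probe target and should not
    be forwarded to the external tool at all.
    """
    for ip, port in getproxyips():
        if not _HOST_RE.match(ip):
            continue
        try:
            port = int(port)
        except (TypeError, ValueError):
            continue
        yield ip, _run_pxytest(ip, port)


def show():
    """Print each probed host and, on the following lines, its pxytest output."""
    for ip, out in findproxies():
        print(ip)
        print(out)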