###
###	the Snort NIDS and its messages
### $Id: snort.txt,v 1.1 2002/03/09 18:26:23 emf Exp $
###

# Rule layout used in this file (logsurfer):
#   'match_regex' not_match stop_regex not_stop timeout [CONTINUE] action
# A "-" leaves that regex slot empty; the fourth field is the rule timeout.
# Inside an action, $2..$9 are the parenthesised groups of match_regex
# ($1 is the whole match), so the group numbering of each regex is what the
# open/report/pipe lines below rely on.  Rules are tried in file order and
# the first match ends processing of the line unless the rule says CONTINUE,
# so the specific alert rules must stay above the generic {TCP}/{UDP} ones.

# startup
# Startup noise: the pcap device lookup warning and the "running" banner
# carry no security signal, so they are dropped.
'.* snort: WARNING: OpenPcap\(\) device (.*) network lookup:.*' - - - 0 ignore
'.* snort: Snort initialization completed successfully, Snort running' - - - 0 ignore

# runtime
# Port scans: open a context named after the scanning host so that every
# further line mentioning it is collected, and mail root a report when the
# context closes.  "open" arguments: context name, no not-match regex,
# 10000 lines, 10800 s absolute timeout, 3600 s inactivity timeout; the
# report line is the action run when the context closes.
# In the first rule $2 is the sensor hostname and $3 the scanning host;
# the "to port" variant shifts the scanning host to $4.
# NOTE(review): the scanning host is captured with a greedy "(.*)" and then
# spliced into the surfmailer command line by report; a tighter pattern such
# as "([0-9.]+)" would keep anything that is not an address out of that
# command line — confirm against the real snort log format before changing.
'^.{15,} (.*) snort: spp_portscan: PORTSCAN DETECTED from (.*) \(.*' - - - 0 
        open "$3" - 10000 10800 3600 
        report "/usr/local/bin/surfmailer -r root -S \"security incident from $3\"" "$3"

'^.{15,} (.*) snort: spp_portscan: PORTSCAN DETECTED to port (.*) from (.*) \(.*' - - - 0 
        open "$4" - 10000 10800 3600 
        report "/usr/local/bin/surfmailer -r root -S \"security incident from $4\"" "$4"

# Per-connection portscan lines: $2/$3 are source address/port, $4/$5
# destination address/port.  Only the source opens a context.
' portscan:.{15,} (.*):(.*) -> (.*):(.*) .*' - - - 0 
        open "$2" - 10000 10800 3600 
        report "/usr/local/bin/surfmailer -r root -S \"security incident from $2\"" "$2"

#
#	These lines add nothing once a context for the scanning host is open:
#	the context collects them, so the rules themselves just ignore them.
'.* snort: spp_portscan: portscan status from .*' - - - 0 ignore
'.* snort: spp_portscan: End of portscan from (.*): TOTAL.*' - - - 0 ignore
'.* snort: spp_anomsensor: Threshold adjusted' - - - 0 ignore

# shutdown
# Snort stopping on a signal is mailed immediately ($2 sensor host, $3 signal
# number): the sensor is blind until it is restarted, so this is worth a page
# on its own rather than a context.
'^.{15,} (.*) snort: Snort received signal (.*), exiting' - - - 0 
	pipe "/usr/local/bin/surfmailer -r root -S \"snort got signal $3 on $2\""

# alerts
# "id check returned root": the packet carried a root id (presumably the
# reply to an "id" command), so the packet source $2 is the likely victim
# and the destination $3 the party that received it; hence the wording.
# CONTINUE lets the same line fall through to the generic {TCP} rule below,
# which opens the usual context for the source.
'INFO id check returned root \{TCP\} (.*):.* -> (.*):.*' - - - 0 CONTINUE
	pipe "/usr/local/bin/surfmailer -r root-pager -S \"Uh-oh. $3 maybe just owned $2.\""

# Code Red probes get a longer context (86400 s both limits, i.e. a day) so
# repeated attempts from one source are summarised once.  Must precede the
# generic {TCP} rule, which would otherwise swallow the line first.
'CodeRed .* \{TCP\} (.*):.* ->' - - - 0
  open "$2" - 10000 86400 86400
  report "/usr/local/bin/surfmailer -r root -S \"security incident from $2 \(code red attempt\)\"" "$2"

# Catch-all for every remaining TCP/UDP alert: one context per source
# address (10800 s absolute, 1800 s inactivity) and one mail when it closes.
# NOTE(review): as with the portscan rules, $2 is a greedy "(.*)" capture
# that ends up on the surfmailer command line; see the note above.
'\{TCP\} (.*):.* ->' - - - 0
  open "$2" - 10000 10800 1800
  report "/usr/local/bin/surfmailer -r root -S \"security incident from $2\"" "$2"

'\{UDP\} (.*):.* ->' - - - 0
  open "$2" - 10000 10800 1800
  report "/usr/local/bin/surfmailer -r root -S \"security incident from $2\"" "$2"



