[Binary dump of the CEREBUS-LITE executable; only the embedded usage banner and UI strings are recoverable.]

CEREBUS-1.3L - dragos ruiu
C E R E B U S - L I T E
Full screen text based unified alert file browser and correlator (1.3 Lite Demo Version: Unlicensed)
(c) 2002 by Dragos Ruiu (dr@dursec.com)
Shareware Licence: Distribution in unmodified form permitted. Download at http://dragos.com/cerebus/
Free for Individual Non-Commercial Use. Free for 14 day commercial trial. Contact for licensing and download instructions for full version.

Instructions: cerebus [/path/to/sid-msg.map] [outfile]
(defaults: ./sid-msg.map and ./cerebus.out)
Use a wide terminal window to see all the fields.
Make sure that your snort.conf file has enabled the unified alert output via:
output alert_unified: snort.alert.filename
If you do not have a map file the following script will generate one:
cat *rules | grep "msg:" | sed -e 's/^.*msg:\"//,s/\"\;"sid:/%/,s/\;".*$/ || /' | awk -F'%' '{ print $2 $1 }' > sid-msg.map
Browse and filter the alerts with CEREBUS. Note that sort requests are cumulative and remove adjacent alert records work from the cursor down.

Alert list columns: Count, Timestamp, Source IP : Port, Dest. IP : Port, Alert Event, SID, Prio, Classification
Alert detail fields: Event Generator, Event Signature ID, Event Signature Revision, Event Classification, Event Priority, Event ID, Event Reference, Event Reference Time, Alert Timestamp, Source IP, Destination IP, Source Port, Destination Port, Protocol, Flags
Classification labels: Not Suspicious, Unknown, Maybe Bad?, Att. InfoLeak, InfoLeak, Big InfoLeak, Att. DoS, DoS, Att. User PrivGain, Fail User PrivGain, User PrivGain, Att. Admin PrivGain, Admin PrivGain

Functions: (C)ollapse (E)xpand (S)ort (D)el (R)emove (M)erge (W)rite (Q)uit
Sort: (T)ime (S)ource (D)est. (A)lert (P)rio. (C)lass (E)vent
Sort Source / Destination: (I)p (P)ort
Remove adjacent: (S)ource (D)estination (A)lert; Remove adjacent Source / Destination: (I)p (P)ort
Collapse: (S)ource (D)estination (A)lert (P)riority (C)lass; Collapse Source / Destination: (I)p (P)ort
Write Feature Disabled in CEREBUS-LITE
Note: a Snort 1.x log file is not an alert file and cannot be parsed in the Lite version.