#!/usr/bin/perl
#
# $Id$
# $Revision$
#
# snort_stat.pl is a perl script that generates statistical data from a
# daily snort log file.
#
# USAGE: cat <snort_log> | snort_stat.pl
#
# or put it in the root's crontab file:
#59 10 * * * root cat /var/log/authlog | /etc/snort_stat.pl | sendmail root
#
# $Author$
# Yen-Ming Chen, <chenym+@CMU.EDU>
# $Date$
#
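# process whatever comes in
#
# Every input line that looks like a syslog-formatted snort alert,
#
#   <Mon> <day> <hh>:<mm>:<ss> <host> snort: <signature>: <src>[:<sport>] -> <dst>[:<dport>]
#
# is split into its eleven fields and appended to @result; $total counts
# the matching lines.  Lines that do not match are ignored.
#
# NOTE(review): the diamond operator applies Perl's 2-argument "magic"
# open to each element of @ARGV, so an argument ending in a pipe character
# is treated as a command to run rather than a file to read.  The
# documented usage pipes the log in on STDIN; if file arguments are ever
# accepted, prefer <<>> (Perl 5.22+) or explicit 3-argument opens.
while (my $line = <>) {
    next unless $line =~ m{
        \A (\w{3}) \s+ (\d+) \s (\d+) : (\d+) : (\d+) \s (\w+) \s snort: \s
        ([^:|.]+) : \s ([\d.]+) :* (\d*) \s [->]+ \s ([\d.]+) :* (\d*)
    }x;

    # month, day, hour, minute, second, host, sig, saddr, sport, daddr, dport
    my @fields = ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11);

    # The per-field globals are kept for compatibility with the original
    # script; nothing else in this file reads them.
    ($month, $day, $hour, $minute, $second, $host,
     $sig, $saddr, $sport, $daddr, $dport) = @fields;

    # put those data into a big matrix
    push @result, [@fields];
    $total++;
}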
# begin statistics
#
# Walk the parsed rows once and build the five counting hashes the report
# sections read.  Row columns: 6 = signature, 7 = source address,
# 9 = destination address.
for my $row (@result) {
    my ($sig, $saddr, $daddr) = @{$row}[6, 7, 9];

    # same attacker, same victim, same signature: the attack pattern
    # (used in same_attack())
    $s0{"$saddr,$daddr,$sig"}++;

    # same attacker and victim, any signature: how many ways were tried
    # (used in same_host_dest())
    $s1{"$saddr,$daddr"}++;

    # same signature from the same host: attacks launched from one host
    # (used in same_host_sig())
    $s2{"$sig,$saddr"}++;

    # same signature to the same victim: attacks received by one host
    # (used in same_dest_sig_stat())
    $s3{"$sig,$daddr"}++;

    # signature alone: popularity of one attack method
    # (used in attack_distribution())
    $s4{$sig}++;
}
# begin report
#
# Each section writes to the currently selected filehandle, in the order
# the mailed report is meant to be read.
for my $section (
    \&print_head,
    \&print_date,
    \&same_attack,
    \&same_host_dest,
    \&same_host_sig,
    \&same_dest_sig_stat,
    \&attack_distribution,
) {
    $section->();
}
# print the header (e.g. for mail)
#
# Emits a Subject: line followed by the blank line that separates mail
# headers from the body, so the report can be piped straight to sendmail.
sub print_head {
    my $mail_header = "Subject: snort daily report\n\n";
    print $mail_header;
}
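# print the time of begin and end of the log
#
# Uses the first and last rows of the global @result; columns 0..4 of a
# row are month, day, hour, minute and second as captured from the log.
# When @result is empty (no input line matched the alert pattern) the
# original printed two lines of undefined values; that case is now
# reported explicitly.
sub print_date {
    if (!@result) {
        print "The log contains no recognised snort entries.\n";
        return;
    }

    my $stamp = sub {
        my ($row) = @_;
        my ($mon, $day, $hour, $min, $sec) = @{$row}[0 .. 4];
        return "$mon $day $hour:$min:$sec";
    };

    print "The log begins from: ", $stamp->($result[0]), "\n";
    print "The log ends at: ", $stamp->($result[-1]), "\n";
    return;
}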
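# to see the frequency of the attack from a certain pair of
# host and destination
#
# Reads the global %s0 (key "saddr,daddr,sig" => count, built in the
# statistics loop) and lists every pair/signature seen more than once,
# most frequent first.  Output goes to the currently selected filehandle.
sub same_attack {
    # Section banner.  Despite the _TOP suffix it is used as the body
    # format and emitted exactly once by the write below.
    format SAME_ATTACK_TOP =


The number of attack from same host to same destination using same method
=========================================================================
  # of
attacks from            to              with
=========================================================================
.
    $~ = 'SAME_ATTACK_TOP';
    write;

    for my $key (sort { $s0{$b} <=> $s0{$a} } keys %s0) {
        # Singletons are dropped as noise.
        next unless $s0{$key} > 1;

        # Split at most twice so a signature that itself contains a comma
        # is kept whole (the original split on every comma and truncated
        # it).  A lexical list also avoids assigning to @_, which aliases
        # the caller's argument list.
        my ($saddr, $daddr, $sig) = split /,/, $key, 3;
        printf " %2d %-15s %-15s %-32s\n", $s0{$key}, $saddr, $daddr, $sig;
    }
    return;
}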
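# to see the percentage and number of attacks from a host to a destination
#
# Reads the global %s1 (key "saddr,daddr" => count) and $total (number of
# matched input lines, the denominator of the percentage).  Pairs seen
# only once are skipped.  Output goes to the currently selected filehandle.
sub same_host_dest {
    # Section banner; used as the body format and written once.
    format SAME_HOST_DEST_TOP =


Percentage and number of attacks from a host to a destination
====================================================
        # of
   %  attacks from             to
====================================================
.
    $~ = 'SAME_HOST_DEST_TOP';
    write;

    for my $key (sort { $s1{$b} <=> $s1{$a} } keys %s1) {
        next unless $s1{$key} > 1;

        # Addresses never contain commas, so a plain split is exact.  A
        # lexical list replaces the original assignment to @_.
        my ($saddr, $daddr) = split /,/, $key;
        printf "%2.2f %2d %-16s %-16s\n",
            $s1{$key} / $total * 100, $s1{$key}, $saddr, $daddr;
    }
    return;
}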
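# to see how many attacks launched from one host
#
# Reads the global %s2 (key "sig,saddr" => count) and $total (number of
# matched input lines, the denominator of the percentage).  Combinations
# seen only once are skipped.  Output goes to the currently selected
# filehandle.
sub same_host_sig {
    # Section banner; used as the body format and written once.
    format SAME_HOST_SIG_TOP =


Percentage and number of attacks from one host to any with same method
===================================================================
        # of
   %  attacks from             type
===================================================================
.
    $~ = 'SAME_HOST_SIG_TOP';
    write;

    for my $key (sort { $s2{$b} <=> $s2{$a} } keys %s2) {
        next unless $s2{$key} > 1;

        # The signature comes first in the key and may itself contain
        # commas, while the address never does: split at the LAST comma.
        # (The original split on every comma and printed the wrong field
        # for such signatures; it also assigned to @_.)
        my ($sig, $saddr) = $key =~ m{ \A (.*) , ([^,]*) \z }xs;
        printf "%2.2f %4d %-16s %-32s\n",
            $s2{$key} / $total * 100, $s2{$key}, $saddr, $sig;
    }
    return;
}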
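# to see how many attacks received by one host
#
# Reads the global %s3 (key "sig,daddr" => count) and $total (number of
# matched input lines, the denominator of the percentage).  Combinations
# seen only once are skipped.  Output goes to the currently selected
# filehandle.
sub same_dest_sig_stat {
    # Section banner; used as the body format and written once.
    format SAME_DEST_SIG_TOP =


The percentage and number of attacks to one certain host
===================================================================
        # of
   %  attacks to              type
===================================================================
.
    $~ = 'SAME_DEST_SIG_TOP';
    write;

    for my $key (sort { $s3{$b} <=> $s3{$a} } keys %s3) {
        next unless $s3{$key} > 1;

        # Signature first, address last; the address never contains a
        # comma, so split at the LAST comma to keep a comma-bearing
        # signature intact.  (The original split on every comma and
        # assigned the pieces to @_.)
        my ($sig, $daddr) = $key =~ m{ \A (.*) , ([^,]*) \z }xs;
        printf "%2.2f %4d %-15s %-32s\n",
            $s3{$key} / $total * 100, $s3{$key}, $daddr, $sig;
    }
    return;
}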
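# to see the popularity of one attack method
#
# Reads the global %s4 (key = signature => count) and $total (number of
# matched input lines, the denominator of the percentage).  Signatures
# seen only once are skipped.  Output goes to the currently selected
# filehandle.
sub attack_distribution {
    # Section banner; used as the body format and written once.
    format ATTACK_DISTRIBUTION_TOP =


The distribution of attack methods
===================================================================
        # of
   %  attacks methods
===================================================================
.
    $~ = 'ATTACK_DISTRIBUTION_TOP';
    write;

    for my $sig (sort { $s4{$b} <=> $s4{$a} } keys %s4) {
        next unless $s4{$sig} > 1;

        # The key is the bare signature; the original split it on commas
        # and printed only the first piece, truncating signatures that
        # contain one.
        printf "%2.2f %4d %-32s\n", $s4{$sig} / $total * 100, $s4{$sig}, $sig;
    }
    return;
}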