[packages/snort.git] / snort-stat

#!/usr/bin/perl
#
# $Id$
# $Revision$
#
# snort_stat.pl is a perl script trying to generate statistical data from every
# day snort log file.
#
# USAGE: cat <snort_log> | snort_stat.pl
#
# or put it in the root's crontab file:
#59      10      *       *       *       root    cat /var/log/authlog | /etc/snort_stat.pl | sendmail root
#
# $Author$
# Yen-Ming Chen, <chenym+@CMU.EDU>
# $Date$
#
  
# process whatever comes in

while (<>) {
  # For snort log, added by $Author$
  # If this is a snort log
  if ($_ =~ m/^(\w{3})\s+(\d+)\s(\d+)\:(\d+)\:(\d+)\s(\w+)\ssnort:\s
      ([^:|.]+):\s([\d\.]+)[\:]*([\d]*)\s[\-\>]+\s([\d\.]+)[\:]*([\d]*)/ox)
    {
      $month  = $1; $day   = $2;  $hour  = $3; $minute = $4;
      $second = $5; $host  = $6;  $sig   = $7; $saddr  = $8;
      $sport  = $9; $daddr = $10; $dport = $11;
      
      # put those data into a big matrix
      push @result , [$1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11];
      $total++;
  }         
  next;                    
} # end of snort log

# begin statistics

for $i ( 0 .. $#result ) {
  # for the same pair of attacker and victim with same sig
  # to see the attack pattern
  # used in same_attack()
  $s0{"$result[$i]->[7],$result[$i]->[9],$result[$i]->[6]"}++;
  # for the same pair of attacker and victim 
  # to see how many ways are being tried
  # used in same_host_dest()
  $s1{"$result[$i]->[7],$result[$i]->[9]"}++;
  # from same host use same method to attack 
  # to see how many attacks launched from one host
  # used in same_host_sig()
  $s2{"$result[$i]->[6],$result[$i]->[7]"}++;
  # to same victim with same method
  # to see how many attacks received by one host
  # used in same_dest_sig_stat()
  $s3{"$result[$i]->[6],$result[$i]->[9]"}++;
  # same signature
  # to see the popularity of one attack method
  # used in attack_distribution()
  $s4{"$result[$i]->[6]"}++;
}

# begin report

print_head();
print_date();
same_attack();
same_host_dest();
same_host_sig();
same_dest_sig_stat();
attack_distribution();

# print the header (e.g. for mail)
sub print_head {
  print "Subject: snort daily report\n\n";
}

# print the time of begin and end of the log
sub print_date {
  print "The log begins from: $result[0]->[0] $result[0]->[1] $result[0]->[2]:$result[0]->[3]:$result[0]->[4]\n";
  print "The log ends     at: $result[$#result]->[0] $result[$#result]->[1] $result[$#result]->[2]:$result[$#result]->[3]:$result[$#result]->[4]\n";
}

# to see the frequency of the attack from a certain pair of 
# host and destination
sub same_attack {
  format SAME_ATTACK_TOP =
    
    
The number of attack from same host to same destination using same method
=========================================================================
   #  of 
  attacks        from              to                    with
=========================================================================
.
  $~=SAME_ATTACK_TOP;
  write;
  
  foreach $k (sort { $s0{$b} <=> $s0{$a} } keys %s0) { 
    @_ = split ",",$k;
    printf("     %2d     %-15s   %-15s %-32s\n",$s0{$k},$_[0],$_[1],$_[2]) 
      if $s0{$k} >1;
  }
}

# to see the percentage and number of attacks from a host to a destination
sub same_host_dest {
  format SAME_HOST_DEST_TOP =
    
    
Percentage and number of attacks from a host to a destination
====================================================
       #  of 
  %   attacks        from              to             
====================================================
.
  $~ = SAME_HOST_DEST_TOP;
  write;
  
  foreach $k (sort { $s1{$b} <=> $s1{$a} } keys %s1) {
    @_ = split ",",$k;
  printf("%2.2f    %2d      %-16s   %-16s\n",$s1{$k}/$total*100,
	 $s1{$k},$_[0],$_[1]) if $s1{$k} > 1;
  }
}

# to see how many attacks launched from one host
sub same_host_sig {
  format SAME_HOST_SIG_TOP =
    
    
Percentage and number of attacks from one host to any with same method
===================================================================
         #  of 
  %     attacks           from                    type             
===================================================================
.
  $~ = SAME_HOST_SIG_TOP;
  write;
  
  foreach $k (sort { $s2{$b} <=> $s2{$a} } keys %s2) {
    @_ = split ",",$k;
    printf("%2.2f    %4d         %-16s        %-32s\n",$s2{$k}/$total*100,
           $s2{$k},$_[1],$_[0]) if $s2{$k} > 1;
  }
}

# to see how many attacks received by one host
sub same_dest_sig_stat {
  format SAME_DEST_SIG_TOP =
    
    
The percentage and number of attacks to one certain host 
===================================================================
       #  of 
  %   attacks           to                      type             
===================================================================
.
  $~ = SAME_DEST_SIG_TOP;
  write;
  
  foreach $k (sort { $s3{$b} <=> $s3{$a} } keys %s3) {
    @_ = split ",",$k;
    printf("%2.2f   %4d          %-15s   %-32s\n",$s3{$k}/$total*100 ,
           $s3{$k},$_[1],$_[0]) if $s3{$k} > 1;
  }
}

# to see the popularity of one attack method
sub attack_distribution {
  format ATTACK_DISTRIBUTION_TOP =
    
    
The distribution of attack methods
===================================================================
        #  of 
  %    attacks              methods       
===================================================================
.
  $~ = ATTACK_DISTRIBUTION_TOP;
  write;
  
  foreach $k (sort { $s4{$b} <=> $s4{$a} } keys %s4) {
    @_ = split ",",$k;
    printf("%2.2f   %4d           %-32s\n",$s4{$k}/$total*100,
           $s4{$k},$_[0]) if $s4{$k} > 1;
  }
}
Commit	Line	Data
de591fc7	1	#!/usr/bin/perl
	2	#
	3	# $Id$
	4	# $Revision$
	5	#
	6	# snort_stat.pl is a perl script trying to generate statistical data from every
	7	# day snort log file.
	8	#
	9	# USAGE: cat <snort_log> \| snort_stat.pl
	10	#
	11	# or put it in the root's crontab file:
	12	#59 10 * * * root cat /var/log/authlog \| /etc/snort_stat.pl \| sendmail root
	13	#
	14	# $Author$
	15	# Yen-Ming Chen, <chenym+@CMU.EDU>
	16	# $Date$
	17	#
	18
	19	# process whatever comes in
	20
	21	while (<>) {
	22	# For snort log, added by $Author$
	23	# If this is a snort log
	24	if ($_ =~ m/^(\w{3})\s+(\d+)\s(\d+)\:(\d+)\:(\d+)\s(\w+)\ssnort:\s
	25	([^:\|.]+):\s([\d\.]+)[\:]([\d])\s[\-\>]+\s([\d\.]+)[\:]([\d])/ox)
	26	{
	27	$month = $1; $day = $2; $hour = $3; $minute = $4;
	28	$second = $5; $host = $6; $sig = $7; $saddr = $8;
	29	$sport = $9; $daddr = $10; $dport = $11;
	30
	31	# put those data into a big matrix
	32	push @result , [$1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11];
	33	$total++;
	34	}
	35	next;
	36	} # end of snort log
	37
	38	# begin statistics
	39
	40	for $i ( 0 .. $#result ) {
	41	# for the same pair of attacker and victim with same sig
	42	# to see the attack pattern
	43	# used in same_attack()
	44	$s0{"$result[$i]->[7],$result[$i]->[9],$result[$i]->[6]"}++;
	45	# for the same pair of attacker and victim
	46	# to see how many ways are being tried
	47	# used in same_host_dest()
	48	$s1{"$result[$i]->[7],$result[$i]->[9]"}++;
	49	# from same host use same method to attack
	50	# to see how many attacks launched from one host
	51	# used in same_host_sig()
	52	$s2{"$result[$i]->[6],$result[$i]->[7]"}++;
	53	# to same victim with same method
	54	# to see how many attacks received by one host
	55	# used in same_dest_sig_stat()
	56	$s3{"$result[$i]->[6],$result[$i]->[9]"}++;
	57	# same signature
	58	# to see the popularity of one attack method
	59	# used in attack_distribution()
	60	$s4{"$result[$i]->[6]"}++;
	61	}
	62
	63	# begin report
	64
65	print_head();
66	print_date();
67	same_attack();
68	same_host_dest();
69	same_host_sig();
70	same_dest_sig_stat();
71	attack_distribution();
72
73	# print the header (e.g. for mail)
74	sub print_head {
75	print "Subject: snort daily report\n\n";
76	}
77
78	# print the time of begin and end of the log
79	sub print_date {
80	print "The log begins from: $result[0]->[0] $result[0]->[1] $result[0]->[2]:$result[0]->[3]:$result[0]->[4]\n";
81	print "The log ends at: $result[$#result]->[0] $result[$#result]->[1] $result[$#result]->[2]:$result[$#result]->[3]:$result[$#result]->[4]\n";
82	}
83
84	# to see the frequency of the attack from a certain pair of
85	# host and destination
86	sub same_attack {
87	format SAME_ATTACK_TOP =
88
89
90	The number of attack from same host to same destination using same method
91	=========================================================================
92	# of
93	attacks from to with
94	=========================================================================
95	.
96	$~=SAME_ATTACK_TOP;
97	write;
98
99	foreach $k (sort { $s0{$b} <=> $s0{$a} } keys %s0) {
100	@_ = split ",",$k;
101	printf(" %2d %-15s %-15s %-32s\n",$s0{$k},$_[0],$_[1],$_[2])
102	if $s0{$k} >1;
103	}
104	}
105
106	# to see the percentage and number of attacks from a host to a destination
107	sub same_host_dest {
108	format SAME_HOST_DEST_TOP =
109
110
111	Percentage and number of attacks from a host to a destination
112	====================================================
113	# of
114	% attacks from to
115	====================================================
116	.
117	$~ = SAME_HOST_DEST_TOP;
118	write;
119
120	foreach $k (sort { $s1{$b} <=> $s1{$a} } keys %s1) {
121	@_ = split ",",$k;
122	printf("%2.2f %2d %-16s %-16s\n",$s1{$k}/$total*100,
123	$s1{$k},$_[0],$_[1]) if $s1{$k} > 1;
124	}
125	}
126
127	# to see how many attacks launched from one host
128	sub same_host_sig {
129	format SAME_HOST_SIG_TOP =
130
131
132	Percentage and number of attacks from one host to any with same method
133	===================================================================
134	# of
135	% attacks from type
136	===================================================================
137	.
138	$~ = SAME_HOST_SIG_TOP;
139	write;
140
141	foreach $k (sort { $s2{$b} <=> $s2{$a} } keys %s2) {
142	@_ = split ",",$k;
143	printf("%2.2f %4d %-16s %-32s\n",$s2{$k}/$total*100,
144	$s2{$k},$_[1],$_[0]) if $s2{$k} > 1;
145	}
146	}
147
148	# to see how many attacks received by one host
149	sub same_dest_sig_stat {
150	format SAME_DEST_SIG_TOP =
151
152
153	The percentage and number of attacks to one certain host
154	===================================================================
155	# of
156	% attacks to type
157	===================================================================
158	.
159	$~ = SAME_DEST_SIG_TOP;
160	write;
161
162	foreach $k (sort { $s3{$b} <=> $s3{$a} } keys %s3) {
163	@_ = split ",",$k;
164	printf("%2.2f %4d %-15s %-32s\n",$s3{$k}/$total*100 ,
165	$s3{$k},$_[1],$_[0]) if $s3{$k} > 1;
166	}
167	}
168
169	# to see the popularity of one attack method
170	sub attack_distribution {
171	format ATTACK_DISTRIBUTION_TOP =
172
173
174	The distribution of attack methods
175	===================================================================
176	# of
177	% attacks methods
178	===================================================================
179	.
180	$~ = ATTACK_DISTRIBUTION_TOP;
181	write;
182
183	foreach $k (sort { $s4{$b} <=> $s4{$a} } keys %s4) {
184	@_ = split ",",$k;
185	printf("%2.2f %4d %-32s\n",$s4{$k}/$total*100,
186	$s4{$k},$_[0]) if $s4{$k} > 1;
187	}
188	}
189
190
191