[packages/snort.git] / snortlog

#!/usr/bin/perl
# Syslog analysis script orignially written by
# Angelos Karageorgiou <angelos@StockTrade.GR> and
# tweaked by Martin Roesch <roesch@clark.net>

if($ARGV[1] eq undef)
{
   print "USAGE: snortlog <logname> <machinename>\n";
   print "EXAMPLE: snortlog /var/log/messages sentinel\n";
   print "Note: The machine name is just the hostname, not the FQDN!\n";
   exit;
}

$machine = $ARGV[1];

$targetlen=25;
$sourcelen=35;
$protolen=12;

use Socket;


open(LOG,"< $ARGV[0]") || die "No can do";

printf("%15s %-35s %-25s %-25s\n","DATE","WARNING", "FROM", "TO");
print "=" x 100;
print "\n";
while(<LOG>) {
        chomp();
        if ( 
                ( !  /.*snort*/gi )
           ) { next ; }

        $_ =~ s/ $machine snort//gi ;
        $date=substr($_,0,15);
        $rest=substr($_,16,500);


        @fields=split(": ", $rest);
        $text=$fields[0];


        $fields[1] =~ s/ \-\> /-/gi;
        ($source,$dest)=split('-', $fields[1]);


        ($host,$port)=split(':',$source);


        $iaddr = inet_aton($host); # or whatever address
        $name  = gethostbyaddr($iaddr, AF_INET);            
        if ( $name =~ /^$/ ) {
                $name=$host;
        }
        $name = $name . ":" .  $port;

        $skipit=0;

        ($shost,$sport)=split(':',$dest);
        $sport =~ s/ //gi;
        $siaddr = inet_aton($shost); # or whatever address
        $sname  = gethostbyaddr($siaddr, AF_INET) ;            
        if ( $sname =~ /^$/ ) {
                $sname=$shost;
        }
        $sname = $sname . ":" .  $sport;
        printf("%15s %-32s %-30s   %s\n",
                $date, $text,
                $name,$sname);

}
close(LOG);
Commit	Line	Data
5759ab8d	1	#!/usr/bin/perl
	2	# Syslog analysis script orignially written by
	3	# Angelos Karageorgiou <angelos@StockTrade.GR> and
	4	# tweaked by Martin Roesch <roesch@clark.net>
	5
	6	if($ARGV[1] eq undef)
	7	{
	8	print "USAGE: snortlog <logname> <machinename>\n";
	9	print "EXAMPLE: snortlog /var/log/messages sentinel\n";
	10	print "Note: The machine name is just the hostname, not the FQDN!\n";
	11	exit;
	12	}
	13
	14	$machine = $ARGV[1];
	15
	16	$targetlen=25;
	17	$sourcelen=35;
	18	$protolen=12;
	19
	20	use Socket;
	21
	22
	23	open(LOG,"< $ARGV[0]") \|\| die "No can do";
	24
	25	printf("%15s %-35s %-25s %-25s\n","DATE","WARNING", "FROM", "TO");
	26	print "=" x 100;
	27	print "\n";
	28	while(<LOG>) {
	29	chomp();
	30	if (
	31	( ! /.snort/gi )
	32	) { next ; }
	33
	34	$_ =~ s/ $machine snort//gi ;
	35	$date=substr($_,0,15);
	36	$rest=substr($_,16,500);
	37
	38
	39
	40	@fields=split(": ", $rest);
	41	$text=$fields[0];
	42
	43
	44	$fields[1] =~ s/ \-\> /-/gi;
	45	($source,$dest)=split('-', $fields[1]);
	46
	47
	48	($host,$port)=split(':',$source);
	49
	50
	51	$iaddr = inet_aton($host); # or whatever address
	52	$name = gethostbyaddr($iaddr, AF_INET);
	53	if ( $name =~ /^$/ ) {
	54	$name=$host;
	55	}
	56	$name = $name . ":" . $port;
	57
	58	$skipit=0;
	59
	60	($shost,$sport)=split(':',$dest);
	61	$sport =~ s/ //gi;
	62	$siaddr = inet_aton($shost); # or whatever address
	63	$sname = gethostbyaddr($siaddr, AF_INET) ;
	64	if ( $sname =~ /^$/ ) {
65	$sname=$shost;
66	}
67	$sname = $sname . ":" . $sport;
68	printf("%15s %-32s %-30s %s\n",
69	$date, $text,
70	$name,$sname);
71
72	}
73	close(LOG);