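#!/usr/bin/perl
# Syslog analysis script originally written by
# Angelos Karageorgiou <angelos@StockTrade.GR> and
# tweaked by Martin Roesch <roesch@clark.net>
#
# Reads a syslog file, keeps the lines logged by snort on the given host
# and prints one row per alert: date, alert text, source and destination.
# Each endpoint is shown as "name:port", where name is the reverse-DNS
# result for the address when one exists and the literal address otherwise.

use strict;
use warnings;
use Socket;

# Column widths are shared by the header and the data rows so that the
# columns actually line up (the original used different widths for each).
my $DATE_WIDTH   = 15;
my $TEXT_WIDTH   = 35;
my $SOURCE_WIDTH = 25;
my $DEST_WIDTH   = 25;
my $ROW_FORMAT   = "%${DATE_WIDTH}s %-${TEXT_WIDTH}s %-${SOURCE_WIDTH}s %-${DEST_WIDTH}s\n";

# Print the usage text and stop with a non-zero status; both command line
# arguments are mandatory.
sub usage {
    print "USAGE: snortlog <logname> <machinename>\n";
    print "EXAMPLE: snortlog /var/log/messages sentinel\n";
    print "Note: The machine name is just the hostname, not the FQDN!\n";
    exit 1;
}

# Split one syslog line into its alert fields.
#
# Arguments: the chomped line and the hostname that appears in it before
# the "snort" tag. Returns (date, alert text, source endpoint, destination
# endpoint) for a line of the form
#   <15-char date> <machine> snort: <text>: <host:port> -> <host:port>
# and the empty list for any line that is not a snort alert or does not
# have that shape, so callers can `or next` on it.
sub parse_snort_line {
    my ($line, $machine) = @_;

    return unless $line =~ /snort/i;

    # The machine name comes from the command line: quote it so regex
    # metacharacters in it cannot change the pattern.
    (my $stripped = $line) =~ s/ \Q$machine\E snort//gi;

    # The syslog timestamp is the fixed 15-character prefix; whatever single
    # character follows it (a space or the ':' left behind by the strip
    # above) is skipped, then any further separator is dropped.
    my ($date, $rest) = $stripped =~ m{\A(.{15}).?(.*)\z}s
        or return;
    $rest =~ s/\A[\s:]+//;

    # Anchoring on the trailing "src -> dst" pair keeps the alert text intact
    # even when it contains ": " itself, which a plain split on ": " broke.
    my ($text, $source, $dest) = $rest =~ m{\A(.*?):\s+(\S+)\s+->\s+(\S+)\s*\z}s
        or return;

    return ($date, $text, $source, $dest);
}

# Turn "address:port" into "name:port" using a reverse-DNS lookup.
#
# Falls back to the literal address when the address does not parse or has
# no PTR record. The port is kept as given (empty when absent).
sub endpoint_name {
    my ($endpoint) = @_;

    my ($host, $port) = split /:/, $endpoint, 2;
    $port = '' if !defined $port;

    my $name   = $host;
    my $packed = inet_aton($host);
    if (defined $packed) {
        my $resolved = gethostbyaddr($packed, AF_INET);
        $name = $resolved if defined $resolved && length $resolved;
    }

    # A reverse-DNS answer is text controlled by whoever runs that zone and
    # it is printed straight to the terminal, so strip control characters.
    $name =~ tr/\x00-\x1f\x7f//d;

    return "$name:$port";
}

# Entry point: main(<logname>, <machinename>).
#
# Opens the log, prints a header and one row per parsed alert. Dies with
# the OS error when the log cannot be opened or closed.
sub main {
    my ($logname, $machine) = @_;

    usage() if !defined $logname || !defined $machine;

    # Three-argument open: the log name is taken from the command line and
    # must not be able to change the open mode.
    open my $log, '<', $logname or die "Cannot open $logname: $!\n";

    printf($ROW_FORMAT, 'DATE', 'WARNING', 'FROM', 'TO');
    print '=' x 100, "\n";

    while (my $line = <$log>) {
        chomp $line;
        my ($date, $text, $source, $dest) = parse_snort_line($line, $machine)
            or next;
        printf($ROW_FORMAT, $date, $text, endpoint_name($source), endpoint_name($dest));
    }

    close $log or die "Cannot close $logname: $!\n";
    return;
}

# Run only when invoked as a script, so the helpers can be loaded by tests.
main(@ARGV) unless caller;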