6 # snort_stat.pl is a perl script trying to generate statistical data from every
9 # USAGE: cat <snort_log> | snort_stat.pl
11 # or put it in the root's crontab file:
12 #59 10 * * * root cat /var/log/authlog | /etc/snort_stat.pl | sendmail root
15 # Yen-Ming Chen, <chenym+@CMU.EDU>
19 # process whatever comes in
22 # For snort log, added by $Author$
23 # If this is a snort log
24 if ($_ =~ m/^(\w{3})\s+(\d+)\s(\d+)\:(\d+)\:(\d+)\s(\w+)\ssnort:\s
25 ([^:|.]+):\s([\d\.]+)[\:]*([\d]*)\s[\-\>]+\s([\d\.]+)[\:]*([\d]*)/ox)
27 $month = $1; $day = $2; $hour = $3; $minute = $4;
28 $second = $5; $host = $6; $sig = $7; $saddr = $8;
29 $sport = $9; $daddr = $10; $dport = $11;
31 # put those data into a big matrix
32 push @result , [$1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11];
40 for $i ( 0 .. $#result ) {
41 # for the same pair of attacker and victim with the same sig
42 # to see the attack pattern
43 # used in same_attack()
44 $s0{"$result[$i]->[7],$result[$i]->[9],$result[$i]->[6]"}++;
45 # for the same pair of attacker and victim
46 # to see how many ways are being tried
47 # used in same_host_dest()
48 $s1{"$result[$i]->[7],$result[$i]->[9]"}++;
49 # from the same host using the same method to attack
50 # to see how many attacks were launched from one host
51 # used in same_host_sig()
52 $s2{"$result[$i]->[6],$result[$i]->[7]"}++;
53 # to the same victim with the same method
54 # to see how many attacks were received by one host
55 # used in same_dest_sig_stat()
56 $s3{"$result[$i]->[6],$result[$i]->[9]"}++;
58 # to see the popularity of one attack method
59 # used in attack_distribution()
60 $s4{"$result[$i]->[6]"}++;
71 attack_distribution();
# NOTE(review): this call runs before the "Subject:" line below, so whatever it
# prints (its format header and printf lines go to STDOUT, the currently
# selected handle) lands ahead of the mail header when the script is piped to
# sendmail as in the crontab example above — confirm the intended order.
73 # print the header (e.g. for mail)
75 print "Subject: snort daily report\n\n";
78 # print the time of begin and end of the log
# @result is only filled by input lines that matched the snort regex; on empty
# or non-matching input both subscripts below are undef (warnings under -w)
# and the report shows blank timestamps — guarding on @result is advisable.
80 print "The log begins from: $result[0]->[0] $result[0]->[1] $result[0]->[2]:$result[0]->[3]:$result[0]->[4]\n";
81 print "The log ends at: $result[$#result]->[0] $result[$#result]->[1] $result[$#result]->[2]:$result[$#result]->[3]:$result[$#result]->[4]\n";
84 # to see the frequency of attacks from a given pair of
85 # host and destination
87 format SAME_ATTACK_TOP =
90 The number of attack from same host to same destination using same method
91 =========================================================================
94 =========================================================================
99 foreach $k (sort { $s0{$b} <=> $s0{$a} } keys %s0) {
101 printf(" %2d %-15s %-15s %-32s\n",$s0{$k},$_[0],$_[1],$_[2])
106 # to see the percentage and number of attacks from a host to a destination
108 format SAME_HOST_DEST_TOP =
111 Percentage and number of attacks from a host to a destination
112 ====================================================
115 ====================================================
117 $~ = SAME_HOST_DEST_TOP;
120 foreach $k (sort { $s1{$b} <=> $s1{$a} } keys %s1) {
122 printf("%2.2f %2d %-16s %-16s\n",$s1{$k}/$total*100,
123 $s1{$k},$_[0],$_[1]) if $s1{$k} > 1;
127 # to see how many attacks were launched from one host
129 format SAME_HOST_SIG_TOP =
132 Percentage and number of attacks from one host to any with same method
133 ===================================================================
136 ===================================================================
138 $~ = SAME_HOST_SIG_TOP;
141 foreach $k (sort { $s2{$b} <=> $s2{$a} } keys %s2) {
143 printf("%2.2f %4d %-16s %-32s\n",$s2{$k}/$total*100,
144 $s2{$k},$_[1],$_[0]) if $s2{$k} > 1;
148 # to see how many attacks were received by one host
149 sub same_dest_sig_stat {
150 format SAME_DEST_SIG_TOP =
153 The percentage and number of attacks to one certain host
154 ===================================================================
157 ===================================================================
159 $~ = SAME_DEST_SIG_TOP;
162 foreach $k (sort { $s3{$b} <=> $s3{$a} } keys %s3) {
164 printf("%2.2f %4d %-15s %-32s\n",$s3{$k}/$total*100 ,
165 $s3{$k},$_[1],$_[0]) if $s3{$k} > 1;
169 # to see the popularity of one attack method
170 sub attack_distribution {
171 format ATTACK_DISTRIBUTION_TOP =
174 The distribution of attack methods
175 ===================================================================
178 ===================================================================
180 $~ = ATTACK_DISTRIBUTION_TOP;
183 foreach $k (sort { $s4{$b} <=> $s4{$a} } keys %s4) {
185 printf("%2.2f %4d %-32s\n",$s4{$k}/$total*100,
186 $s4{$k},$_[0]) if $s4{$k} > 1;