# Syslog analysis script originally written by
# Angelos Karageorgiou <angelos@StockTrade.GR> and
# tweaked by Martin Roesch <roesch@clark.net>
# Usage banner.  The argument check that triggers it is not among the visible
# lines; the three lines below are printed as one single-quoted heredoc so the
# angle-bracket placeholders are never interpolated.
print <<'USAGE';
USAGE: snortlog <logname> <machinename>
EXAMPLE: snortlog /var/log/messages sentinel
Note: The machine name is just the hostname, not the FQDN!
USAGE
23 open(LOG,"< $ARGV[0]") || die "No can do";
25 printf("%15s %-35s %-25s %-25s\n","DATE","WARNING", "FROM", "TO");
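# Strip the "<machine> snort" syslog tag from the current line.  \Q...\E
# quotes the host name so regex metacharacters in it (a "." or "-", for
# instance) match literally instead of being treated as a pattern.
# NOTE(review): $machine is assigned outside the visible lines -- presumably
# from @ARGV; confirm.
$_ =~ s/ \Q$machine\E snort//gi;
# First 15 characters: the timestamp field (matches the 15-wide DATE column).
$date = substr($_, 0, 15);
# Everything after the timestamp, capped at 500 characters as before.
$rest = substr($_, 16, 500);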
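# Break the remainder into ": "-separated fields; the second one holds the
# "source -> destination" pair.
@fields = split(": ", $rest);
# Split the endpoints on the " -> " arrow itself rather than after collapsing
# it to "-": a host name containing "-" would otherwise be cut at the wrong
# place.  $fields[1] is still normalised to the "-" form afterwards in case
# code outside the visible lines relies on it.
($source, $dest) = split(/ -> /, $fields[1]);
$fields[1] =~ s/ \-\> /-/gi;
# Source endpoint is "host:port".
($host, $port) = split(':', $source);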
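# Reverse-resolve the source address.  inet_aton returns undef for anything
# it cannot parse; passing that on to gethostbyaddr only yields a warning, so
# leave $name undefined instead and let the empty-name check below handle it.
# The resolved name comes from DNS (the address owner's PTR record) and is
# printed verbatim later, so treat it as untrusted text.
$iaddr = inet_aton($host);
$name = defined $iaddr ? gethostbyaddr($iaddr, AF_INET) : undef;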
# No name came back from the lookup (undef stringifies to "" here).  The body
# of this block is outside the visible lines -- presumably it falls back to
# the raw address; confirm.
53 if ( $name =~ /^$/ ) {
# Re-attach the source port to whichever name was chosen.
56 $name = $name . ":" . $port;
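# Destination endpoint is "host:port".
($shost, $sport) = split(':', $dest);
# Reverse-resolve the destination address, guarding inet_aton's undef result
# the same way as for the source so gethostbyaddr is never handed an
# unparseable address.  As with the source, the name is DNS-supplied text.
$siaddr = inet_aton($shost);
$sname = defined $siaddr ? gethostbyaddr($siaddr, AF_INET) : undef;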
# No name for the destination either; the fallback body lives outside the
# visible lines -- presumably the raw address is used; confirm.
64 if ( $sname =~ /^$/ ) {
# Re-attach the destination port.
67 $sname = $sname . ":" . $sport;
68 printf("%15s %-32s %-30s %s\n",