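#!/usr/bin/perl
#
# $Id$
# $Revision$
#
# snort_stat.pl is a perl script trying to generate statistical data from every
# day snort log file.
#
# USAGE: cat <snort syslog file> | snort_stat.pl
#
# or put it in the root's crontab file:
# 59 10 * * * root cat /var/log/authlog | /etc/snort_stat.pl | sendmail root
#
# $Author$
# Yen-Ming Chen,
# $Date$
#
# Lines that do not look like a snort syslog entry are skipped, so a mixed
# syslog file can be fed in.  Every field that reaches the report comes from a
# capture group with a restrictive character class (see $SNORT_LINE_RE), which
# keeps arbitrary log text out of the mailed report.

use strict;
use warnings;

# Names of the capture groups of $SNORT_LINE_RE, in order.
my @FIELDS = qw(month day hour minute second host sig saddr sport daddr dport);

# One snort syslog line, e.g. (constructed example):
#   Jan  5 03:04:05 fw snort: SOME ALERT: 10.0.0.1:1234 -> 10.0.0.2:80
# As in the original pattern, the signature ends at the first ':', '|' or '.'
# and either port may be empty.
my $SNORT_LINE_RE = qr{
    \A
    (\w{3}) \s+ (\d+) \s (\d+) : (\d+) : (\d+) \s    # month day hour:minute:second
    (\w+) \s snort: \s                              # logging host
    ([^:|.]+) : \s                                  # signature
    ([\d.]+) :* (\d*) \s [->]+ \s                   # source address, port
    ([\d.]+) :* (\d*)                               # destination address, port
}x;

# Parse one log line.  Returns a hashref keyed by @FIELDS, or nothing when the
# line is not a snort entry.
sub parse_snort_line {
    my ($line) = @_;
    my @values = ($line =~ $SNORT_LINE_RE) or return;
    my %record;
    @record{@FIELDS} = @values;
    return \%record;
}

# Count one combination of fields in a tally table.  An entry is
# { key => STRING, count => N, fields => [ ... ] }; the key joins the fields
# with "\0" rather than "," because a signature name may itself contain a
# comma, which would have thrown off the original `split ","` of the key.
sub _tally {
    my ($table, @fields) = @_;
    my $key = join "\0", @fields;
    my $entry = $table->{$key} ||= { key => $key, count => 0, fields => \@fields };
    $entry->{count}++;
    return;
}

# Build every table the report needs from the parsed records.  Returns
#   { total          => number of records,
#     same_attack    => table keyed by (saddr, daddr, sig),
#     same_host_dest => table keyed by (saddr, daddr),
#     same_host_sig  => table keyed by (saddr, sig),
#     same_dest_sig  => table keyed by (daddr, sig),
#     by_sig         => table keyed by (sig) }
# where each table is as described at _tally().
sub collect_stats {
    my ($records) = @_;
    my %stats = (
        total          => scalar @$records,
        same_attack    => {},
        same_host_dest => {},
        same_host_sig  => {},
        same_dest_sig  => {},
        by_sig         => {},
    );
    for my $r (@$records) {
        # same attacker, victim and method: the attack pattern
        _tally($stats{same_attack}, @{$r}{qw(saddr daddr sig)});
        # same attacker and victim: how many ways are being tried
        _tally($stats{same_host_dest}, @{$r}{qw(saddr daddr)});
        # same attacker and method: how many attacks launched from one host
        _tally($stats{same_host_sig}, @{$r}{qw(saddr sig)});
        # same victim and method: how many attacks received by one host
        _tally($stats{same_dest_sig}, @{$r}{qw(daddr sig)});
        # same method: popularity of one attack method
        _tally($stats{by_sig}, $r->{sig});
    }
    return \%stats;
}

# Order entries most frequent first.  Ties are broken by key so the report is
# stable from run to run (Perl randomises hash order).
sub _by_count {
    return sort { $b->{count} <=> $a->{count} || $a->{key} cmp $b->{key} } @_;
}

# Print one report table: the heading, then one row per entry whose count is
# above one (single hits are left out, as in the original report).
#   heading - text printed before the rows
#   table   - a tally table from collect_stats()
#   fmt     - printf format for one row: [percentage,] count, fields...
#   total   - when given, each row starts with count/total*100
# The headings are printed with plain print rather than the original
# format/write: in a format, a picture line starting with '#' in column 0 is
# a comment, so a "# of" column header there may never have been printed.
sub _print_table {
    my (%arg) = @_;
    my $fmt = $arg{fmt};
    print $arg{heading};
    for my $entry (_by_count(values %{ $arg{table} })) {
        next unless $entry->{count} > 1;
        my @row = ($entry->{count}, @{ $entry->{fields} });
        unshift @row, $entry->{count} / $arg{total} * 100 if $arg{total};
        printf $fmt, @row;
    }
    return;
}

# print the header (e.g. for mail)
sub print_head {
    print "Subject: snort daily report\n\n";
    return;
}

# "Mon dd hh:mm:ss" for one record, as it appeared in the log.
sub _timestamp {
    my ($r) = @_;
    return "$r->{month} $r->{day} $r->{hour}:$r->{minute}:$r->{second}";
}

# print the time of begin and end of the log (in input order)
sub print_date {
    my ($records) = @_;
    if (!@$records) {
        # the original dereferenced $result[0] here and printed undef fields
        print "The log contains no snort entries.\n";
        return;
    }
    print "The log begins from: ", _timestamp($records->[0]), "\n";
    print "The log ends at: ", _timestamp($records->[-1]), "\n";
    return;
}

# to see the frequency of the attack from a certain pair of host and
# destination with the same method
sub same_attack {
    my ($stats) = @_;
    my $heading = <<'END';
The number of attack from same host to same destination using same method
=========================================================================
# of attacks    from            to              with
=========================================================================
END
    _print_table(
        heading => $heading,
        table   => $stats->{same_attack},
        fmt     => " %2d %-15s %-15s %-32s\n",
    );
    return;
}

# to see the percentage and number of attacks from a host to a destination
sub same_host_dest {
    my ($stats) = @_;
    my $heading = <<'END';
Percentage and number of attacks from a host to a destination
====================================================
         # of
   %    attacks  from             to
====================================================
END
    _print_table(
        heading => $heading,
        table   => $stats->{same_host_dest},
        fmt     => "%2.2f %2d %-16s %-16s\n",
        total   => $stats->{total},
    );
    return;
}

# to see how many attacks launched from one host
sub same_host_sig {
    my ($stats) = @_;
    my $heading = <<'END';
Percentage and number of attacks from one host to any with same method
===================================================================
         # of
   %    attacks  from             type
===================================================================
END
    _print_table(
        heading => $heading,
        table   => $stats->{same_host_sig},
        fmt     => "%2.2f %4d %-16s %-32s\n",
        total   => $stats->{total},
    );
    return;
}

# to see how many attacks received by one host
sub same_dest_sig_stat {
    my ($stats) = @_;
    my $heading = <<'END';
The percentage and number of attacks to one certain host
===================================================================
         # of
   %    attacks  to              type
===================================================================
END
    _print_table(
        heading => $heading,
        table   => $stats->{same_dest_sig},
        fmt     => "%2.2f %4d %-15s %-32s\n",
        total   => $stats->{total},
    );
    return;
}

# to see the popularity of one attack method
sub attack_distribution {
    my ($stats) = @_;
    my $heading = <<'END';
The distribution of attack methods
===================================================================
         # of
   %    attacks  methods
===================================================================
END
    _print_table(
        heading => $heading,
        table   => $stats->{by_sig},
        fmt     => "%2.2f %4d %-32s\n",
        total   => $stats->{total},
    );
    return;
}

# Read the log from STDIN (or the files named in @ARGV) and print the report.
sub main {
    my @records;
    # NOTE: <> applies 2-arg "magic" open to names in @ARGV (see perlop); the
    # documented usage pipes the log in on STDIN.  On perl 5.22+ <<>> reads
    # the names as plain files.
    while (my $line = <>) {
        my $record = parse_snort_line($line);
        push @records, $record if $record;
    }
    my $stats = collect_stats(\@records);

    print_head();
    print_date(\@records);
    same_attack($stats);
    same_host_dest($stats);
    same_host_sig($stats);
    same_dest_sig_stat($stats);
    attack_distribution($stats);
    return;
}

# Run only when executed as a script, so the subs can be loaded for testing.
main() unless caller;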