Subject: [snort] html output for snort_stat.pl
From: Andrew R. Baker (andrewb
uab.edu)Date: Tue Mar 07 2000 - 11:07:43 CST
Here is a patch against snort_stat.pl that adds an option (-h) to produce HTML
output instead of the plain-text report.
-Andrew
--- snort_stat.pl.orig2 Mon Mar 6 20:36:40 2000
+++ snort_stat.pl Mon Mar 6 20:38:35 2000

-6,9 +6,10 
# snort_stat.pl is a perl script trying to generate statistical data from every
# day snort log file.
#
-# USAGE: cat <snort_log> | snort_stat.pl -r -a
+# USAGE: cat <snort_log> | snort_stat.pl -r -a -h
# -r: resolve IP address to domain name
# -a: snort alert format
+# -h: produce html output
#
# or put it in the root's crontab file:
#59 10 * * * root cat /var/log/authlog | /etc/snort_stat.pl | sendmail root

-21,13 +22,14 
# contributed the DNS resolve and cache
#
# 2000.03.06 - modifications to read snort alert file
-# Andrew R. Baker <andrewb
uab.edu>
+# added html output option
+# Andrew R. Baker <andrewb
uab.edu>
#
use Getopt::Std; # use Getopt for options
use Socket; # use socket for resolving domain name from IP
%HOSTS = {}; # Hash for IP <-> domain name mapping
-getopts('ra'); # get options in command line
+getopts('rah'); # get options in command line
# process whatever comes in
while (<>) {

-118,24 +120,51 
same_host_sig();
same_dest_sig_stat();
attack_distribution();
+print_footer();
# print the header (e.g. for mail)
sub print_head {
- print "Subject: snort daily report\n\n";
+ if($opt_h) {
+ print "<html>\n<head>\n";
+ print "<title>Snort Statistics</title>";
+ print "</head>\n<body>\n";
+ print "<h1>Snort Statistics</h1>\n";
+ } else {
+ print "Subject: snort daily report\n\n";
+ }
}
# print the time of begin and end of the log
sub print_date {
- print "The log begins from: $result[0]->[0] $result[0]->[1]
-$result[0]->[2]:$result[0]->[3]:$result[0]->[4]\n";
- print "The log ends at: $result[$#result]->[0] $result[$#result]->[1]
-$result[$#result]->[2]:$result[$#result]->[3]:$result[$#result]->[4]\n";
+ if($opt_h) {
+ print "<table>\n";
+ print "<tr><td>The log begins at:</td>\n";
+ print "<td>$result[0]->[0] $result[0]->[1] $result[0]->[2]:$result[0]->[3]:$result[0]->[4]</td></tr>\n";
+ print "<tr><td>The log ends at:</td>\n";
+ print "<td>$result[$#result]->[0] $result[$#result]->[1] $result[$#result]->[2]:$result[$#result]->[3]:$result[$#result]->[4]</td></tr>\n";
+ print "</table>\n";
+ print "<hr>\n";
+ } else {
+ print "The log begins from: $result[0]->[0] $result[0]->[1] $result[0]->[2]:$result[0]->[3]:$result[0]->[4]\n";
+ print "The log ends at: $result[$#result]->[0] $result[$#result]->[1] $result[$#result]->[2]:$result[$#result]->[3]:$result[$#result]->[4]\n";
+ }
}
# to see the frequency of the attack from a certain pair of
# host and destination
sub same_attack {
- format SAME_ATTACK_TOP =
+ if($opt_h) {
+ print "<h3>The number of attack from same host to same destination using same method</h3>\n";
+ print "<table>\n";
+ print "<tr><th># of attacks</th><th>from</th><th>to</th><th>with</th</tr>";
+ foreach $k (sort { $s0{$b} <=> $s0{$a} } keys %s0) {
+
_ = split ":",$k;
+ print "<tr><td>$s0{$k}</td><td>$_[1]</td><td>$_[0]</td><td>$_[2]</td></tr>\n"
+ if $s0{$k} >1;
+ }
+ print "</table><hr>\n";
+ } else {
+ format SAME_ATTACK_TOP =
The number of attack from same host to same destination using same method
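Review bot: The HTML branch of same_attack interpolates `$_[1]`, `$_[0]` and `$_[2]` straight into table cells at `print "<tr><td>$s0{$k}</td><td>$_[1]</td><td>$_[0]</td><td>$_[2]</td></tr>\n"` with no HTML escaping; those fields are parsed from the snort log and, when `-r` is given (see the usage comment), the address fields are replaced by DNS-resolved names, so a hostile PTR record or log line carrying `<script>` markup would be rendered verbatim by whoever opens the report. Every other HTML table in this patch has the same shape, so a small escape helper applied to each cell is the fix rather than a per-table patch. Separately, the header row `<th>with</th</tr>` is missing the `>` of the closing `</th>`, so that row is never closed. The lines shown as `_ = split ":",$k;` presumably read `@_ = split` in the original and lost the sigil in the archive rendering; the fence below assumes that. same_attack's text branch and closing brace continue past this hunk.
```perl
# Escape the characters HTML treats as markup. Report cells come from the
# log (and from DNS PTR records when -r is used), so they are untrusted text.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# … unchanged: same_attack heading and <table> open …
        print "<tr><th># of attacks</th><th>from</th><th>to</th><th>with</th></tr>\n";
        foreach $k (sort { $s0{$b} <=> $s0{$a} } keys %s0) {
            @_ = split ":",$k;
            print "<tr><td>$s0{$k}</td><td>", html_escape($_[1]), "</td><td>",
                  html_escape($_[0]), "</td><td>", html_escape($_[2]), "</td></tr>\n"
                if $s0{$k} >1;
        }
# … unchanged: </table> and text branch …
```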

-144,19 +173,33 
attacks from to with
=========================================================================
.
- $~=SAME_ATTACK_TOP;
- write;
+ $~=SAME_ATTACK_TOP;
+ write;
- foreach $k (sort { $s0{$b} <=> $s0{$a} } keys %s0) {
-
_ = split ":",$k;
- printf(" %-2d %-20s %-20s %-20s\n",$s0{$k},$_[1],$_[0],$_[2])
- if $s0{$k} >1;
+ foreach $k (sort { $s0{$b} <=> $s0{$a} } keys %s0) {
+
_ = split ":",$k;
+ printf(" %-2d %-20s %-20s %-20s\n",$s0{$k},$_[1],$_[0],$_[2])
+ if $s0{$k} >1;
+ }
}
}
# to see the percentage and number of attacks from a host to a destination
sub same_host_dest {
- format SAME_HOST_DEST_TOP =
+ if($opt_h) {
+ print "<h3>Percentage and number of attacks from a host to a destination</h3>\n";
+ print "<table>\n";
+ print "<tr><th>%</th><th># of attacks</th><th>from</th><th>to</th></tr>\n";
+ foreach $k (sort { $s1{$b} <=> $s1{$a} } keys %s1) {
+
_ = split ":",$k;
+ printf("<tr><td>%-2.2f</td><td>%-2d</td><td>%-20s</td><td>%-20s</td><td>\n"
+ ,$s1{$k}/$total*100,$s1{$k},$_[0],$_[1])
+ if $s1{$k} > 1;
+ }
+ print "</table><hr>\n";
+ } else {
+
+ format SAME_HOST_DEST_TOP =
Percentage and number of attacks from a host to a destination
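Review bot: The row format in same_host_dest's HTML branch ends with `<td>\n` instead of `</tr>\n` (`printf("<tr><td>%-2.2f</td><td>%-2d</td><td>%-20s</td><td>%-20s</td><td>\n"`), so every data row opens a stray fifth cell and is never closed; the tail should be `</td></tr>\n`. The `%-20s` width specifiers pad with spaces that HTML collapses, so they are left over from the text branch and plain `%s` is enough. The host fields in `$_[0]` and `$_[1]` are interpolated without HTML escaping, as in the other tables, and with `-r` they can be DNS-supplied names. same_host_dest's text branch and closing brace lie outside this hunk.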

-165,19 +208,32 
% attacks from to
=============================================================
.
- $~ = SAME_HOST_DEST_TOP;
- write;
+ $~ = SAME_HOST_DEST_TOP;
+ write;
- foreach $k (sort { $s1{$b} <=> $s1{$a} } keys %s1) {
-
_ = split ":",$k;
- printf("%-2.2f %-2d %-20s %-20s\n",$s1{$k}/$total*100,
- $s1{$k},$_[0],$_[1]) if $s1{$k} > 1;
+ foreach $k (sort { $s1{$b} <=> $s1{$a} } keys %s1) {
+
_ = split ":",$k;
+ printf("%-2.2f %-2d %-20s %-20s\n",$s1{$k}/$total*100,
+ $s1{$k},$_[0],$_[1]) if $s1{$k} > 1;
+ }
}
}
# to see how many attacks launched from one host
sub same_host_sig {
- format SAME_HOST_SIG_TOP =
+ if ($opt_h) {
+ print "<h3>Percentage and number of attacks from one host to any with same method</h3>\n";
+ print "<table>\n";
+ print "<tr><th>%</th><th># of attacks</th><th>from</th><th>type</th></tr>\n";
+ foreach $k (sort { $s2{$b} <=> $s2{$a} } keys %s2) {
+
_ = split ":",$k;
+ printf("<tr><td>%-2.2f</td><td>%-4d</td><td>%-20s</td><td>%-28s</td><tr>\n",
+ $s2{$k}/$total*100,$s2{$k},$_[1],$_[0]) if $s2{$k} > 1;
+ }
+ print "</table><hr>\n";
+ } else {
+
+ format SAME_HOST_SIG_TOP =
Percentage and number of attacks from one host to any with same method
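Review bot: The row format in same_host_sig's HTML branch closes with `<tr>\n` where `</tr>\n` is needed (`printf("<tr><td>%-2.2f</td><td>%-4d</td><td>%-20s</td><td>%-28s</td><tr>\n"`), so each row opens a new, empty row instead of terminating the current one; change the tail to `</td></tr>\n`. The `%-20s`/`%-28s` padding is meaningless inside HTML cells and can be `%s`. The source host in `$_[1]` and the signature text in `$_[0]` go into the page unescaped. same_host_sig's text branch and closing brace are outside this hunk.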

-186,19 +242,32 
% attacks from type
===================================================================
.
- $~ = SAME_HOST_SIG_TOP;
- write;
+ $~ = SAME_HOST_SIG_TOP;
+ write;
- foreach $k (sort { $s2{$b} <=> $s2{$a} } keys %s2) {
-
_ = split ":",$k;
- printf("%-2.2f %-4d %-20s %-28s\n",$s2{$k}/$total*100,
- $s2{$k},$_[1],$_[0]) if $s2{$k} > 1;
+ foreach $k (sort { $s2{$b} <=> $s2{$a} } keys %s2) {
+
_ = split ":",$k;
+ printf("%-2.2f %-4d %-20s %-28s\n",$s2{$k}/$total*100,
+ $s2{$k},$_[1],$_[0]) if $s2{$k} > 1;
+ }
}
}
# to see how many attacks received by one host
sub same_dest_sig_stat {
- format SAME_DEST_SIG_TOP =
+ if ($opt_h) {
+ print "<h3>Percentage and number of attacks to one certain host</h3>\n";
+ print "<table>\n";
+ print "<tr><th>%</th><th># of attacks</th><th>to</th><th>type</th></tr>\n";
+ foreach $k (sort { $s3{$b} <=> $s3{$a} } keys %s3) {
+
_ = split ":",$k;
+ printf("<tr><td>%-2.2f</td><td>%-4d</td><td>%-25s</td><td>%-28s</td><td>\n",
+ $s3{$k}/$total*100,$s3{$k},$_[1],$_[0]) if $s3{$k} > 1;
+ }
+ print "</table><hr>\n";
+ } else {
+
+ format SAME_DEST_SIG_TOP =
The percentage and number of attacks to one certain host
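Review bot: The row format in same_dest_sig_stat's HTML branch ends with `</td><td>\n` rather than `</td></tr>\n` (`printf("<tr><td>%-2.2f</td><td>%-4d</td><td>%-25s</td><td>%-28s</td><td>\n"`), leaving an unclosed extra cell on every row; the fix is the single closing tag. As with the other four tables, the destination host and signature fields are interpolated without escaping, and the `%-25s`/`%-28s` widths are no-ops in HTML. same_dest_sig_stat's text branch and closing brace continue past this hunk.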

-207,19 +276,31 
% attacks to type
===================================================================
.
- $~ = SAME_DEST_SIG_TOP;
- write;
+ $~ = SAME_DEST_SIG_TOP;
+ write;
- foreach $k (sort { $s3{$b} <=> $s3{$a} } keys %s3) {
-
_ = split ":",$k;
- printf("%-2.2f %-4d %-25s %-28s\n",$s3{$k}/$total*100 ,
- $s3{$k},$_[1],$_[0]) if $s3{$k} > 1;
+ foreach $k (sort { $s3{$b} <=> $s3{$a} } keys %s3) {
+
_ = split ":",$k;
+ printf("%-2.2f %-4d %-25s %-28s\n",$s3{$k}/$total*100 ,
+ $s3{$k},$_[1],$_[0]) if $s3{$k} > 1;
+ }
}
}
# to see the popularity of one attack method
sub attack_distribution {
- format ATTACK_DISTRIBUTION_TOP =
+ if($opt_h) {
+ print "<h3>The distribution of attack methods</h3>\n";
+ print "<table>\n";
+ print "<tr><th>%</th><th># of attacks</th><th>methods</th></tr>\n";
+ foreach $k (sort { $s4{$b} <=> $s4{$a} } keys %s4) {
+
_ = split ":",$k;
+ printf("<tr><td>%-2.2f</td><td>%-4d</td><td>%-32s</td></tr>\n",
+ $s4{$k}/$total*100,$s4{$k},$_[0]);
+ }
+ print "</table><hr>\n";
+ } else {
+ format ATTACK_DISTRIBUTION_TOP =
The distribution of attack methods
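Review bot: This is the fifth copy of the same open-table, header-row, loop, close-table scaffold (`print "<h3>…</h3>\n"; print "<table>\n"; print "<tr><th>…` through `print "</table><hr>\n"`), and the four siblings already disagree on how they close a row, which is what duplicated markup tends to produce. A single helper that takes the title, the header labels and pre-formatted rows would make the table shape correct in one place; callers would keep their own sort and `> 1` filtering and build the row list. The `%-32s` width in the row printf is padding HTML discards, so `%s` is sufficient. attack_distribution's text branch and closing brace lie outside this hunk.
```perl
# Emit one report table: heading, one <th> per header label, then one row per
# element of @$rows (each an array ref of cell strings, already escaped).
sub print_html_table {
    my ($title, $headers, $rows) = @_;
    print "<h3>$title</h3>\n<table>\n<tr>";
    print "<th>$_</th>" for @$headers;
    print "</tr>\n";
    for my $row (@$rows) {
        print "<tr>", (map { "<td>$_</td>" } @$row), "</tr>\n";
    }
    print "</table><hr>\n";
}
```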

-228,14 +309,24 
% attacks methods
===================================================================
.
- $~ = ATTACK_DISTRIBUTION_TOP;
- write;
-
- foreach $k (sort { $s4{$b} <=> $s4{$a} } keys %s4) {
-
_ = split ":",$k;
- printf("%-2.2f %-4d %-32s\n",$s4{$k}/$total*100,$s4{$k},$_[0]);
+ $~ = ATTACK_DISTRIBUTION_TOP;
+ write;
+
+ foreach $k (sort { $s4{$b} <=> $s4{$a} } keys %s4) {
+
_ = split ":",$k;
+ printf("%-2.2f %-4d %-32s\n",$s4{$k}/$total*100,$s4{$k},$_[0]);
+ }
}
}
+
+# print the footer (needed for html)
+sub print_footer {
+ if($opt_h) {
+ print "</body>\n</html>\n";
+ } else {
+ }
+}
+
#
# resolve host name and cache it
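Review bot: print_footer carries an empty `} else { }` branch; a postfix conditional says the same thing without the dead block: `print "</body>\n</html>\n" if $opt_h;`. The footer closes the document that print_head opens in HTML mode, but in that mode print_head also drops the `Subject:` line, so the documented crontab-to-sendmail usage would emit a bare HTML body with no mail headers; if HTML reports are meant to be mailed, print_head should presumably emit `Subject: snort daily report\nContent-Type: text/html\n\n` before `<html>` — worth confirming the intended delivery path.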