#!/usr/bin/perl # # $Id: snort_stat.pl,v 1.3 2000/11/17 05:28:20 jpickel Exp $ # $Revision: 1.3 $ # # snort_stat.pl is a perl script trying to generate statistical data from every # day snort log file. # # USAGE: cat <snort_log> | snort_stat.pl -r -f -a -h -p -n # -r: resolve IP address to domain name # -f: use fixed rather than variable width columns # -a: snort alert format # -h: produce html output # -p: portscan log (in syslog now) # -n: anomsensor log (in syslog) # # or put it in the root's crontab file: #59 10 * * * root cat /var/log/authlog | /etc/snort_stat.pl | sendmail root # # $Author: jpickel $ # Yen-Ming Chen, <chenym@ALUMNI.CMU.EDU> # $Date: 2000/11/17 05:28:20 $ # # Angelos Karageorgiou, <angelos@unix.gr> # contributed the DNS resolve and cache # # Andrew R. Baker <andrewb@uab.edu> # 2000.03.06 - modifications to read snort alert file # - added html output option # # Paul Bobby, <paul.bobby@lmco.com> # 03/13/2000 added scan for portscan detection in logs # # Ned Patterson, <jpatter@alum.mit.edu> # 4/26/2000 - correctly parse "last message repeated" syslog messages # - variable column widths for text output # # Ryan Jian-Da Li, <jdli@freebsd.csie.nctu.edu.tw> # 6/07/2000 - fix the problem of portscan() (add my %s5) # - fix the problem of signature matching # for the case ' IDS154 - PING CyberKit 2.2 Windows' # - enhance portscan(), add port counts # use Getopt::Std; # use Getopt for options use Socket; # use socket for resolving domain name from IP use vars qw($opt_r $opt_f $opt_a $opt_h $opt_p $opt_n); %HOSTS = (); # Hash for IP <-> domain name mapping getopts('rfahnp') || die "Could not getopts"; # get options in command line $saddr_len = 15; $daddr_len = 15; $timeout = 3; # for name resolver # process whatever comes in while (<>) { if ($opt_a) { # process data from a snort alert file chomp(); # if the line is blank, go to the next one if ( $_ eq "" ) { next; } # is this line an alert message unless ( $_ =~ /^\[\*\*\]/ ) { # comment out this line to avoid some warning # print STDERR "Warning, file may be corrupt.\n"; next; } $a = <>; chomp($a); unless ( $a eq "" ) { # strip off the [**] from either end. s/(\s)*\[\*\*\](\s)*//g; } else { print STDERR "Warning, file may be incomplete\n"; next; } $sig = $_; $a =~ m/^(\d+)\/(\d+)\-(\d+)\:(\d+)\:(\d+)\.(\d+)\s ([\d\.]+)[\:]*([\d]*)\s[\-\>]+\s([\d\.]+)[\:]*([\d]*)/ox; $month = $1; $day = $2; $hour = $3; $minute = $4; $second = $5; $saddr = $7; $host = "localhost"; $sport = $9; $daddr = $9; $dport = $10; } else { # If this is a snort log in syslog if ($_ =~ m/^(\w{3}) \s+ (\d+) \s (\d+) \: (\d+) \: (\d+)\s ([\w+\.]*)\s[\w+\/\[\d+\]]*:\s ([^:]+):\s ([\d\.]+)[\:]? ([\d]*)\s[\-\>]+\s ([\d\.]+)[\:]? ([\d]*)/ox) { $month = $1; $day = $2; $hour = $3; $minute = $4; $second = $5; $host = $6; $sig = $7; $saddr = $8; $sport = $9; $daddr = $10; $dport = $11; } elsif ($_ =~ m/^(\w{3})\s+(\d+)\s(\d+)\:(\d+)\:(\d+)\s ([\w+\.]*)\s[\w+\/\[\d+\]]*: \sspp_portscan\:\sPORTSCAN\sDETECTED\sfrom\s([\d\.]+)/ox) { if ($opt_r) { $psaddr = resolve($7); } else { $psaddr = ($7); } push @res , [$psaddr]; push @rescnt , [$psaddr,$8]; # Not used elsewhere. Prob not needed. (Need to find out!) # $tot++; next; } elsif ($_ =~ m/^(\w{3})\s+(\d+)\s(\d+)\:(\d+)\:(\d+)\s ([\w+\.]*)\s[\w+\/\[\d+\]]*\: \sspp_anomsensor\:\sAnomaly\sthreshold\sexceeded\:\s([\d\.]+)\: \s([\d\.]+)\:([\d]+)\s[\-\>]+\s([\d\.]+)\:([\d]+)/ox) { if ($opt_r) { $asaddr = resolve($8); $adaddr = resolve($10); } else { $asaddr = ($8); $adaddr = ($10); } $threshold = $7; $sport = $9; $dport = $11; push @anores , [$threshold,$asaddr,$sport,$adaddr,$dport]; next; } # If a snort message has been repeated several times elsif ($lastwassnort && $_ =~ m/last message repeated (\d+) times/) { # put the data in the matrix again for each repeat $repeats = $1; while ($repeats) { push @result, $result[-1]; $repeats--; } next; } else { $lastwassnort = 0; next; } # Message not related to snort } # if the resolve switch is on if ($opt_r) { $saddr = resolve($saddr); unless ($opt_f) { if ( length($saddr) > $saddr_len ) { $saddr_len = length($saddr); } } $daddr = resolve($daddr); unless ($opt_f) { if ( length($daddr) > $daddr_len ) { $daddr_len = length($daddr); } } } # put those data into a big matrix push @result ,[$month,$day,$hour,$minute,$second, $host,$sig,$saddr,$sport,$daddr,$dport]; $lastwassnort = 1; } # end of snort log # begin statistics # I should've used $#result + 1 as $total in the first version! :( $total = $#result + 1; for $i ( 0 .. $#result ) { # for the same pair of attacker and victim with same sig # to see the attack pattern # used in same_attack() $s0{"$result[$i]->[9]:$result[$i]->[7]:$result[$i]->[6]"}++; # for the same pair of attacker and victim # to see how many ways are being tried # used in same_host_dest() $s1{"$result[$i]->[7]:$result[$i]->[9]"}++; # from same host use same method to attack # to see how many attacks launched from one host # used in same_host_sig() $s2{"$result[$i]->[6]:$result[$i]->[7]"}++; # to same victim with same method # to see how many attacks received by one host # used in same_dest_sig_stat() $s3{"$result[$i]->[6]:$result[$i]->[9]"}++; # same signature # to see the popularity of one attack method # used in attack_distribution() $s4{"$result[$i]->[6]"}++; # source ip $s5{"$result[$i]->[7]"}++; # destination ip $s6{"$result[$i]->[9]"}++; } # begin report print_head(); print_summary(); same_attack(); same_host_dest(); same_host_sig(); same_dest_sig_stat(); attack_distribution(); if ($opt_p) { portscan(); } if ($opt_n) { anomsensor(); } print_footer(); # print the header (e.g. for mail) sub print_head { if($opt_h) { print "<html>\n<head>\n"; print "<title>Snort Statistics</title>"; print "</head>\n<body>\n"; print "<h1>Snort Statistics</h1>\n"; } else { print "Subject: snort daily report\n\n"; } } # print the time of begin and end of the log sub print_summary { if($opt_h) { print "<table>\n"; print "<tr><th>The log begins at:</th>\n"; print "<td>$result[0]->[0] $result[0]->[1] $result[0]->[2]:$result[0]->[3]:$result[0]->[4]</td></tr>\n"; print "<tr><th>The log ends at:</th>\n"; print "<td>$result[$#result]->[0] $result[$#result]->[1] $result[$#result]->[2]:$result[$#result]->[3]:$result[$#result]->[4]</td></tr>\n"; print "<tr><th>Total events:</th><td> $total</td></tr>\n"; print "<tr><th>Signatures recorded:</th><td> ". keys(%s4) ."</td></tr>\n"; print "<tr><th>Source IP recorded:</th><td> ". keys(%s5) ."</td></tr>\n"; print "<tr><th>Destination IP recorded:</th><td> ". keys(%s6) ."</td></tr>\n"; print "<tr><th>Anomaly detected:</th><td> ". eval '$#anores + 1'."</td></tr>\n"; print "</table>\n"; print "<hr>\n"; } else { print "The log begins from: $result[0]->[0] $result[0]->[1] $result[0]->[2]:$result[0]->[3]:$result[0]->[4]\n"; print "The log ends at: $result[$#result]->[0] $result[$#result]->[1] $result[$#result]->[2]:$result[$#result]->[3]:$result[$#result]->[4]\n"; print "Total events: $total\n"; print "Signatures recorded: ". keys(%s4) ."\n"; print "Source IP recorded: ". keys(%s5) ."\n"; print "Destination IP recorded: ". keys(%s6) ."\n"; print "Anomaly recorded: ". eval '$#anores +1'."\n"; } } # to see the frequency of the attack from a certain pair of # host and destination sub same_attack { if($opt_h) { print "<h3>The number of attack from same host to same destination using same method</h3>\n"; print "<table>\n"; print "<tr><th># of attacks</th><th>from</th><th>to</th><th>with</th</tr>"; foreach $k (sort { $s0{$b} <=> $s0{$a} } keys %s0) { @_ = split ":",$k; print "<tr><td>$s0{$k}</td><td>$_[1]</td><td>$_[0]</td> <td>$_[2]</td></tr>\n" if $s0{$k} >1; } print "</table><hr>\n"; } else { section_header("The number of attacks from same host to same destination using same method\n", "asdm"); foreach $k (sort { $s0{$b} <=> $s0{$a} } keys %s0) { @_ = split ":",$k; printf(" %-2d %-${saddr_len}s %-${daddr_len}s %-20s\n", $s0{$k},$_[1],$_[0],$_[2]) } } } # to see the percentage and number of attacks from a host to a destination sub same_host_dest { if($opt_h) { print "<h3>Percentage and number of attacks from a host to a destination</h3>\n"; print "<table>\n"; print "<tr><th>%</th><th># of attacks</th><th>from</th><th>to</th></tr>\n"; foreach $k (sort { $s1{$b} <=> $s1{$a} } keys %s1) { @_ = split ":",$k; printf("<tr><td>%-2.2f</td><td>%-2d</td><td>%-20s</td><td>%-20s</td> <td>\n",$s1{$k}/$total*100,$s1{$k},$_[0],$_[1]) if $s1{$k} > 1; } print "</table><hr>\n"; } else { section_header("Percentage and number of attacks from a host to a destination\n", "pasd"); foreach $k (sort { $s1{$b} <=> $s1{$a} } keys %s1) { @_ = split ":",$k; printf("%5.2f %-2d %-${saddr_len}s %-${daddr_len}s\n", $s1{$k}/$total*100, $s1{$k},$_[0],$_[1]) } } } # to see how many attacks launched from one host sub same_host_sig { if ($opt_h) { print "<h3>Percentage and number of attacks from one host to any with same method</h3>\n"; print "<table>\n"; print "<tr><th>%</th><th># of attacks</th><th>from</th><th>type</th></tr>\n"; foreach $k (sort { $s2{$b} <=> $s2{$a} } keys %s2) { @_ = split ":",$k; printf("<tr><td>%-2.2f</td><td>%-4d</td><td>%-20s</td><td>%-28s</td> </tr>\n",$s2{$k}/$total*100,$s2{$k},$_[1],$_[0]) if $s2{$k} > 1; } print "</table><hr>\n"; } else { section_header("Percentage and number of attacks from one host to any with same method\n", "pasm"); foreach $k (sort { $s2{$b} <=> $s2{$a} } keys %s2) { @_ = split ":",$k; printf("%5.2f %-4d %-${saddr_len}s %-28s\n", $s2{$k}/$total*100, $s2{$k},$_[1],$_[0]) } } } # to see how many attacks received by one host (destination correlated) sub same_dest_sig_stat { if ($opt_h) { print "<h3>Percentage and number of attacks to one certain host</h3>\n"; print "<table>\n"; print "<tr><th>%</th><th># of attacks</th><th>to</th><th>type</th></tr>\n"; foreach $k (sort { $s3{$b} <=> $s3{$a} } keys %s3) { @_ = split ":",$k; printf("<tr><td>%-2.2f</td><td>%-4d</td><td>%-25s</td><td>%-28s</td><td>\n",$s3{$k}/$total*100,$s3{$k},$_[1],$_[0]) if $s3{$k} > 1; } print "</table><hr>\n"; } else { section_header("The percentage and number of attacks to one certain host \n", "padm"); foreach $k (sort { $s3{$b} <=> $s3{$a} } keys %s3) { @_ = split ":",$k; printf("%5.2f %-4d %-${daddr_len}s %-28s\n",$s3{$k}/$total*100 , $s3{$k},$_[1],$_[0]); } } } # to see the popularity of one attack method sub attack_distribution { if($opt_h) { print "<h3>The distribution of attack methods</h3>\n"; print "<table>\n"; print "<tr><th>%</th><th># of attacks</th><th>methods</th></tr>\n"; foreach $k (sort { $s4{$b} <=> $s4{$a} } keys %s4) { @_ = split ":",$k; printf("<tr><td>%-2.2f</td><td>%-4d</td><td>%-32s</td></tr>\n", $s4{$k}/$total*100,$s4{$k},$_[0]); } print "</table><hr>\n"; } else { section_header("The distribution of attack methods\n", "pam"); foreach $k (sort { $s4{$b} <=> $s4{$a} } keys %s4) { @_ = split ":",$k; printf("%5.2f %-4d %-32s\n", $s4{$k}/$total*100,$s4{$k},$_[0]); } } } # portscan (if enable -p switch) # Please use '-A fast' to generate the log, so portscan() can process it. # contributed by: Paul Bobby, <paul.bobby@lmco.com> # Jian-Da Li, <jdli@freebsd.csie.nctu.edu.tw> sub portscan { my (%s5, %s6); # to see how many times a host performs portscan # used in portscan() for $i (0 .. $#res) { $s5{"$res[$i]->[0]"}++; } for $i (0 .. $#rescnt) { $s6{"$rescnt[$i]->[0]"} += $rescnt[$i]->[1]; } if($opt_h) { print "<h3> Portscans performed to/from HOME_NET</h3>\n"; print "<table>\n"; print "<tr><th>Scan Attempts</th><th>Source Address</th><th>Number of Ports </th></tr>\n"; foreach $k (sort { $s5{$b} <=> $s5{$a} } keys %s5) { if ($s6{$k}) { print "<tr><td>$s5{$k}</td><td>$k</td><td>$s6{$k}</td></tr>\n"; } else { print "<tr><td>$s5{$k}</td><td>$k</td><td>ERR</td></tr>\n"; } } print "</table>\n"; } else { format PORTSCAN_TOP = Portscans performed to/from HOME_NET ===================================== Times Source Address ===================================== . $~ = PORTSCAN_TOP; write; foreach $k (sort { $s5{$b} <=> $s5{$a} } keys %s5) { printf(" %-4d %-25s\n", $s5{$k},$k); } } } # anomsensor (if enable -n switch) # This function process data generated by spp_anomsensor plug-in (SPADE) # By Yen-Ming Chen <chenym@alumni.cmu.edu> sub anomsensor { my (%s7); # to see how many times a host performs portscan # used in anomsensor() for $i (0 .. $#anores) { $s7{"$anores[$i]->[1],$anores[$i]->[3],$anores[$i]->[4]"}++; } if($opt_h) { print "<h3> Anomaly detected by SPADE</h3>\n"; print "<table>\n"; print "<tr><th>Scan Attempts</th><th>Source Address</th><th>Destination Address</th><th>Destination Ports</th></tr>\n"; foreach $k (sort { $s7{$b} <=> $s7{$a} } keys %s7) { @_ = split(/,/,$k); print "<tr><td>$s7{$k}</td><td>$_[0]</td><td>$_[1]</td><td>$_[2]</td></tr>\n"; } print "</table>\n"; } else { format ANOMSENSOR_TOP = Anomaly detected by SPADE ============================================================================ Attempts Source Address Destinatoin Address Destination Ports ============================================================================ . $~ = ANOMSENSOR_TOP; write; foreach $k (sort { $s7{$b} <=> $s7{$a} } keys %s7) { @_ = split(/,/,$k); printf(" %-4d %-25s %-25s %-6d\n", $s7{$k},$_[0],$_[1],$_[2]); } } } # print the footer (needed for html) sub print_footer { if($opt_h) { print "Generated by <a href=\"http://xanadu.incident.org/snort/\">snort_stat.pl</a>\n"; print "</body>\n</html>\n"; } } # # resolve host name and cache it # contributed by: Angelos Karageorgiou, <angelos@stocktrade.gr> # edited by: $Author: jpickel $ # sub resolve { local ($mname, $miaddr, $mhost = shift); $miaddr = inet_aton($mhost); if (!$HOSTS{$mhost}) { $mname =""; eval { local $SIG{ALRM} = sub {die "alarm\n" }; # NB \n required alarm $timeout; $mname = gethostbyaddr($miaddr, AF_INET); alarm 0; }; die if $@ && $@ ne "alarm\n"; # propagate errors if ($mname =~ /^$/) { $mname = $mhost; } $HOSTS{$mhost} = $mname; } return $HOSTS{$mhost}; } # Use a title and a short code to write the section headers # This is used in place of a FORMAT as this allows variable column widths # contributed by: Ned Patterson, <jpatter@alum.mit.edu> # sub section_header { my $linelength; $title = shift; $_ = shift; print("\n\n$title"); # constant for method length for now $linelength = (/p/?7:0) + (/a/?10:0) + (/s/?$saddr_len:0) + (/d/?$daddr_len+3:0) + (/m/?20:0); print( '=' x $linelength, "\n"); # print("Line length:\t$linelength\t\tHeaders:\t$_\n"); print(" " x 7, " # of\n") if (/pa.*/); print(" # of\n attacks ") if (s/^a([sdm]*)/$1/); print(" % ") if (s/^p([asdm]*)/$1/); print("attacks ") if (s/^a([sdm]*)/$1/); printf("%-${saddr_len}s ", "from") if (s/^s([dm]*)/$1/); printf("%-${daddr_len}s ", "to" ) if (s/^d(m*)/$1/); print("method") if (/^m/); print("\n"); print( '=' x $linelength, "\n"); }