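#!/usr/bin/perl
#
# Filename: snort-sort
# Author:   Andrew R. Baker
# Modified: 2000.03.06
# Purpose:  this script produces a sorted list of snort alerts
#           from a snort alert file
# Version:  0.02
#
# let me know if you like this and use it -Andrew
#
# Todo:   1) Allow processing of snort alerts from syslog
#         2) Make html output optional
#
# Change History:
#
#   2000.03.07  reverse DNS lookup
#                 derived from snort_stat.pl
#                 and code donated by Adam Olson
#               whois link option
#                 derived from code donated by Adam Olson
#
#   2000.03.06  Original script
#
#
# Options:
#   -r  do reverse DNS lookups (this can slow things down)
#   -h  produce html output (hardwired)
#   -w  include links to do whois queries on IP addresses
#       (implies -h)
#
# NOTE(review): this listing was recovered from a page that stripped every
# HTML tag, so the markup that used to live inside the print statements
# (html/head/title/body, the per-alert anchors and the whois <a href>
# wrappers built from $whois_href) is missing and has to be restored from
# the original snort-sort.pl.  The string literals are reproduced as they
# survived; only the code around them has been repaired.

use strict;
use warnings;
use Getopt::Std;
use Socket;

# Address -> name cache used by resolve(); declared before the sub so the
# lexical is in scope when the sub is compiled.
my %HOSTS;

# Escape the characters that matter inside HTML text and attribute values.
# The alert message and the address fields come straight from the alert
# file, i.e. from captured packets, so a crafted payload could otherwise
# inject markup into the report.  Returns '' for undef.
sub html_escape {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}

# Usage check runs on the raw argument list, before getopts() has removed
# the option switches (as in the original).
unless (defined $ARGV[0] and length $ARGV[0]) {
    print STDERR "USAGE: snort-sort \n";
    exit;
}

my %opts;
getopts('rhw', \%opts);
$opts{h} = 1;               # html output is hardwired (see -h above)
$opts{h} = 1 if $opts{w};   # whois links only exist in html output

# set the whois query href
my $whois_href = "http://www.arin.net/cgi-bin/whois.pl?queryinput=";

# Three-argument open: the argument is taken literally as a file name, so a
# leading/trailing '|' or a bare '-' cannot turn this into a pipe or STDIN.
open(my $infile, '<', $ARGV[0]) or die "Unable to open file $ARGV[0]\n";

if ($opts{h}) {
    print "\n";
    print "\n";
    print " Sorted Snort Alerts \n";
    print "\n";
    print "\n";
    print "Sorted Snort Alerts\n";
}
else {
    #plain old text output goes here
}

# The alert file is read in pairs of lines: an "[**] message [**]" header
# followed by a "date src -> dest" detail line.  %alerts maps the stripped
# message to the list of its detail lines.
my %alerts;
while (my $line = <$infile>) {
    chomp $line;

    # if the line is blank, go to the next one
    next if $line eq '';

    # is this line an alert message
    unless ($line =~ /^\[\*\*\]/) {
        print STDERR "Warning, file may be corrupt.\n";
        next;
    }

    my $detail = <$infile>;
    chomp $detail if defined $detail;

    # a header with no detail line (EOF or a blank) is a truncated file
    if (defined $detail and $detail ne '') {
        # strip off the [**] from either end.
        $line =~ s/(\s)*\[\*\*\](\s)*//g;
        push @{ $alerts{$line} }, $detail;
    }
    else {
        print STDERR "Warning, file may be incomplete\n";
    }
}
# the original closed a handle called LOG that was never opened
close($infile);

if ($opts{h}) {
    # print out the relative html links to each entry
    # ($anchor is the whitespace-free form of the message meant for the
    # href="#..." that was stripped from the listing)
    foreach my $key (sort keys %alerts) {
        my $anchor = html_escape($key);
        $anchor =~ s/ /_/g;
        print html_escape($key), "\n";
    }
}

# keys are sorted so the report order is stable from run to run
foreach my $key (sort keys %alerts) {
    my $anchor = html_escape($key);
    $anchor =~ s/ /_/g;

    if ($opts{h}) {
        print "\n";
        print html_escape($key), "\n";
        print "\n";
    }
    else {
        #plain text output goes here
    }

    foreach my $entry (@{ $alerts{$key} }) {
        # "date src -> dest"; missing fields default to '' so a short or
        # malformed detail line prints blanks instead of warning
        my ($datentime, $src, $arrow, $dest) = split(' ', $entry);
        $_ = '' for grep { !defined } ($datentime, $src, $arrow, $dest);
        my ($saddr, $sport) = split(/:/, $src);
        my ($daddr, $dport) = split(/:/, $dest);
        $_ = '' for grep { !defined } ($saddr, $sport, $daddr, $dport);

        # reverse DNS lookups
        my ($shost, $dhost);
        if ($opts{r}) {
            $shost = resolve($saddr);
            $dhost = resolve($daddr);
        }
        else {
            $shost = $saddr;
            $dhost = $daddr;
        }

        if ($opts{w}) {
            # if saddr did not resolve (or we did not try to resolve it)
            # (the <a href="$whois_href...">...</a> wrapper was lost; the
            # surviving assignment is a no-op kept for the restorer)
            if ($shost eq $saddr) {
                $shost = "$saddr";
            }
            # same thing for daddr
            if ($dhost eq $daddr) {
                $dhost = "$daddr";
            }
        }

        if ($opts{h}) {
            print html_escape("$datentime $shost:$sport $arrow $dhost:$dport"), "\n";
        }
        else {
            #plain text output goes here
        }
    }

    if ($opts{h}) {
        print "\n";
    }
    else {
        #plain text output goes here
    }
}

if ($opts{h}) {
    print "\n";
}
else {
    #plain text output goes here
}

#
# the following code was taken from snort_stat.pl
#
# resolve host name and cache it
# contributed by: Angelos Karageorgiou
# edited by: $Author: roesch $
#
# resolve($addr): reverse-look up a dotted-quad address and return the
# host name, or the address itself when there is no PTR record or the
# address does not parse.  Results are cached in %HOSTS per address.
sub resolve {
    my ($mhost) = @_;
    # print "$mhost\n";
    if (!$HOSTS{$mhost}) {
        my $miaddr = inet_aton($mhost);
        # inet_aton returns undef for an unparsable address; do not hand
        # that to gethostbyaddr
        my $mname = defined $miaddr ? gethostbyaddr($miaddr, AF_INET) : undef;
        if (!defined $mname or $mname eq '') {
            $mname = $mhost;
        }
        $HOSTS{$mhost} = $mname;
    }
    return $HOSTS{$mhost};
}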