www.pudn.com > ids_snort.zip > snort2html.pl
#!/usr/bin/perl -w
#
# Snort2HTML 1.1 by Dan Swan, March 13, 00.
# Special thanks to Martin Roesch for writing a friendly, kickass NIDS,
# and to Max Vision for the use of his attack signatures database.
#
# Distribute and modify freely, but give credit where credit is due!
#
# If you appreciate this product, and would like to give something back, send
# me the url to your snort logs. The information will be seen by nobody
# but myself, and will not be used for malicious purposes.
#
# INSTALLATION: Place this file in /usr/local/bin. To update webpage regularly,
# paste the following quoted text into /etc/cron.hourly/snortupdate:
# "/usr/local/bin/snort2html", and make sure both files are executable.
#
# Also, snort MUST be run with -s option for this program to work.
#
# WARNING: You should consider placing this file into a password protected directory
# on your web server, or simply not putting a link on your default page.
# After all, do you really want strangers to be able to tell what shows up
# (and what doesn't show up) in your logs?
# TODO: -Display service on Target port
# -More color coding of source port (suggestions welcome!)
# -A cgi wrapper to update page when accessed.
# -Dynamic sorting by clicking on column header.
# -Command line flags to control formatting
# NOTE: I am interested in any suggestions on improving the code, features
# you'd like to see, or tips on making the output more lynx-freindly.
# Please send them to swan_daniel@hotmail.com
#
# CHANGES:
#
# 1.1
# - Changed | to | , fixed perms on outputfile, other minor cosmetic
# changes as suggested by Ralf Hildebrandt.
# - Fixed problem parsing ICMP alerts, optimized code for speed (~10% gain)
# using patch provided by Nico Erfuth.
#
use Socket;
use POSIX qw(strftime);
use Sys::Hostname;
$logfile="/var/log/secure"; # Change this variable to specify different logfile
$hostname=hostname();
$outputfile="/home/httpd/html/snort2html.html"; # HTML file the log will be outputted to
$MASQHOST=0;
$time = strftime "%b %d at %H:%M", localtime;
##############################
# Main #
##############################
&generatehtmlheader; # Call funtion to generate HTML header
open(LOG,"$logfile") || die "Unable to open $logfile";
my @log = ; # Read whole file into big array
close LOG;
chomp @log;
foreach (@log) {
if ( ! /.*snort*/ ) # If it ain't got the word snort in it...
{
next ; # ...get me another line.
}
/(.*\s[1-9]*)(\d+\s)(..:..:..\s)(.*:\s)(.*:\s)(.*\d\s)(.*\s)(.*)/; # Pattern matching against each line read from logfile
# Variables extracted from pattern matching above.
$month=$1;
$day=$2;
$timeofday=$3;
$hour=$3;
$attack=$5;
$sourceip=$6;
$sourceport=$6;
$targetip=$8;
$targetport=$8;
# Get rid of unwanted characters
$attack=~s/://;
$sourceip=~ s/:.*//;
$hour=~ s/:.*//;
if (!($sourceport =~ s/.*://)) {$sourceport = "-N/A-"};
$sourcehost=gethostbyaddr(inet_aton($sourceip), AF_INET);
$targetip=~ s/:.*//;
if (!($targetport =~ s/.*://)) {$targetport = "-N/A-"};
$targethost=gethostbyaddr(inet_aton($targetip), AF_INET);
$searchattack=$attack;
$searchattack=~ s/\s/+/g;
chop $searchattack;
&timecolor;
&generatehtmlbody # Generate body of HTML from data read from snortlog
}
&generatehtmlfooter; # Generate footer of HTML
chmod (0644, $outputfile); # Ensure that output file is world readable
#############################################################
####################Subroutines##############################
#############################################################
sub generatehtmlheader { #Deletes old HTML file, creates new ones, and writes headings.
unlink $outputfile;
open (HTML, ">$outputfile");
print HTML "\n";
print HTML "\n";
print HTML "Hot dog! Jumping frog! Its an html2snort log! \n";
print HTML "\n";
print HTML "\n";
print HTML "Snort log for $hostname\n";
print HTML "\n";
print HTML "\n";
print HTML "| Date | \n";
print HTML "Time | \n";
print HTML "Attack | \n";
print HTML "Source Host | \n";
print HTML "Source Port | \n";
print HTML "Target Host | \n";
print HTML "Target Port | \n";
print HTML " \n";
}
sub timecolor { # Color code time of day according to daytime, evening, and nighttime.
my $result = int($hour/6);
if ($result == 0) {$hourcolor = "#000000"; }
elsif ($result < 3) {$hourcolor = "#EEEE00"; }
else {$hourcolor = "#FFCC00"; };
}
sub generatehtmlbody { # Writes fields to html file.
print HTML "\n";
print HTML "| $month $day | \n";
print HTML "$timeofday | \n";
print HTML " \;$attack | \n";
print HTML " \;", $sourcehost || $sourceip, " | \n";
if (($sourceport ne "-N/A-") && ($sourceport>61000) && ($sourceport<65096)) {
$sourceportcolor="#006600";
$MASQHOST=1;
}
else {$sourceportcolor="#000000";}
print HTML " \;$sourceport | \n";
print HTML " \;", $targethost || $targetip, " | \n";
print HTML " \;$targetport | \n";
print HTML " \n";
}
sub generatehtmlfooter { # Writes end of HTML tags, and closes filehandle.
print HTML " \n";
if ( $MASQHOST ne "0" ) # Need to include masqsourceport explanation at end??
{
print HTML "| DS |
=Possible masquerading host. |
\n";
}
print HTML "
\n";
print HTML "This page generated from snort
logs on $time using snort2html by Dan Swan.
\n";
print HTML "\n";
print HTML "\n";
close (HTML);
}
|