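print "<tr><th># of attacks</th><th>from</th><th>to</th><th>with</th</tr>";
# NOTE(review): the head of this sub is not in view, so its body is left as
# found: '</th</tr>' is missing a '>' and the cells are not HTML-escaped.
foreach $k (sort { $s0{$b} <=> $s0{$a} } keys %s0) {
    @_ = split ":",$k;
    print "<tr><td>$s0{$k}</td><td>$_[1]</td><td>$_[0]</td> <td>$_[2]</td></tr>\n" if $s0{$k} >1;
}
print "</table><hr>\n";
} else {
    section_header("The number of attacks from same host to same\ndestination using same method\n", "asdm");
    foreach $k (sort { $s0{$b} <=> $s0{$a} } keys %s0) {
        @_ = split ":",$k;
        printf(" %-2d %-${saddr_len}s %-${daddr_len}s %-20s\n", $s0{$k},$_[1],$_[0],$_[2])
    }
}
}

#
# Escape the HTML-significant characters in one table cell.
#
# Everything printed into the -h report comes out of the alert log: addresses,
# signature text and (when the caller resolved them) reverse-DNS names, and a
# PTR record is chosen by whoever owns the remote address block.  None of that
# may be allowed to inject markup into the report.  undef renders as "".
#
sub _html_escape {
    my $text = shift;
    return '' unless defined $text;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}

#
# Percentage and number of attacks from one host to one destination.
#
# Reads the globals %s1 (built elsewhere; the split order below implies the
# key is "source:destination"), $total (the divisor for the percentage) and
# $opt_h (HTML vs. text output).  Prints to the selected output handle.
# In HTML mode only pairs seen more than once are listed; text mode lists all.
#
sub same_host_dest {
    if ($opt_h) {
        print "<h3>Percentage and number of attacks from a host to a destination</h3>\n";
        print "<table>\n";
        print "<tr><th>%</th><th># of attacks</th><th>from</th><th>to</th></tr>\n";
        foreach my $key (sort { $s1{$b} <=> $s1{$a} } keys %s1) {
            next unless $s1{$key} > 1;
            my ($src, $dst) = split /:/, $key;
            # Closing </tr> here used to be a stray "<td>", leaving every row open.
            printf("<tr><td>%-2.2f</td><td>%-2d</td><td>%-20s</td><td>%-20s</td></tr>\n",
                   $s1{$key} / $total * 100, $s1{$key},
                   _html_escape($src), _html_escape($dst));
        }
        print "</table><hr>\n";
    }
    else {
        section_header("Percentage and number of attacks from a host to a\ndestination\n", "pasd");
        foreach my $key (sort { $s1{$b} <=> $s1{$a} } keys %s1) {
            my ($src, $dst) = split /:/, $key;
            printf("%5.2f %-2d %-${saddr_len}s %-${daddr_len}s\n",
                   $s1{$key} / $total * 100, $s1{$key}, $src, $dst);
        }
    }
}

#
# Percentage and number of attacks launched from one host with one method.
#
# Reads %s2 (key order implied by the split below: "signature:source"),
# $total and $opt_h.  A signature text containing ':' would be cut at the
# first colon here, as it was in the original -- TODO confirm the key format
# where %s2 is built.
#
sub same_host_sig {
    if ($opt_h) {
        print "<h3>Percentage and number of attacks from one host to any with same method</h3>\n";
        print "<table>\n";
        print "<tr><th>%</th><th># of attacks</th><th>from</th><th>type</th></tr>\n";
        foreach my $key (sort { $s2{$b} <=> $s2{$a} } keys %s2) {
            next unless $s2{$key} > 1;
            my ($sig, $src) = split /:/, $key;
            printf("<tr><td>%-2.2f</td><td>%-4d</td><td>%-20s</td><td>%-28s</td> </tr>\n",
                   $s2{$key} / $total * 100, $s2{$key},
                   _html_escape($src), _html_escape($sig));
        }
        print "</table><hr>\n";
    }
    else {
        section_header("Percentage and number of attacks from one host to any\nwith same method\n", "pasm");
        foreach my $key (sort { $s2{$b} <=> $s2{$a} } keys %s2) {
            my ($sig, $src) = split /:/, $key;
            printf("%5.2f %-4d %-${saddr_len}s %-28s\n",
                   $s2{$key} / $total * 100, $s2{$key}, $src, $sig);
        }
    }
}

#
# Percentage and number of attacks received by one destination with one method.
#
# Reads %s3 (key order implied by the split below: "signature:destination"),
# $total and $opt_h.
#
sub same_dest_sig_stat {
    if ($opt_h) {
        print "<h3>Percentage and number of attacks to one certain host</h3>\n";
        print "<table>\n";
        print "<tr><th>%</th><th># of attacks</th><th>to</th><th>type</th></tr>\n";
        foreach my $key (sort { $s3{$b} <=> $s3{$a} } keys %s3) {
            next unless $s3{$key} > 1;
            my ($sig, $dst) = split /:/, $key;
            # Closing </tr> here used to be a stray "<td>", leaving every row open.
            printf("<tr><td>%-2.2f</td><td>%-4d</td><td>%-25s</td><td>%-28s</td></tr>\n",
                   $s3{$key} / $total * 100, $s3{$key},
                   _html_escape($dst), _html_escape($sig));
        }
        print "</table><hr>\n";
    }
    else {
        section_header("The percentage and number of attacks to one certain host \n", "padm");
        foreach my $key (sort { $s3{$b} <=> $s3{$a} } keys %s3) {
            my ($sig, $dst) = split /:/, $key;
            printf("%5.2f %-4d %-${daddr_len}s %-28s\n",
                   $s3{$key} / $total * 100, $s3{$key}, $dst, $sig);
        }
    }
}

#
# Popularity of each attack method.
#
# Reads %s4 (key: the signature text, cut at the first ':' as before -- TODO
# confirm whether a signature may contain one), $total and $opt_h.
# Unlike the three subs above, every method is listed in both output modes.
#
sub attack_distribution {
    if ($opt_h) {
        print "<h3>The distribution of attack methods</h3>\n";
        print "<table>\n";
        print "<tr><th>%</th><th># of attacks</th><th>methods</th></tr>\n";
        foreach my $key (sort { $s4{$b} <=> $s4{$a} } keys %s4) {
            my ($sig) = split /:/, $key;
            printf("<tr><td>%-2.2f</td><td>%-4d</td><td>%-32s</td></tr>\n",
                   $s4{$key} / $total * 100, $s4{$key}, _html_escape($sig));
        }
        print "</table><hr>\n";
    }
    else {
        section_header("The distribution of attack methods\n", "pam");
        foreach my $key (sort { $s4{$b} <=> $s4{$a} } keys %s4) {
            my ($sig) = split /:/, $key;
            printf("%5.2f %-4d %-32s\n", $s4{$key} / $total * 100, $s4{$key}, $sig);
        }
    }
}

# portscan (if enable -p switch)
# Please use '-A fast' to generate the log, so portscan() can process it.
# contributed by: Paul Bobby, <paul.bobby@lmco.com>
#                 Jian-Da Li, <jdli@freebsd.csie.nctu.edu.tw>
#
# Reads the globals @res (one record per portscan alert; only element [0],
# the source address, is used here) and @rescnt (records whose [0] is the
# source and [1] a port count to be summed per source).  Sources that have
# scan records but no port total (or a total of zero) show "ERR" in HTML mode.
#
sub portscan {
    my (%scan_count, %port_count);
    for my $rec (@res) {
        $scan_count{ $rec->[0] }++;
    }
    for my $rec (@rescnt) {
        $port_count{ $rec->[0] } += $rec->[1];
    }
    if ($opt_h) {
        print "<h3> Portscans performed to/from HOME_NET</h3>\n";
        print "<table>\n";
        print "<tr><th>Scan Attempts</th><th>Source Address</th><th>Number of Ports</th></tr>\n";
        foreach my $src (sort { $scan_count{$b} <=> $scan_count{$a} } keys %scan_count) {
            my $cell = _html_escape($src);
            if ($port_count{$src}) {
                print "<tr><td>$scan_count{$src}</td><td>$cell</td><td>$port_count{$src}</td></tr>\n";
            }
            else {
                print "<tr><td>$scan_count{$src}</td><td>$cell</td><td>ERR</td></tr>\n";
            }
        }
        print "</table>\n";
    }
    else {
        # Plain prints instead of a format/write pair: the old code left
        # STDOUT's $~ pointing at its format, and the heading has no fields.
        print "Portscans performed to/from HOME_NET\n",
              "=====================================\n",
              "Times Source Address\n",
              "=====================================\n";
        foreach my $src (sort { $scan_count{$b} <=> $scan_count{$a} } keys %scan_count) {
            printf(" %-4d %-25s\n", $scan_count{$src}, $src);
        }
    }
}

# anomsensor (if enable -n switch)
# This function process data generated by spp_anomsensor plug-in (SPADE)
# By Yen-Ming Chen <chenym@alumni.cmu.edu>
#
# Reads the global @anores; of each record only [1] (source), [3]
# (destination) and [4] (destination ports) are used, counted per distinct
# triple.  In text mode the ports column is printed with %d, so a
# non-numeric value there would show as 0 -- TODO confirm what the parser
# stores in [4].
#
sub anomsensor {
    my %hits;
    for my $rec (@anores) {
        $hits{ join(',', $rec->[1], $rec->[3], $rec->[4]) }++;
    }
    if ($opt_h) {
        print "<h3> Anomaly detected by SPADE</h3>\n";
        print "<table>\n";
        print "<tr><th>Scan Attempts</th><th>Source Address</th><th>Destination Address</th><th>Destination Ports</th></tr>\n";
        foreach my $key (sort { $hits{$b} <=> $hits{$a} } keys %hits) {
            my ($src, $dst, $ports) = map { _html_escape($_) } split(/,/, $key);
            print "<tr><td>$hits{$key}</td><td>$src</td><td>$dst</td><td>$ports</td></tr>\n";
        }
        print "</table>\n";
    }
    else {
        # Plain prints instead of format/write (see portscan()); also fixes
        # the "Destinatoin" typo in the column heading.
        print "Anomaly detected by SPADE\n",
              "============================================================================\n",
              "Attempts Source Address Destination Address Destination Ports\n",
              "============================================================================\n";
        foreach my $key (sort { $hits{$b} <=> $hits{$a} } keys %hits) {
            my ($src, $dst, $ports) = split(/,/, $key);
            printf(" %-4d %-25s %-25s %-6d\n", $hits{$key}, $src, $dst, $ports);
        }
    }
}

# print the footer (needed for html)
# Prints nothing unless $opt_h is set.
sub print_footer {
    return unless $opt_h;
    print "Generated by <a href=\"http://xanadu.incident.org/snort/\">snort_stat.pl</a>\n";
    print "</body>\n</html>\n";
}

#
# resolve host name and cache it
# contributed by: Angelos Karageorgiou, <angelos@stocktrade.gr>
# edited by: $Author: jpickel $
#
# Returns the reverse-DNS name of $mhost, or $mhost itself when the lookup
# fails, times out, or $mhost is not a valid address.  Results are cached in
# the global %HOSTS; the lookup is bounded by alarm($timeout), a global set
# elsewhere (alarm(0) -- i.e. an unset $timeout -- means no bound).
#
# The returned name is a PTR record under the control of whoever owns the
# address, so treat it as untrusted text (see _html_escape()).
#
sub resolve {
    my $mhost = shift;
    return $HOSTS{$mhost} if $HOSTS{$mhost};

    my $mname = "";
    eval {
        local $SIG{ALRM} = sub { die "alarm\n" };    # NB \n required
        alarm $timeout;
        # inet_aton() is inside the alarm window too, since it may itself
        # consult DNS for non-dotted input; a failed parse skips the lookup.
        my $miaddr = inet_aton($mhost);
        $mname = gethostbyaddr($miaddr, AF_INET) if defined $miaddr;
        alarm 0;
    };
    alarm 0;    # never leave a pending alarm behind on an error path
    die if $@ && $@ ne "alarm\n";    # propagate errors other than the timeout

    $mname = $mhost unless defined $mname && length $mname;
    $HOSTS{$mhost} = $mname;
    return $HOSTS{$mhost};
}

#
# Use a title and a short code to write the section headers
# This is used in place of a FORMAT as this allows variable column widths
# contributed by: Ned Patterson, <jpatter@alum.mit.edu>
#
# $title is printed verbatim after two blank lines.  $code is a string of
# column letters in output order -- p (percent), a (attack count), s (source,
# $saddr_len wide), d (destination, $daddr_len wide), m (method) -- and is
# consumed left to right by the substitutions below, which is why their order
# matters.  Works on a private copy now instead of the caller's $_.
#
sub section_header {
    my $title = shift;
    my $code  = shift;

    print("\n\n$title");
    # constant for method length for now
    my $linelength = ($code =~ /p/ ? 7 : 0)
                   + ($code =~ /a/ ? 10 : 0)
                   + ($code =~ /s/ ? $saddr_len : 0)
                   + ($code =~ /d/ ? $daddr_len + 3 : 0)
                   + ($code =~ /m/ ? 20 : 0);
    print('=' x $linelength, "\n");
    # print("Line length:\t$linelength\t\tHeaders:\t$code\n");
    print(" " x 7, " # of\n")       if ($code =~ /pa.*/);
    print(" # of\n attacks ")       if ($code =~ s/^a([sdm]*)/$1/);
    print(" % ")                    if ($code =~ s/^p([asdm]*)/$1/);
    print("attacks ")               if ($code =~ s/^a([sdm]*)/$1/);
    printf("%-${saddr_len}s ", "from") if ($code =~ s/^s([dm]*)/$1/);
    printf("%-${daddr_len}s ", "to")   if ($code =~ s/^d(m*)/$1/);
    print("method")                 if ($code =~ /^m/);
    print("\n");
    print('=' x $linelength, "\n");
}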