
📄 snort2html.pl

Description: this software is a well-known network-based intrusion detection system.
Language: Perl
#!/usr/bin/perl -w

#  Snort2HTML 1.0 by Dan Swan, January 28, 00.
#  Special thanks to Martin Roesch for writing a friendly, kickass NIDS, 
#  and to Max Vision for the use of his attack signatures database.

#  Distribute and modify freely, but give credit where credit is due!

#  INSTALLATION:  Place this file in /usr/local/bin.  To update the webpage regularly, 
#                 paste the following quoted text into /etc/cron.hourly/snortupdate:  
#                 "/usr/local/bin/snort2html", and make sure both files are executable.

#  WARNING:  You should consider placing this file into a password protected directory 
#            on your web server, or simply not putting a link on your default page.    
#            After all, do you really want strangers to be able to tell what shows up 
#            (and what doesn't show up) in your logs?

#  TODO:  -Display service on Target port 
#         -More color coding of source port (suggestions welcome!)
#         -A cgi wrapper to update page when accessed.
#         -Dynamic sorting by clicking on column header.
#         -Command line flags to control formatting

#  Note:  I am interested in any suggestions on improving the code, features 
#         you'd like to see, or tips on making the output more lynx-friendly.    
#         Please send them to swan_daniel@hotmail.com

use strict;
use Socket;
use POSIX qw(strftime);
use Sys::Hostname;

# Globals shared between the main loop and the subroutines below.
our ($month, $day, $timeofday, $hour, $attack, $sourceip, $sourceport, $targetip, $targetport);
our ($sourcehost, $targethost, $searchattack, $hourcolor, $sourceportcolor);

our $logfile    = "/var/log/secure";   # Change this variable to specify a different logfile
our $hostname   = hostname();
our $outputfile = "/home/httpd/html/snort2html.html";  # HTML file the log will be written to
our $MASQHOST   = 0;                   # Set to 1 once a masqueraded source port is seen
our $time       = strftime "%b %d at %H:%M", localtime;

##############################
#          Main              #
##############################

&generatehtmlheader;          # Call function to generate HTML header

open(LOG, "<", $logfile) or die "Unable to open $logfile: $!\n";

while (<LOG>) {
    chomp;
    next unless /snort/;      # If it ain't got the word snort in it, get me another line.

    # Pattern matching against each line read from the logfile.  Assumed
    # Snort 1.x syslog layout (ICMP alerts carry no ports, so ":port" is optional):
    #   Jan 28 12:34:56 host snort[1234]: IDS128 - WEB-CGI phf: 10.0.0.1:2345 -> 10.0.0.2:80
    # A line that does not match is skipped instead of silently reusing the
    # previous line's $1..$8 values.
    next unless /^(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)\s+\S+\s+snort(?:\[\d+\])?:\s+(.*):\s+(\d+\.\d+\.\d+\.\d+)(?::(\d+))?\s+->\s+(\d+\.\d+\.\d+\.\d+)(?::(\d+))?\s*$/;

    # Variables extracted from pattern matching above.
    $month      = $1;
    $day        = $2;
    $timeofday  = $3;
    $attack     = $4;
    $sourceip   = $5;
    $sourceport = defined $6 ? $6 : "";
    $targetip   = $7;
    $targetport = defined $8 ? $8 : "";
    ($hour)     = $timeofday =~ /^(\d\d)/;   # Hour of day, used for colour coding

    # Reverse DNS.  inet_aton() returns undef for a malformed address, so guard it
    # rather than passing undef to gethostbyaddr().
    my $packed;
    $packed     = inet_aton($sourceip);
    $sourcehost = $packed ? gethostbyaddr($packed, AF_INET) : undef;
    $packed     = inet_aton($targetip);
    $targethost = $packed ? gethostbyaddr($packed, AF_INET) : undef;

    $searchattack = $attack;
    $searchattack =~ s/\s/+/g;   # Spaces become "+" in the whitehats search URL

    &timecolor;
    &generatehtmlbody;           # Generate body of HTML from data read from snortlog
}

close(LOG);
&generatehtmlfooter;   # Generate footer of HTML

#############################################################
####################Subroutines##############################
#############################################################

sub generatehtmlheader {   # Deletes old HTML file, creates a new one, and writes headings.
    unlink $outputfile;
    open(HTML, ">", $outputfile) or die "Unable to write $outputfile: $!\n";
    print HTML "<HTML>\n";
    print HTML "<HEAD>\n";
    print HTML "<TITLE>Hot dog!  Jumping frog!  It's a snort2html log!</TITLE>\n";
    print HTML "</HEAD>\n";
    print HTML "<BODY BGCOLOR=\"#AAAAAA\">\n";
    print HTML "<TABLE width=1024 border=0>\n";
    print HTML "<TR><TD><H1 align=center>Snort log for $hostname</H1></TD></TR>\n";
    print HTML "</TABLE>\n";
    print HTML "<TABLE cellpadding=1 border width=1024>\n";
    print HTML "<TR>\n";
    print HTML "<TD><B>Date</B></TD>\n";
    print HTML "<TD><B>Time</B></TD>\n";
    print HTML "<TD><B>Attack</B></TD>\n";
    print HTML "<TD><B>Source Host</B></TD>\n";
    print HTML "<TD><B>Source Port</B></TD>\n";
    print HTML "<TD><B>Target Host</B></TD>\n";
    print HTML "<TD><B>Target Port</B></TD>\n";
    print HTML "</TR>\n";
}

sub timecolor {  # Colour the time column by hour of day: night, day, evening.
    if    ($hour < 6)  { $hourcolor = "#000000"; }   # 00:00 - 05:59
    elsif ($hour < 18) { $hourcolor = "#EEEE00"; }   # 06:00 - 17:59
    else               { $hourcolor = "#FFCC00"; }   # 18:00 - 23:59
}

sub html_escape {    # Escape log- and DNS-derived text before it lands in the page.
    my $s = shift;   # Attack names come from the log and host names from attacker-
    $s =~ s/&/&amp;/g;   # controlled PTR records, so neither may be written out raw.
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

sub url_encode {     # Percent-encode a value for a query string ("+" is kept for spaces).
    my $s = shift;
    $s =~ s/([^A-Za-z0-9_.~+-])/sprintf("%%%02X", ord($1))/ge;
    return $s;
}

sub generatehtmlbody {      #   Writes one table row of fields to the html file.
    my $attack_html = html_escape($attack);
    my $source_html = html_escape($sourcehost || $sourceip);
    my $target_html = html_escape($targethost || $targetip);
    my $search_url  = "http://dev.whitehats.com/cgi/test/new.pl/Search?search=" . url_encode($searchattack);
    my $whois_url   = "http://www.arin.net/cgi-bin/whois.pl?queryinput=$sourceip&amp;B1=Submit";

    # Linux 2.2 (ipchains) masquerading rewrites source ports into 61000-65095, so a
    # hit from that range probably came through a masquerading gateway, not the real host.
    if ($sourceport ne "" && $sourceport >= 61000 && $sourceport <= 65095) {
        $sourceportcolor = "#00BB00";
        $MASQHOST = 1;
    } else {
        $sourceportcolor = "#000000";
    }

    print HTML "<TR>\n";
    print HTML "<TD><B>$month $day</B></TD>\n";
    print HTML "<TD><B><FONT COLOR=\"$hourcolor\">$timeofday</FONT></B></TD>\n";
    print HTML "<TD>&nbsp;<A HREF=\"$search_url\">$attack_html</A></TD>\n";
    print HTML "<TD>&nbsp;<A HREF=\"$whois_url\">$source_html</A></TD>\n";
    print HTML "<TD>&nbsp;<FONT COLOR=\"$sourceportcolor\">$sourceport</FONT></TD>\n";
    print HTML "<TD>&nbsp;$target_html</TD>\n";
    print HTML "<TD>&nbsp;$targetport</TD>\n";
    print HTML "</TR>\n";
}

sub generatehtmlfooter {  # Writes end of HTML tags, and closes filehandle.
    print HTML "</TABLE>\n";
    if ($MASQHOST) {      # Explain the green source ports only if one was seen
        print HTML "<TABLE border=0><TR><TD WIDTH=4 ALIGN=left VALIGN=top BGCOLOR=\"#00BB00\"><FONT COLOR=\"#00BB00\">DS</FONT></TD>\n";
        print HTML "<TD ALIGN=left>= Possible linux masquerading host.</TD></TR></TABLE>\n";
    }
    print HTML "<BR><HR>\n";
    print HTML "This page generated from <A HREF=\"http://www.clark.net/~roesch/security.html\">snort</A>\n";
    print HTML "logs on $time using snort2html by <A HREF=\"mailto:swan_daniel\@hotmail.com\">Dan Swan</A>.<BR>\n";
    print HTML "</BODY>\n";
    print HTML "</HTML>\n";
    close(HTML);
}
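The two things the script does that are easy to get wrong are the line parsing (the syslog prefix, the signature text, and an ICMP alert that has no ports) and the fact that everything it writes into the page comes from untrusted input: the alert text comes from the log, and the "Source Host" column comes from a reverse-DNS PTR record that whoever owns the scanning address gets to choose. The example below is added here and is not part of snort2html or of Snort; it reimplements the parse, the hour colouring and the 61000-65095 masquerading-port heuristic in Python over constructed sample lines, and escapes every log- and DNS-derived value. The syslog layout is the one assumed above, the sample lines and signature names are made up for the example, and `resolver` is a hypothetical stand-in for reverse DNS so the example runs offline.

```python
import html
import re
from urllib.parse import quote_plus

# Constructed sample syslog lines (not real captures) in the layout the script
# parses: "<date> <host> snort[pid]: <signature>: src[:port] -> dst[:port]".
# ICMP alerts carry no ports; the last line is not from snort and must be ignored.
SAMPLE_LOG = """\
Jan 28 03:12:44 sensor snort[1234]: WEB-CGI phf access: 10.0.0.1:2345 -> 10.0.0.2:80
Jan 28 14:05:01 sensor snort[1234]: ICMP PING NMAP: 10.0.0.3 -> 10.0.0.2
Jan 28 22:47:09 sensor snort[1234]: SCAN synscan portscan: 10.0.0.4:61043 -> 10.0.0.2:23
Jan 28 22:47:10 sensor sshd[99]: Accepted password for alice from 10.0.0.9
"""

ALERT_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"snort(?:\[\d+\])?:\s+(?P<attack>.*):\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)

# Linux 2.2 ipchains masquerading rewrote outgoing source ports into 61000-65095,
# which is the heuristic behind the script's green "possible masquerading host" marker.
MASQ_PORTS = range(61000, 65096)


def parse_alert(line):
    """Return a dict of fields for a snort alert line, or None for any other line."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["hour"] = int(rec["time"][:2])
    rec["sport"] = int(rec["sport"]) if rec["sport"] is not None else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] is not None else None
    rec["masq"] = rec["sport"] is not None and rec["sport"] in MASQ_PORTS
    return rec


def hour_color(hour):
    """Night / day / evening colouring, same bands as the script's timecolor sub."""
    if hour < 6:
        return "#000000"
    if hour < 18:
        return "#EEEE00"
    return "#FFCC00"


def render_row(rec, resolver=lambda ip: None):
    """Render one table row; every log- or DNS-derived string is HTML-escaped.

    `resolver` is a hypothetical stand-in for reverse DNS.  A PTR record is
    chosen by whoever controls the source address, so its result is untrusted.
    """
    src_name = resolver(rec["src"]) or rec["src"]
    dst_name = resolver(rec["dst"]) or rec["dst"]
    sport = "" if rec["sport"] is None else str(rec["sport"])
    dport = "" if rec["dport"] is None else str(rec["dport"])
    port_color = "#00BB00" if rec["masq"] else "#000000"
    search = "http://dev.whitehats.com/cgi/test/new.pl/Search?search=" + quote_plus(rec["attack"])
    return (
        "<TR>"
        f'<TD><B>{rec["month"]} {rec["day"]}</B></TD>'
        f'<TD><B><FONT COLOR="{hour_color(rec["hour"])}">{rec["time"]}</FONT></B></TD>'
        f'<TD><A HREF="{html.escape(search)}">{html.escape(rec["attack"])}</A></TD>'
        f'<TD>{html.escape(src_name)}</TD>'
        f'<TD><FONT COLOR="{port_color}">{sport}</FONT></TD>'
        f'<TD>{html.escape(dst_name)}</TD>'
        f'<TD>{dport}</TD>'
        "</TR>"
    )


def render_table(log_text, resolver=lambda ip: None):
    """Parse every line, keep only snort alerts, return (rows, masquerading_seen)."""
    rows, masq_seen = [], False
    for line in log_text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue
        rows.append(render_row(rec, resolver))
        masq_seen = masq_seen or rec["masq"]
    return rows, masq_seen


if __name__ == "__main__":
    # A hostile PTR record for the scanning host: without escaping, this would
    # run in the browser of whoever opens the generated page.
    hostile_ptr = {"10.0.0.4": "<script>alert(1)</script>.attacker.example"}
    rows, masq = render_table(SAMPLE_LOG, resolver=hostile_ptr.get)
    print("\n".join(rows))
    print("masquerading host seen:", masq)
```

Run it as-is and the third row shows the hostile host name as inert text and a green 61043 source port, while the sshd line never reaches the table. Swapping `hostile_ptr.get` for a real lookup (for example `socket.gethostbyaddr`) keeps the same escaping path, which is the point: the value is escaped because of where it comes from, not because of what it happens to contain.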

