contribs/snortlog-fab.pl


#!/usr/bin/perl
# Syslog analysis script originally written by
# Angelos Karageorgiou  and
# tweaked by Martin Roesch 
# few lines by Fabrizio Zeno Cornelli 

use Socket;

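# Cache of reverse-DNS results, keyed by the address string exactly as it
# appeared in the log line.  Misses are cached too (as undef) so that an
# address without a PTR record costs one lookup per run, not one per alert.
# A transient resolver failure therefore sticks for the rest of the run.
my %address = ();

# mgethost($host) - reverse-resolve an IPv4 address string to a host name.
#
# Returns the name reported by gethostbyaddr(), or undef when $host is
# empty, cannot be converted by inet_aton(), or has no PTR record.
# Results are memoised in %address.
#
# The address is taken from alert text generated by network traffic, and
# the PTR answer comes from whoever runs reverse DNS for that address, so
# the returned name is an untrusted display string; callers must not feed
# it into a regex, a shell command or a file name.
sub mgethost {
    my ($host) = @_;

    # Unusable input: nothing to look up, and nothing worth caching.
    return undef unless defined $host and length $host;

    # The original cache test was "$address{$host}==undef", a numeric
    # comparison that is true for every non-numeric string, and the store
    # into %address was commented out, so the cache never worked at all.
    return $address{$host} if exists $address{$host};

    my $name;
    my $iaddr = inet_aton($host);
    # inet_aton() returns undef for input it cannot parse or resolve;
    # gethostbyaddr() must not be handed that undef.
    $name = gethostbyaddr($iaddr, AF_INET) if defined $iaddr;

    $address{$host} = $name;
    return $name;
}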



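# Command line:  snortlog [-p n] <logfile> <machine>
#
# These are package globals on purpose: the report loop below reads them.
our $minprio   = 1;     # report only alerts whose "Priority:" value is >= this
our $targetlen = 25;    # column widths; not used by the report loop at present
our $sourcelen = 35;
our $protolen  = 12;

# The option is consumed before the argument count is checked, so that
# "snortlog -p 3" (option given, both positional arguments missing) is
# rejected here rather than going on to open an undefined file name.
# (The original checked $ARGV[1] first, which that invocation satisfied.)
if (@ARGV and $ARGV[0] eq '-p') {
    shift @ARGV;
    $minprio = shift @ARGV;
}

# A missing or non-numeric -p value and a short argument list both fall
# through to the usage text.  The text says ">= n" because that is what
# the loop's "next if $priority < $minprio" test implements.
if (@ARGV < 2 or not defined $minprio or $minprio !~ /\A\d+\z/) {
    print "USAGE: snortlog [-p n] <logfile> <machine>\n";
    print "EXAMPLE: snortlog /var/log/messages sentinel\n";
    print "-p n : show only messages with priority >= n \n";
    print "Note: The machine name is just the hostname, not the FQDN!\n";
    # A usage error is a failure as far as a calling script or cron job
    # is concerned, so do not exit 0 here.
    exit 1;
}

our $logfile = shift @ARGV;
our $machine = shift @ARGV;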

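# Report loop.  Reads the syslog file named on the command line, keeps the
# snort alert lines whose priority is at least $minprio, and prints one
# report line per alert: priority, date, message, source, destination.
#
# Everything after the "snort[pid]:" tag was produced by traffic the
# sensor saw, and the resolved names come from reverse DNS under someone
# else's control, so all of it is treated as untrusted text: it is only
# matched, split and printed, never interpolated into a pattern, a shell
# command or a file name.

# _endpoint_label("a.b.c.d:port") - "name:port" for one end of an alert,
# falling back to the bare address when the reverse lookup yields nothing.
# The port is appended only when one is present (ICMP endpoints have
# none).  Each endpoint gets its own port: the original appended the
# destination port to a stale name and the source port never at all.
sub _endpoint_label {
    my ($endpoint) = @_;
    my ($host, $port) = split(/:/, $endpoint, 2);
    $host = '' unless defined $host;
    $port =~ s/ //g if defined $port;   # trailing blanks after the port
    my $name = mgethost($host);
    $name = $host unless defined $name and length $name;
    $name .= ":$port" if defined $port and length $port;
    return $name;
}

# Three-argument open with a lexical handle: the two-argument form let the
# mode be taken from the file name, and the old message hid errno.
open(my $log, '<', $logfile) or die "Cannot open $logfile: $!\n";

printf("%2s %-15s %-32s %-35s %-35s\n","P","DATE","WARNING", "FROM", "TO");
print "=" x 100;
print "\n";

# The machine name is a command-line argument; \Q...\E keeps the dots and
# any other metacharacters in it literal inside the pattern.
my $tag_re = qr/ \Q$machine\E snort\[\d+\]:\s*/i;

LINE: while (<$log>) {
    chomp;

    # Strip terminal control characters (tab excepted, CR included) before
    # anything from the line reaches the screen.
    tr/\x00-\x08\x0b-\x1f\x7f//d;

    # Only snort alert lines are of interest; the daemon's own start-up
    # and shutdown chatter is skipped.  The tests no longer use /g, whose
    # pos() bookkeeping made one match affect where the next one started.
    next LINE unless /snort\[\d+\]/i;
    next LINE if /initialization completed/i or /received signal 15/i;

    # Alert classes not worth reporting.  Comment out the ones you want
    # to see.
    next LINE if /INFO - Possible Squid Scan/i
              or /WINDOW VIOLATION detection/i
              or /NETBIOS NT NULL session/i
              or /Possible RETRANSMISSION detection/i
              or /SCAN Proxy attempt/i
              or /ICMP Destination Unreachable/i
              or /ICMP redirect host/i;

    # Collapse " <machine> snort[pid]: " to a single ":" so that the date
    # is a fixed 15 characters and the message starts at offset 16.
    s/$tag_re/:/g;
    s/\s*\[\d+:\d+:\d+\]\s*//g;     # [generator:sid:rev] tag
    s{IDS\d+/}{}gi;                  # arachNIDS reference prefix

    # Priority must be read before the bracketed tags are removed below.
    my $priority = /Priority: (\d+)/ ? $1 : 0;
    next LINE if $priority < $minprio;

    s/\[.*\]//gi;                    # remaining [Classification: ...] etc.
    s/spp_stream4:\s*//gi;
    s/spp_portscan:\s*//gi;

    my $date = substr($_, 0, 15);
    my $rest = substr($_, 16, 500);

    # "<message>: <src> -> <dst>"; a line without the address part still
    # gets reported, with empty FROM/TO columns.
    my @fields = split(/: /, $rest);
    my $text   = defined $fields[0] ? $fields[0] : '';
    my $addrs  = defined $fields[1] ? $fields[1] : '';

    my ($source, $dest) = split(/\s*->\s*/, $addrs, 2);
    $source = '' unless defined $source;
    $dest   = '' unless defined $dest;

    my $from = _endpoint_label($source);
    my $to   = _endpoint_label($dest);

    printf("%2s %-15s %-32s %-30s\t%s\n", $priority,
            $date, $text,
            $from, $to);
}
close($log) or warn "Cannot close $logfile: $!\n";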