#!/usr/bin/perl -w
#
# modified for the Debian package by Christian Hammers <ch@westend.com>
# and "Mario 'BitKoenig' Holbe" <Mario.Holbe@RZ.TU-Ilmenau.DE>
#
# $Id: snort_stat.pl,v 1.2 1999/11/23 05:33:48 yenming Exp $
# $Revision: 1.2 $
#
# snort_stat.pl is a perl script that generates statistical data from the
# daily snort log file.
#
# Usage: cat <snort_log> | snort_stat.pl
#
# $Author: yenming $
# Yen-Ming Chen, <chenym+@CMU.EDU>
# $Date: 1999/11/23 05:33:48 $
#

#
#####################  set variables  ###############################
#

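# Minimum count of identical (attacker, victim, signature) triples a row must
# exceed before it is reported.  The misspelt name is the one the Debian
# configuration has always exported, so it is kept.  Anything that is not a
# non-negative integer falls back to the default of 1.
$treshold = $ENV{'DEBIAN_SNORT_STATS_TRESHOLD'};
$treshold = 1 unless defined $treshold && $treshold =~ /\A\d+\z/;

# Report recipient(s).  The environment gives them whitespace separated; the
# To: header wants a comma list, so every separator is rewritten (the old
# s/// without /g only rewrote the first one, leaving a third recipient glued
# to the second) and surrounding whitespace is dropped.
$to = $ENV{'DEBIAN_SNORT_STATS_RCPT'};
$to = "root" unless defined $to && $to =~ /\S/;
$to = join ', ', split ' ', $to;

# Mailer command; dump the report on stdout when sendmail is not installed.
$sendmail = -x "/usr/sbin/sendmail" ? "/usr/sbin/sendmail" : "cat -";

chomp($hostname = `hostname`);

# Yesterday's date in the "Mon d" form that is compared with the syslog
# timestamp of every line.
# NOTE(review): %h follows LC_TIME while syslog month names are English;
# confirm the job runs under the C/POSIX locale.
chomp($today = `/bin/date --date yesterday +"%h %-d"`);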

#
###################  process whatever comes in  ###################
#

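$lastWasSnort = 0;

# Both line shapes start with the syslog prefix "Mon dd hh:mm:ss host".  The
# host class is [\w-] in both patterns: the old "repeated" pattern used \w
# only, so a hyphenated hostname never matched it and its repeats were lost.
while (my $line = <>) {
  # A "last message repeated N times" line that directly follows a snort line
  # stands for N more copies of that snort record, timestamped by the repeat
  # line itself.
  if ($lastWasSnort) {
    if ($line =~ m{ \A (\w{3}) \s+ (\d+) \s (\d+) : (\d+) : (\d+) \s ([\w-]+) \s
                    last \s message \s repeated \s (\d+) \s times }x) {
      ($month, $day, $hour, $minute, $second, $host, $rep)
        = ($1, $2, $3, $4, $5, $6, $7);
      # One fresh anonymous array per copy; the record fields are those of
      # the preceding snort line.
      push @result, [$month, $day, $hour, $minute, $second, $host,
                     $sig, $saddr, $sport, $daddr, $dport] for 1 .. $rep;
      # Leave $lastWasSnort set: syslog may emit several repeat lines in a row.
      next;
    }
    $lastWasSnort = 0;
  }

  # "host snort: <signature>: <saddr>[:<sport>] -> <daddr>[:<dport>]"
  if ($line =~ m{ \A (\w{3}) \s+ (\d+) \s (\d+) : (\d+) : (\d+) \s ([\w-]+) \s snort: \s
                  ([^:|.]+) : \s ([\d.]+) :* (\d*) \s [\->]+ \s ([\d.]+) :* (\d*) }x) {
    ($month, $day, $hour, $minute, $second, $host, $sig, $saddr, $sport, $daddr, $dport)
      = ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11);

    # auth.log is rotated monthly, so only yesterday's entries are wanted.
    next if "$month $day" ne $today;

    push @result, [$month, $day, $hour, $minute, $second, $host,
                   $sig, $saddr, $sport, $daddr, $dport];
    $lastWasSnort = 1;
  }
}
exit 0 unless @result;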

#
####################  compute statistics  #########################
#

# Count how often the same attacker hit the same victim with the same
# signature.  The key is "saddr,daddr,sig" (record fields 7, 9 and 6) and is
# split again when the SAME_ATTACK report rows are written.
$s0{ join ',', @{$_}[7, 9, 6] }++ for @result;

#
###################  print mail  ##################################
#

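# Build the mailer argument list and start it without a shell: the recipients
# come from the environment and must not be able to smuggle shell syntax into
# the pipe.  Splitting on whitespace yields the same words the shell produced
# before ("root," style tokens are accepted by sendmail).
@mailer = (split(' ', $sendmail), split(' ', $to));
open(my $mail, '|-', @mailer) or die "cannot start @mailer: $!";

printf {$mail} "To: %s\n".
	    "Subject: %s: snort daily report\n\n".
	    "The log begins from: %3s %02d %02d:%02d:%02d\n".
	    "The log ends at:     %3s %02d %02d:%02d:%02d\n",
	$to, $hostname,
	@{ $result[0] }[0 .. 4],
	@{ $result[-1] }[0 .. 4];

# Frequency of attacks from one host to one destination with one signature.
# The row variables ($attacks, $method, $victim, $attacker) are package
# globals set by the loop below right before each write().
format SAME_ATTACK_TOP =


The number of attack from same host to same destination using same method
=========================================================================
   attacks                    to               from
=========================================================================
.
format SAME_ATTACK =
@>>> @<<<<<<<<<<<<<<<<<<<<<<  @<<<<<<<<<<<<<<  @<<<<<<<<<<<<<<<<<<<<<<<<<
$attacks, $method,          $victim,         $attacker
.

# Reverse-resolve an attacker address with host(1).  The address was matched
# by [\d.]+ when the log was parsed; that is re-checked here because the value
# is interpolated into a shell command, and anything else is returned as is.
# Output handling is unchanged: drop the "Name: " label of classic host(1)
# output, strip the newline, fall back to the bare address on failure.
sub _resolve_attacker {
    my ($addr) = @_;
    return $addr unless $addr =~ /\A[\d.]+\z/;
    my $name = `host $addr 2>/dev/null`;
    $name = $addr if !defined $name || $name eq "";
    $name =~ s/Name: //g;
    chomp($name);
    return $name;
}

my $previous = select($mail);
$^ = 'SAME_ATTACK_TOP';
$~ = 'SAME_ATTACK';

foreach my $key (sort { $s0{$b} <=> $s0{$a} } keys %s0) {
    $attacks = $s0{$key};
    # Filter before the DNS lookup; rows below the threshold were never printed.
    next unless $attacks > $treshold;
    # At most three fields: the two addresses cannot contain commas but a
    # signature name can, and the old unbounded split truncated such
    # signatures at their first comma.
    my $saddr;
    ($saddr, $victim, $method) = split /,/, $key, 3;
    $attacker = _resolve_attacker($saddr);
    write;
}
select($previous);
close($mail) or die "closing mailer @mailer: $!";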
