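#!/usr/local/bin/perl -w
#
# A simple tool to generate a report out of the last snort.alert file.
# Which could be emailed for later review.
# This is to be sure you don't miss the last messages when they arrive
# when you have gone home.
#
# It also includes logging from Samhain:
#   http://la-samhna.de/samhain/
# and pcds:
#   http://doornenburg.homelinux.net/scripts/pcds/
# when the logging of these 2 are also included in the same file, as described at
# the Mysecrep homepage:
#   http://doornenburg.homelinux.net/scripts/mysecrep/
#
# Simply change the input- and reportfile and run it from cron
# during night.
# Be aware that you must have read-access to the file!
#
# This software is released under the GPL. The full licence
# can be found at:
#   http://www.gnu.org/licenses/licenses.html#GPL
#
# $Id: mysecrep,v 0.8 2003/12/26 12:14:29 bart Exp $
# $Revision: 0.8 $
#
# Bart Somers
#
use strict;
use warnings;

# The report repeats alert details (hosts, sids, paths); keep the output
# file readable by the owner only.
umask 077;

my $infile  = "/home/bart/bin/snort.alert.2";
my $outfile = "/home/bart/bin/security.report";

# Warning! If you need to use an @ sign, escape it:
#   address\@domain.com
# Also, multiple addresses can be used. Separate them by a space.
# The addresses are handed to mail(1) directly, never through a shell.
my $adminmail = "admin";

# You can switch to not sending mail by setting mail to 0.
my $mail = 0;

# You can reverse the order of logging. Put to 1 for reverse, 0
# for normal behavior.
my $reverse = 0;

# You can create a "short" or "long" report. A short report does
# not contain the Classification information from the snort log.
# A long one does.
my $type = "short";

# Include or exclude the portscan-messages. They will be put to priority 3
# if included. Default is 1 (on), put to 0 for "off".
my $portscan = 1;

# No tunable options below this line.
###############################################################

my @prio1;
my @prio2;
my @prio3;

# Turn one squeezed log line into a single comma-joined record so the
# report subs can split it on ','. When $strip_commas is true the commas
# already present in the line are dropped first (Samhain and some pcds
# lines carry their own commas, which would otherwise shift the fields).
sub to_record {
    my ( $line, $strip_commas ) = @_;
    $line =~ tr/,//d if $strip_commas;
    $line =~ tr/ /,/;
    return $line;
}

open my $in_fh, '<', $infile or die("Can't open $infile : $!");
while ( my $line = <$in_fh> ) {
    chomp $line;

    # Squeeze the multiple spaces
    $line =~ tr/ //s;

    if ( $line =~ /Priority: 1\]:/ ) {
        push @prio1, to_record($line);
    }
    elsif ( $line =~ /Priority: 2\]:/ ) {
        push @prio2, to_record($line);
    }
    elsif ( $line =~ /Priority: 3\]/ ) {
        push @prio3, to_record($line);
    }
    elsif ( $line =~ /pcds/ && $line =~ /seen/ ) {
        push @prio2, to_record($line);
    }
    elsif ( $line =~ /pcds/ && $line =~ /instead/ ) {
        # Hmm, we have a comma too much. Delete it first.
        push @prio3, to_record( $line, 1 );
    }
    elsif ( $line =~ /Samhain/ && $line =~ /ALERT/ ) {
        push @prio1, to_record( $line, 1 );
    }
    elsif ( $line =~ /Samhain/ && $line =~ /CRIT/ ) {
        push @prio2, to_record( $line, 1 );
    }
    elsif ( $line =~ /Samhain/ && $line =~ /ERR/ ) {
        push @prio3, to_record( $line, 1 );
    }
    elsif ( $portscan == 1 && $line =~ /snort/ && $line =~ /spp_portscan/ ) {
        push @prio3, to_record($line);
    }
}
close $in_fh;

my $count1     = scalar @prio1;
my $count2     = scalar @prio2;
my $count3     = scalar @prio3;
my $counttotal = $count1 + $count2 + $count3;

if ( $reverse == 1 ) {
    @prio1 = reverse @prio1;
    @prio2 = reverse @prio2;
    @prio3 = reverse @prio3;
}

open my $out_fh, '>', $outfile or die("Can't open $outfile : $!");
print {$out_fh} "These are the results found in $infile\n\n";
print {$out_fh} "The total number of messages found is : $counttotal \n\n";
print {$out_fh} "Number of messages with Priority 1: $count1 \n";
print {$out_fh} "Number of messages with Priority 2: $count2 \n";
print {$out_fh} "Number of messages with Priority 3: $count3 \n";
print {$out_fh} "The logging-type is set to: $type \n";

print_section( $out_fh, 1, \@prio1 );
print_section( $out_fh, 2, \@prio2 );
print_section( $out_fh, 3, \@prio3 );

# Buffered write errors only surface at close; do not mail a truncated report.
close $out_fh or die("Can't write $outfile : $!");

# Print the header for one priority level followed by every record in it.
# Each record is routed to the formatter that understands its source.
sub print_section {
    my ( $fh, $level, $records ) = @_;
    print {$fh} "\n";
    print {$fh} "Found to be Priority $level: \n\n";
    for my $record (@$records) {
        if ( $record =~ /snort/ && $record =~ /Priority/ ) {
            snortrep( $record, $fh );
        }
        elsif ( $record =~ /pcds/ ) {
            pcdsrep( $record, $fh );
        }
        elsif ( $record =~ /Samhain/ && $record =~ /msg=/ ) {
            samhainrep( $record, $fh );
        }
        elsif ( $record =~ /snort/ && $record =~ /spp_portscan2/ ) {
            scanrep( $record, $fh );
        }
    }
}

# Format a snort alert record.
# Field layout relied on here (after the comma-join):
#   5  = snort-id ("[1:sid:rev]")
#   -4 = protocol ("{TCP}"), -3 = source-ip, -1 = destination-ip
#   6.. = message text, up to the Classification / [Priority field
sub snortrep {
    my ( $record, $fh ) = @_;
    my @field = split ',', $record;

    print {$fh} join( ' ', @field[ 0 .. 2 ] ), ' ';

    # The message text ends at a marker field. Walking the array with a
    # bounded loop (instead of an open-ended until) means a line that lacks
    # the marker can no longer spin forever past the end of @field.
    if ( $type eq 'short' || $type eq 'long' ) {
        my $stop = $type eq 'short' ? qr/Classification/ : qr/\[Prio/;
        for my $i ( 6 .. $#field ) {
            last if $field[$i] =~ $stop;
            # long mode prints the Classification words too; strip the brackets
            $field[$i] =~ tr/[]//d if $type eq 'long';
            print {$fh} $field[$i], ' ';
        }
    }

    # Remove the { } signs from the protocol (same character set the
    # original used: [ ] { } and ',').
    $field[-4] =~ tr/[]{},//d if @field >= 4;

    # Modify the form in which the snort-id is written.
    my $newsid = @field > 5 ? substr( $field[5], 3, -3 ) : '';
    $newsid = '' unless defined $newsid;

    print {$fh} $field[-4], " ", $field[-3], " => ", $field[-1], " sid: ", $newsid, "\n";
}

# Format a pcds record: timestamp fields, the reporting host (field 3),
# then everything from field 5 onwards as the message.
sub pcdsrep {
    my ( $record, $fh ) = @_;
    my @field = split ',', $record;

    print {$fh} join( ' ', @field[ 0 .. 2 ] ), ' ', "Host ", $field[3], " reports: ";
    for my $word ( @field[ 5 .. $#field ] ) {
        print {$fh} $word, " ";
    }
    print {$fh} "\n";
}

# Format a Samhain record.
# Field layout relied on here: 3 = host, 8 = msg=..., 9 = policy, 10 = path.
sub samhainrep {
    my ( $record, $fh ) = @_;
    my @field = split ',', $record;
    my ( $host, $msg, $pol, $path ) = @field[ 3, 8, 9, 10 ];

    print {$fh} join( ' ', @field[ 0 .. 2 ] ), ' ';

    if ( !defined $msg ) {
        # Too short to classify; still terminate the line so the next
        # record does not get glued onto this one.
        print {$fh} "\n";
    }
    elsif ( $msg =~ /START/ ) {
        print {$fh} "Samhain started \n";
    }
    elsif ( $msg =~ /EXIT/ ) {
        print {$fh} "Samhain stopped \n";
    }
    elsif ( $msg =~ /POLICY/ ) {
        my $policy   = defined $pol  ? substr( $pol,  1, -2 ) : '';
        my $fullpath = defined $path ? substr( $path, 6, -1 ) : '';
        $policy   = '' unless defined $policy;
        $fullpath = '' unless defined $fullpath;
        print {$fh} "Host ", $host, " reports policy ", $policy, " violated on ", $fullpath, "\n";
    }
    else {
        # Any other Samhain message used to be dropped from the report
        # without even a newline; show it verbatim instead.
        print {$fh} "Host ", $host, " reports: ", join( ' ', @field[ 8 .. $#field ] ), "\n";
    }
}

# Format a snort spp_portscan2 record: timestamp, protocol (field 18,
# braces removed), then fields 7..17 in order.
sub scanrep {
    my ( $record, $fh ) = @_;
    my @field = split ',', $record;

    $field[18] =~ tr/[]{},//d if defined $field[18];

    my @order = ( 0, 1, 2, 18, 7 .. 17 );
    for my $idx (@order) {
        print {$fh} ( defined $field[$idx] ? $field[$idx] : '' ), " ";
    }
    print {$fh} "\n";
}

if ( -s $outfile && $mail == 1 ) {
    # Feed the report to mail(1) ourselves with a list-form pipe open, so
    # neither the report path, the subject nor the address list is ever
    # parsed by a shell.
    my @recipients = split ' ', $adminmail;
    open my $report_fh, '<', $outfile
      or die("Can't open $outfile : $!");
    open( my $mail_fh, '|-', 'mail', '-s', "My Snort Report from $infile ", @recipients )
      or die("Can't run mail : $!");
    while ( my $line = <$report_fh> ) {
        print {$mail_fh} $line;
    }
    close $report_fh;
    close $mail_fh or die("mail failed : $!");
}

exit(0);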