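#!/usr/bin/perl
#
# Snort DShield Client
#
# Command line parameters:
#
#  1. logfile name (you need to use the long format, which produces 4-5 lines
#     per event, not the more limited short format)
#
#     IF YOU ARE LOGGING TO THE SYSLOG, USE THE 'snort_syslog.pl' CLIENT.
#     IF YOU ARE USING THE PORTSCAN LOG, USE THE 'snort_portscan.pl' CLIENT.
#
#  2. DELETE/ROTATE/NOTHING
#     what to do with the log once we are done.
#     (rotate will save it under a new name, which is the old name with a
#     time stamp appended.  NOTE: rotate *copies* the log and leaves the
#     original in place, so the same events are reported again on the next
#     run unless something else truncates the file.)
#
# v 0.0.1 dshield@dshield.cirt.vt.edu 3/29/2001  initial parser
# v 0.1.0 dshield@dshield.cirt.vt.edu 4/10/2001  working parser, now with flags.
# v 1.0.0 dshield@dshield.cirt.vt.edu 4/11/2001  added mail wrapper
# v 1.0.1 dshield@dshield.cirt.vt.edu 4/30/2001  finally.. documentation and
#                                                function matches.
# v 1.0.2 dshield@dshield.cirt.vt.edu 5/2/2001   added 'chomp' to tz.
#                                                (thanks Bob Van Cleef).
# v 1.1.0 dshield@dshield.cirt.vt.edu 6/7/2001   added support for different
#                                                snort formats.
# v 1.1.1 (review)  strict/warnings; 3-arg open of the log file; list-form
#          pipe open / copy / unlink so the log file name and the sendmail
#          command never go through a shell; mail headers stripped of CR/LF;
#          flags reset per event (a UDP/ICMP event no longer reports the
#          TCP flags of the previous event); the log is only rotated or
#          deleted after sendmail accepted the report.
#

use strict;
use warnings;
use File::Copy qw(copy);
use POSIX qw(strftime);

# ---------------------------------------------------------------------------
# Parameters (edit these):
# ---------------------------------------------------------------------------
my $email  = "...address to send logs to...";         # (e.g. dshield@dshield.cirt.vt.edu)
my $from   = "...your e-mail address...";
my $ccopy  = "...second address to send logs to...";  # (e.g. yourself for verification)
my $author = "0";                                      # (your dshield userid)

# sendmail command as a list (formerly one string).  The list form is handed
# straight to exec(), so nothing here is interpreted by a shell.
my @sendmail = ("/usr/lib/sendmail", "-t", "-oi");

# ---------------------------------------------------------------------------
# Command line
# ---------------------------------------------------------------------------
my $logfile = shift
    or die "usage: $0 logfile [DELETE|ROTATE|NOTHING]\n";
my $finish = shift || "ROTATE";

# The snort log has no year, so the current one is assumed.  %z gives e.g.
# "+0100"; DShield wants "+01:00", hence the same rewrite the old
# `date +%z | sed 's/00$/:00/'` pipeline did.  (Relies on the C library's
# strftime supporting %z, as on every current Unix.)
my $year = strftime('%Y', localtime);
my $tz   = strftime('%z', localtime);
$tz =~ s/00$/:00/;

# The headers below are built from the configuration values.  sendmail -t
# takes its recipients from those headers, so strip CR/LF to make sure a
# stray newline in a value cannot smuggle in extra header lines.
for ($email, $ccopy, $from, $author) { s/[\r\n]//g }

# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------

# "host:port" -> (host, port); port 0 when there is none (ICMP etc.).
sub split_hostport {
    my ($hp) = @_;
    return ('', 0) unless defined $hp;
    return ($hp, 0) unless $hp =~ /:/;
    my ($host, $port) = split /:/, $hp;
    return ($host, defined $port ? $port : 0);
}

# "MM/DD-HH:MM:SS.uuuuuu" -> (month, day, "HH:MM:SS"); the fraction is dropped.
sub split_stamp {
    my ($stamp) = @_;
    my ($d, $t) = split /-/, $stamp;
    $t = '' unless defined $t;
    $t = $1 if $t =~ /^(\d\d:\d\d:\d\d)/;
    my ($month, $day) = split m{/}, $d;
    return ($month, $day, $t);
}

# ---------------------------------------------------------------------------
# Parse the log and stream one report line per event to sendmail
# ---------------------------------------------------------------------------

# Open the log first: if it is missing we must not start a (then empty) mail.
# 3-arg open: a name such as "| cmd" or ">file" is opened as a plain file
# instead of being interpreted as a pipe or an output mode.
open my $log, '<', $logfile
    or die "cannot open $logfile: $!\n";

open my $mail, '|-', @sendmail
    or die "cannot run @sendmail: $!\n";
print {$mail} "To: $email\n";
print {$mail} "Cc: $ccopy\n";
print {$mail} "From: $from\n";
print {$mail} "Subject: FORMAT DSHIELD USERID $author TZ $tz\n\n";

# Fields of the event currently being assembled over several log lines.
my ($month, $day, $time, $source, $sourceport, $target, $targetport) = ('') x 7;
my $proto = '';
my $flags = '';

# Which line of the event we expect next: '' (none), PROTO, IPS, FLAGS, or
# PRINT once everything needed for the report line is in hand.  The checks
# below are deliberately independent ifs, not elsif: a state change made
# by one of them can let a later one fire on the same line, exactly as the
# original parser did.
my $next = '';

while (my $line = <$log>) {
    chomp $line;

    if ($next eq 'FLAGS') {
        # TCP flags line, e.g. "***A**S* Seq: ...": keep the flag letters.
        ($flags) = split ' ', $line;
        $flags = '' unless defined $flags;
        $flags =~ s/\*//g;
        $flags =~ s/\d//g;
        $next = 'PRINT';
    }

    if ($next eq 'PROTO') {
        # Protocol line follows the one-line header; only TCP has a flags
        # line after it.
        ($proto) = split ' ', $line;
        $proto = '' unless defined $proto;
        $next = $proto eq 'TCP' ? 'FLAGS' : 'PRINT';
    }

    if ($next eq 'IPS') {
        # Second format: "src:port -> dst:port PROTO ..." on its own line.
        my ($src, undef, $dst, $p) = split ' ', $line;
        ($source, $sourceport) = split_hostport($src);
        ($target, $targetport) = split_hostport($dst);
        $proto = defined $p ? $p : '';
        # NOTE(review): kept from the original -- the next line is consumed
        # as the flags line regardless of $proto here; verify against a
        # non-TCP event in this log format.
        $next = 'FLAGS';
    }

    if ($line =~ /^\d\d\/\d\d-\d*:\d*:\d*\.\d* \d*\.\d*\.\d*\.\d*[0-9.: ]*->[0-9.: ]*/) {
        # First format, one-line header:
        #   "MM/DD-HH:MM:SS.uuuuuu src:port -> dst:port"
        my ($stamp, $src, undef, $dst) = split ' ', $line;
        ($month, $day, $time) = split_stamp($stamp);
        ($source, $sourceport) = split_hostport($src);
        ($target, $targetport) = split_hostport($dst);
        $proto = '';
        $flags = '';     # a new event starts: never carry flags over
        $next  = 'PROTO';
    }

    if ($line =~ /^\d\d\/\d\d-.*:.*:.*:.*:.*:.*->.*/ && $next ne 'PROTO') {
        # Second format: only the time stamp is taken from this header line;
        # addresses and protocol come on the following line.
        my ($stamp) = split ' ', $line;
        ($month, $day, $time) = split_stamp($stamp);
        $proto = '';
        $flags = '';
        $next  = 'IPS';
    }

    if ($next eq 'PRINT') {
        print {$mail} "$year-$month-$day $time $tz\t$author\t1\t$source\t$sourceport\t$target\t$targetport\t$proto\t$flags\n";
        $next = '';
    }
}

# Closing the pipe waits for sendmail; a non-zero exit means the report was
# not accepted, and dying here leaves the log untouched for a retry.
close $mail
    or die "sendmail (@sendmail) failed: "
         . ($! ? $! : "exit status " . ($? >> 8)) . "\n";
close $log;

# ---------------------------------------------------------------------------
# Dispose of the log as requested (both may apply, rotate first)
# ---------------------------------------------------------------------------
if ($finish =~ /ROTATE/i) {
    my $saved = "$logfile." . time();
    copy($logfile, $saved)
        or die "cannot copy $logfile to $saved: $!\n";
}
if ($finish =~ /DELETE/i) {
    unlink $logfile
        or die "cannot delete $logfile: $!\n";
}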