
snort2html15.txt

Posted Oct 4, 2000
Authored by Daniel Swan | Site clark.net

Snort2HTML v1.5 converts Snort Intrusion Detection System logs into nicely-formatted HTML.

Changes: Parsing for ICMP alerts, optimized code, input/output files now can be specified on the command line, and more.
tags | tool, sniffer
SHA-256 | c585d4e20fc71f2ee6d79241605c53963ed072a83ff76bc69cb7464c01834cb6

#!/usr/bin/perl -w
#
# Snort2HTML 1.5 by Dan Swan, Oct 03, 00.
#
# Special thanks to Martin Roesch for writing snort, a great NIDS!
# And to Max Vision for the use of his attack signatures database.
# And to my girlfriend Lisa for being supportive and a hottie.
#
# Distribute and modify freely, but give credit where credit is due!
#
#
# INSTALLATION: Place this file in /usr/local/bin. To update webpage
# regularly, paste the following quoted text into a file named
# /etc/cron.hourly/snortupdate: "/usr/local/bin/snort2html",
# and make sure both files are executable.
#
# USAGE: ./snort2html <inputfile>
# ./snort2html <inputfile> <outputfile>
#
# If no parameters are specified at the command line, the inputfile
# defaults to "/var/log/secure", and the outputfile defaults to
# "/home/httpd/html/snort2html.html".
#
#
# TODO: -Display service on Target port
# -More color coding of source port (suggestions welcome!)
# -A cgi wrapper to update page when accessed.
# -Dynamic sorting by clicking on column header.
# -Command line flags to control formatting
# -Neaten up script which is getting a bit messy;
#
#
# NOTE: I am interested in any suggestions on improving the code, features
# you'd like to see, or tips on making the output more lynx-friendly.
# Please send them to swan_daniel@hotmail.com
#
#
# ASSISTANCE: If you're having trouble, make sure you've read these
# instructions, and are using the latest version, which is
# available from: www.geocities.com/swan_daniel/snort2html.txt
# If this doesn't solve your problem, re-read these
# instructions, and then mail me with a description of your
# problem, and a copy of your snort alert log. I'll do my best
# to help you resolve your problem.
#
#
# CHANGES:
#
# 1.1
# - Changed <TD><B> to <TH>, fixed perms on outputfile, other minor cosmetic
# changes as suggested by Ralf Hildebrandt.
# - Fixed problem parsing ICMP alerts, optimized code for speed (~10% gain)
# using patch provided by Nico Erfuth.
#
# 1.2
# - Modifications made by Ralf Hildebrandt to enable parsing of spp_portscan plugin output,
# thus making this snort1.6 compatible
# - Fixed a silly Regexp mistake that was causing dates to be outputted with a space
# in between the digits.
#
# 1.3
# - Updated link generator to arachNIDS database to reflect new path
#
# 1.5 October, 2000
# - We're gonna skip a version here, as I actually did a version that
# I only used myself, and never bothered to release.
# - Fixed a few regexes that were breaking under some alerts.
# - Added ability to specify inputfile and outputfile on commandline.
# - Miscellaneous other tweaks.
#

use Socket;
use POSIX qw(strftime);
use Sys::Hostname;

## Define variables ##

$logfile="/var/log/secure"; # Default input file
$outputfile="/home/httpd/html/snort2html.html"; # Default output file.
$hostname=hostname();
$MASQHOST=0;
$time = strftime "%b %d at %H:%M", localtime;

## Check command line input ##

$numArgs = $#ARGV +1;
if ($numArgs == 1) {
$logfile=$ARGV[0];
}
elsif ($numArgs > 1) {
$logfile=$ARGV[0];
$outputfile=$ARGV[1];
}

##############################
# Main #
##############################

&generatehtmlheader; # Call function to generate HTML header

open(LOG,"$logfile") || die "Unable to open $logfile";
my @log = <LOG>; # Read whole file into big array
close LOG;
chomp @log;
foreach (@log) {
if ( ! /snort/ ) # If it ain't got the word snort in it...
{
next; # ...get me another line.
}


if (/spp_portscan: PORTSCAN DETECTED/) {
/(.*\s)(.*\s)(..:..:..\s)(.*).*\ssnort\[\d*\]:\sspp_portscan: PORTSCAN DETECTED from (\d+\.\d+\.\d+\.\d+)/;

# month day timeofday $4
#Apr 5 10:32:31 stahlw06 snort[3577]: spp_portscan: PORTSCAN DETECTED from 134.169.69.224
#Sep 17 22:36:08 clgr003753 snort[25392]: spp_portscan: PORTSCAN DETECTED from 210.172.128.20 (STEALTH)
$month = $1;
$day = $2;
$timeofday = $3;
$hour = $3;
$attack = "Portscan detected :";
$sourceip = $5;
# $sourceport = "";
$targetip = $4;
$targetport = "";

} elsif (/spp_portscan: End of portscan/) {
/(.*\s)(.*\s)(..:..:..\s)(.*).*\ssnort\[\d*\]:\sspp_portscan: End of portscan from (\d+\.\d+\.\d+\.\d+)/;

# month day timeofday $4
#Apr 5 10:32:57 stahlw06 snort[3577]: spp_portscan: End of portscan from 134.169.69.225

$month = $1;
$day = $2;
$timeofday = $3;
$hour = $3;
$attack = "End of portscan :";
$sourceip = $5;
$sourceport = "";
$targetip = $4;
$targetport = "";

} elsif (/spp_portscan: portscan status/) {
/(.*\s)(.*\s)(..:..:..\s)(.*)\ssnort\[\d*\]:\sspp_portscan: portscan status from (\d+\.\d+\.\d+\.\d+): (\d+ )connections across (\d+ )hosts: TCP\((\d+)\), UDP\((\d+)\)/;
# month day timeofday $4 $5 $6 $7 $8 $9
#Apr 5 10:32:39 stahlw06 snort[3577]: spp_portscan: portscan status from 134.169.69.224: 9 connections across 1 hosts: TCP(0), UDP(9)

$month = $1;
$day = $2;
$timeofday = $3;
$hour = $3;
$attack = "Portscan status :";
$sourceip = $5;
$sourceport = $6;
$targetip = $4;
$targetport = sprintf(":TCP (%d) UDP (%d)",$8,$9); # Parentheses need no escaping inside a double-quoted string

} else {
# normal regexp
/(.*\s)(.*\s)(.*:..:..\s).*\s(snort.*:\s)(.*:\s)(.*\d\s)(.*\s)(.*)/; # Pattern matching against each line read from logfile
# month day timeofday attack source target
# Variables extracted from pattern matching above.

$month = $1;
$day = $2;
$timeofday = $3;
$hour = $3;
$attack = $5;
$sourceip = $6;
$sourceport= $6;
$targetip = $8;
$targetport= $8;
}

# Get rid of unwanted characters
$attack =~ s/://;
$sourceip =~ s/:.*//;
$hour =~ s/:.*//;
if (!($sourceport =~ s/.*://)) {$sourceport = "-N/A-"};
$sourcehost=gethostbyaddr(inet_aton($sourceip), AF_INET);
$targetip=~ s/:.*//;
if (!($targetport =~ s/.*://)) {$targetport = "-N/A-"};
$targethost=gethostbyaddr(inet_aton($targetip), AF_INET);
$searchattack=$attack;
$searchattack=~ s/\s/+/g;
chop $searchattack;

&timecolor;
&generatehtmlbody # Generate body of HTML from data read from snortlog
}

&generatehtmlfooter; # Generate footer of HTML

chmod (0644, $outputfile); # Ensure that output file is world readable


#############################################################
####################Subroutines##############################
#############################################################

sub generatehtmlheader { #Deletes old HTML file, creates new ones, and writes headings.
unlink $outputfile;
open (HTML, ">$outputfile");
print HTML "<HTML>\n";
print HTML "<HEAD>\n";
print HTML "<TITLE>Hot dog! Jumping frog! It's an html2snort log! </TITLE>\n";
print HTML "</HEAD>\n";
print HTML "<BODY BGCOLOR=\"#AAAAAA\">\n";
print HTML "<H1 align=center>Snort log for $hostname</H1>\n";
print HTML "<TABLE border>\n";
print HTML "<TR>\n";
print HTML "<TH>Date</TH>\n";
print HTML "<TH>Time</TH>\n";
print HTML "<TH>Attack</TH>\n";
print HTML "<TH>Source Host</TH>\n";
print HTML "<TH>Source Port</TH>\n";
print HTML "<TH>Target Host</TH>\n";
print HTML "<TH>Target Port</TH>\n";
print HTML "</TR>\n";
}

sub timecolor { # Color code time of day according to daytime, evening, and nighttime.
my $result = int($hour/6);
if ($result == 0) {$hourcolor = "#000000"; }
elsif ($result < 3) {$hourcolor = "#EEEE00"; }
else {$hourcolor = "#FFCC00"; };
}

sub generatehtmlbody { # Writes fields to html file.
print HTML "<TR>\n";
print HTML "<TD><B>$month $day</B></TD>\n";
print HTML "<TD><B><FONT COLOR=\"$hourcolor\">$timeofday</font></B></TD>\n";
print HTML "<TD>&nbsp;<A href=\"http://dev.whitehats.com/cgi/arachNIDS/Search?search=$searchattack\">$attack</A></TD>\n";
print HTML "<TD>&nbsp;<A HREF=\"http://www.arin.net/cgi-bin/whois.pl?queryinput=$sourceip&B1=Submit\">", $sourcehost || $sourceip, "</A></TD>\n";
# Source ports 61000-65095 are the range Linux IP masquerading rewrites to, so flag them.
if (($sourceport ne "-N/A-") && ($sourceport>61000) && ($sourceport<65096)) {
$sourceportcolor="#006600";
$MASQHOST=1;
}
else {$sourceportcolor="#000000";}
print HTML "<TD>&nbsp;<font color=\"$sourceportcolor\">$sourceport</font></TD>\n";
print HTML "<TD>&nbsp;", $targethost || $targetip, "</TD>\n";
print HTML "<TD>&nbsp;$targetport</TD>\n";
print HTML "</TR>\n";
}
sub generatehtmlfooter { # Writes end of HTML tags, and closes filehandle.
print HTML "</TABLE>\n";
if ( $MASQHOST ne "0" ) # Need to include masqsourceport explanation at end??
{
print HTML "<TABLE noborder><TR><TD WIDTH=4 ALIGN=left VALIGN=top BGCOLOR=\"#006600\"><font color= \"#006600\">DS</font></TD><TD align=left>=Possible masquerading host.</TD></table>\n";
}
print HTML "<BR><HR>\n";
print HTML "This page generated from <A HREF=\"http://www.snort.org\">snort</A> logs on $time using <A HREF=\"http://www.geocities.com/swan_daniel/snort2html.txt\">snort2html</A> 1.5 by <A HREF=\"mailto:swan_daniel\@hotmail.com\">Dan Swan</A>.<BR>\n";
print HTML "</BODY>\n";
print HTML "</HTML>\n";
close (HTML);
}
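Two things in the script above deserve a note from a defender's point of view. First, the alert text, the reverse-DNS names from gethostbyaddr and the arachNIDS search string are interpolated straight into the HTML file, and a PTR record is set by whoever controls the reverse zone for that address, not by the sensor. Second, when one of the unanchored regexes fails to match a line, Perl leaves $1..$9 holding the captures from the last successful match, so a malformed line is rendered with the previous line's date, address and port fields. The Perl below is an added example written for this listing, not part of snort2html: it parses the same syslog-format lines with patterns anchored at both ends, reads captures only inside the branch whose match succeeded, refuses lines that match neither shape, and HTML-escapes every field (and percent-encodes the search term) before writing it. The sample lines are constructed, and parse_snort_line, html_row, html_escape and url_encode are names belonging to this example.

```perl
#!/usr/bin/perl
# Added example for this listing, not part of snort2html: parse snort syslog
# alert lines with anchored patterns, reject lines that do not match instead
# of reusing stale captures, and escape every field before it is written as HTML.
use strict;
use warnings;

# Constructed sample lines in the syslog format snort2html reads (not real alerts).
my @sample = (
    'Sep 17 22:36:08 sensor1 snort[25392]: IDS123 - WEB-MISC example probe: 10.1.2.3:4567 -> 192.0.2.10:80',
    'Sep 17 22:36:09 sensor1 snort[25392]: spp_portscan: PORTSCAN DETECTED from 10.1.2.3 (STEALTH)',
    'Sep 17 22:36:10 sensor1 sshd[100]: Accepted password for alice from 10.0.0.5',
    'Sep 17 22:36:11 sensor1 snort[25392]: msg with <tags> & "quotes": 10.1.2.3:1 -> 192.0.2.10:80',
    'Sep 17 22:36:12 sensor1 snort[25392]: spp_portscan: End of portscan from 10.1.2.3',
);

# Minimal HTML escaping of the five characters that matter in text and attribute values.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Percent-encode a value for a URL query string; only RFC 3986 unreserved characters pass through.
sub url_encode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

my $IPV4   = qr/(?:\d{1,3}\.){3}\d{1,3}/;
# Groups 1-4: month, day, time of day, logging host.
my $PREFIX = qr/^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+snort\[\d+\]:\s+/;

# Returns a hashref of fields, or undef when the line is not one of the two shapes handled here.
# Each pattern is anchored at both ends and the captures are read only inside the branch
# whose match succeeded, so a non-matching line can never inherit another line's $1..$9.
sub parse_snort_line {
    my ($line) = @_;
    if ($line =~ /${PREFIX}spp_portscan: PORTSCAN DETECTED from ($IPV4)(?:\s+\(STEALTH\))?\s*$/) {
        return { month => $1, day => $2, time => $3, attack => 'Portscan detected',
                 sourceip => $5, sourceport => '-N/A-', targetip => $4, targetport => '-N/A-' };
    }
    if ($line =~ /${PREFIX}(.*?):\s+($IPV4)(?::(\d+))?\s+->\s+($IPV4)(?::(\d+))?\s*$/) {
        return { month => $1, day => $2, time => $3, attack => $5,
                 sourceip => $6, sourceport => defined($7) ? $7 : '-N/A-',
                 targetip => $8, targetport => defined($9) ? $9 : '-N/A-' };
    }
    return undef;
}

# One table row in the layout snort2html produces, with every dynamic value escaped.
sub html_row {
    my ($r) = @_;
    my $search = url_encode($r->{attack});
    return '<TR>'
        . '<TD>' . html_escape("$r->{month} $r->{day}") . '</TD>'
        . '<TD>' . html_escape($r->{time}) . '</TD>'
        . '<TD><A href="http://dev.whitehats.com/cgi/arachNIDS/Search?search='
        . html_escape($search) . '">' . html_escape($r->{attack}) . '</A></TD>'
        . '<TD>' . html_escape($r->{sourceip})   . '</TD>'
        . '<TD>' . html_escape($r->{sourceport}) . '</TD>'
        . '<TD>' . html_escape($r->{targetip})   . '</TD>'
        . '<TD>' . html_escape($r->{targetport}) . '</TD>'
        . "</TR>\n";
}

my ($rows, $unparsed) = (0, 0);
for my $line (@sample) {
    next unless $line =~ /\bsnort\[\d+\]:/;   # only snort entries, as snort2html filters on "snort"
    my $rec = parse_snort_line($line);
    if (!defined $rec) {
        $unparsed++;
        warn "unparsed snort line: $line\n";   # report it; never render it with stale fields
        next;
    }
    print html_row($rec);
    $rows++;
}
print STDERR "rendered $rows rows, $unparsed unparsed snort lines\n";
```

Run it with perl and it prints three table rows to STDOUT (the sshd line is filtered out, the "End of portscan" line is reported on STDERR as unparsed rather than rendered, and the angle brackets and quotes in the fourth sample come out as entities). If reverse-DNS names are displayed, as snort2html does with gethostbyaddr, pass them through html_escape as well, since they are supplied by the address owner's reverse zone.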
