[Snort-devel] snort_stat.pl patch for priority and class

Matthew Sachs matthewg at ...1991...
Wed May 21 06:12:02 EDT 2003


The attached patch to snort_stat.pl makes use of a rule's priority and 
class in organizing the report.  If any rules of priority 1 were 
matched, "*URGENT*" is prepended to the subject.  The attacks are also 
sorted by priority and class in the "Number of attack from same host 
to same destination using same method" summary.

-- 
Matthew Sachs   <matthewg at ...1991...>  <matthewg at ...1992...>
http://www.zevils.com/ * GPG key: 0x600A0342 * PGP key: 0x93EA1151
#The original nonstandard deviant# (((T^E)%(PQ))^D)%(PQ) = RSA-NOP
-------------- next part --------------
--- snort-2.0.0/contrib/snort_stat.pl	2003-05-20 10:07:20.000000000 -0400
+++ snort-2.0.0.patched/contrib/snort_stat.pl	2003-05-20 10:19:32.000000000 -0400
@@ -143,7 +143,7 @@
   # for the same pair of attacker and victim with same sig
   # to see the attack pattern
   # used in same_attack()
-  $s0{"$result[$i]->[9],$result[$i]->[7],$result[$i]->[6]"}++;
+  $s0{"$result[$i]->[9],$result[$i]->[7],$result[$i]->[6],$result[$i]->[11],$result[$i]->[12]"}++;
   # for the same pair of attacker and victim 
   # to see how many ways are being tried
   # used in same_host_dest()
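Review bot: The extended key is still comma-joined, and `same_attack` recovers its fields with `split ",", $k`, so a signature message that itself contains a comma shifts `$_[3]`/`$_[4]` onto fragments of the message text and the priority grouping and numeric `<=>` then operate on garbage. Before this patch the signature was the last field, so an embedded comma only truncated the displayed message; now it corrupts the sort keys. Joining with a separator that cannot appear in the message, such as Perl's subscript separator `$;` (`join $;, $result[$i]->[9], $result[$i]->[7], $result[$i]->[6], $result[$i]->[11], $result[$i]->[12]`), and splitting on `/$;/` in `same_attack` avoids this. The enclosing loop starts before this hunk.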
@@ -186,13 +186,15 @@
 
 # print the header (e.g. for mail)
 sub print_head {
+  my $urgent = "";
+  $urgent = "*URGENT* " if grep {$_->[11] == 1} @result;
   if ($opt_h) {
     print "<html>\n<head>\n";
-    print "<title>Snort Statistics</title>";
+    print "<title>${urgent}Snort Statistics</title>";
     print "</head>\n<body>\n";
-    print "<h1>Snort Statistics</h1>\n";
+    print "<h1>${urgent}Snort Statistics</h1>\n";
   } else { 
-    print "Subject: snort daily report\n\n";
+    print "Subject: ${urgent}snort daily report\n\n";
   }
 }
 
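Review bot: `grep {$_->[11] == 1} @result` compares the priority numerically for every alert; for alerts whose priority was never parsed (the patch does not show where `$self->{PRIORITY}` is populated, so I assume it can be undef) this emits an "uninitialized value" warning per alert when the script runs with warnings enabled. A guarded test, `defined $_->[11] && $_->[11] == 1`, keeps that quiet, and `List::Util::first` would stop at the first priority-1 hit instead of scanning the whole list. The marker itself is a fixed string, so the Subject header is not influenced by log contents.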
@@ -242,23 +244,47 @@
 # to see the frequency of the attack from a certain pair of 
 # host and destination
 sub same_attack {
+  my $sortfunc = sub {
+    my @afields = split ",", $a;
+    my @bfields = split ",", $b;
+
+    $afields[3] <=> $bfields[3]
+                or
+    $afields[4] cmp $bfields[4]
+                or
+    $s0{$b} <=> $s0{$a}
+                or
+    $afields[1] cmp $bfields[1]
+                or
+    $afields[0] cmp $bfields[0]
+                or
+    $afields[2] cmp $bfields[2]
+  };
+  my @prev = (0, 0, 0, 0, "");
+
   if ($opt_h) {
     print "<h3><a name=\"same_hdm\">Number of attack from same host to same destination using same method</a></h3>\n";
     print "<table>\n";
     print "<tr><th># of attacks</th><th>from</th><th>to</th><th>with</th></tr>";
-    foreach $k (sort { $s0{$b} <=> $s0{$a} } keys %s0) { 
+    foreach $k (sort $sortfunc keys %s0) { 
       @_ = split ",",$k;
+      print "<tr><td colspan=\"4\"><strong>Priority $_[3]</strong></td></tr>\n" if $_[3] != $prev[3];
+      print "<tr><td colspan=\"4\"><strong>Type$_[4]</strong></td></tr>\n" if $_[3] != $prev[3] or $_[4] ne $prev[4];
       print "<tr><td>$s0{$k}</td><td>$_[1]</td><td>$_[0]</td>
              <td>".printHref($_[2])."</td></tr>\n" if $s0{$k} > $th;
+      @prev = @_;
     }
     print "</table><a href=\"#top\">Top</a><hr>\n";
   } else {
     section_header("The number of attacks from same host to same
 destination using same method\n", "asdm");
-    foreach $k (sort { $s0{$b} <=> $s0{$a} } keys %s0) { 
+    foreach $k (sort $sortfunc keys %s0) {
       @_ = split ",",$k;
+      printf("Priority $_[3]:\n") if $_[3] != $prev[3];
+      printf("  Type$_[4]:\n") if $_[3] != $prev[3] or $_[4] ne $prev[4];
       printf("   %-2d     %-${saddr_len}s   %-${daddr_len}s   %-20s\n",
 	     $s0{$k},$_[1],$_[0],$_[2]) if $s0{$k} > $th;
+      @prev = @_;
     }
   }
 }
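Review bot: The new group headings are printed whenever the priority or class changes, but the data rows are still filtered by `if $s0{$k} > $th`, so a group whose every entry is at or below the threshold produces a "Priority N:"/"Type" heading with nothing beneath it, in both the HTML and text branches. Filtering before sorting fixes both loops with one change each: `foreach $k (sort $sortfunc grep { $s0{$_} > $th } keys %s0) {`, after which the trailing `if $s0{$k} > $th` on the row print is redundant. Separately, `"Type$_[4]"` renders the class name with no separator after "Type" (e.g. "Typeattempted-recon") unless the CLASS field carries its own leading punctuation, and `$_[3]`/`$_[4]` are interpolated into the HTML table unescaped; the class string comes from the rule classtype rather than packet payload, so exposure is limited, but the HTML branch should escape it like any other interpolated value.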
@@ -509,7 +535,8 @@
     $self->{SIG} =~ s/\:$//o;
     push @result ,[$self->{MON},$self->{DAY},$self->{HOUR},$self->{MIN},
                    $self->{SEC},$self->{HOST},$self->{SIG},$self->{SADDR},
-                   $self->{SPORT},$self->{DADDR},$self->{DPORT}];
+                   $self->{SPORT},$self->{DADDR},$self->{DPORT},
+                   $self->{PRIORITY},$self->{CLASS}];
     $lastwassnort = 1;
   } else {
     print STDERR "Unknown alert type/plugin! $self->{TYPE}:$self->{PLUGIN} Skipped!\n";
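Review bot: `$self->{PRIORITY}` and `$self->{CLASS}` are pushed without a default; the patch does not show where they are parsed, so for alerts lacking a `[Priority:]`/`[Classification:]` tag they are presumably undef. Because the `%s0` key is comma-joined and `split` drops trailing empty fields, such an alert loses those fields entirely, sorts numerically as priority 0 — ahead of the genuine priority-1 alerts — and is grouped under "Priority 0" while not triggering the URGENT marker. Supplying explicit defaults here keeps the downstream comparisons well-defined, e.g. `(defined $self->{PRIORITY} ? $self->{PRIORITY} : 99),` and `(defined $self->{CLASS} ? $self->{CLASS} : 'unclassified')`, so unclassified alerts sort after the classified ones. The enclosing if/else continues past this hunk.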

