[Snort-users] portscsan.log summary.

Phil Wood cpw at ...440...
Sat Jun 1 00:46:03 EDT 2002


On Sat, Jun 01, 2002 at 12:23:28PM +1000, Chris Keladis wrote:
> Afternoon folks,
> 
> I was wondering if anyone has something to crunch a portscan.log file
> and produce statistics of portscanning activity?

Attached is a perl script to turn the log into something I can deal with.
Then, a simple awk script to extract a few fields for summarization.

It goes like this.  First a little help:

A little help.

  % scan-msgs -h
  Usage: /data/pw/bin/scan-msgs [
  -M     extract Month and day
  -T     extract Time
  -S     extract Source Address
  -s     extract Source Port
  -D     extract Destination Address
  -d     extract Destination Port
  -X     extract Type
  -t <t> set the character to use to separate the data on output
   file(s)]
  
  Default behavior is to NOT print anything!
  %

  % scan-msgs -SsdX -t, < /tmp/scan > /tmp/scan.csv
  % wc -l /tmp/scan.csv
   720326 /tmp/scan.csv

The hostis with the mostis.

  % awk -F, '{print $1","$3","$4}' < /tmp/scan.csv | \
              uniq -c | sort -rn > /tmp/freq
  % wc -l /tmp/freq
      332 /tmp/freq
  % head /tmp/freq
   183117 66.27.122.247,1433,SYN ******S* 
   170329 61.140.188.183,1433,SYN ******S* 
    75244 64.227.176.144,21,SYN ******S* 
    65073 213.73.130.198,21,SYN ******S* 
    62497 149.169.200.13,6112,SYN ******S* 
    53597 62.62.191.76,21,SYN ******S* 
    48620 200.180.209.154,22,SYN ******S* 
    30857 202.178.185.119,515,SYN ******S* 
     9776 148.235.37.135,515,SYN ******S* 
     2090 66.75.219.99,27374,SYN ******S* 
  %

> 
> I don't get an alerts file because all my events go into a MySQL
> database, so I am only interested in something to crunch portscan.log.
> 
> HTML output would be nice if possible.
> 
> Just reaching out to see if there is something written already,
> otherwise I have a few ideas I'll follow up with.
> 
> Thanks,
> 
> Chris.
> 

-- 
Phil Wood, cpw at ...440...

-------------- next part --------------
#!/usr/bin/perl
# Copyright (C) 2002 Phil Wood 

# Program: scan-msgs
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
  
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
  
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

# Input format (one record per line; the port fields are absent for some
# protocols, e.g. "1.2.3.4 -> 5.6.7.8 UDP"):
# Jul 14 16:25:29 211.42.97.41:109 -> 204.121.3.246:109 SYNFIN **SF**** 

use Getopt::Std;   # replaces the old Perl 4 "getopts.pl" library

@Usage = (
        "Usage: $0 [",
        "-M     extract Month and day",
        "-T     extract Time",
        "-S     extract Source Address",
        "-s     extract Source Port",
        "-D     extract Destination Address",
        "-d     extract Destination Port",
        "-X     extract Type",
        "-t <t> set the character to use to separate the data on output",
        " file(s)]",
        "",
        "Default behavior is to NOT print anything!",
        ""
);

# getopts() sets $opt_M, $opt_T, ... in this package and returns false
# when an unknown option is seen.
$ok = getopts("MTSsDdXt:h");

if ($opt_h || !$ok) {
        foreach (@Usage) {
          print "$_\n";
        }
        exit 0;
}
if ("$opt_t" eq "") { $opt_t = " ";}


while (<>) {
 chomp;
 # Strip a leading "filename:" prefix, as produced by grep across several
 # portscan.log* files, but only when that file really exists.
 ($file,$rest) = m/^(.*scan[log\.s]+):(.*)$/;
 if (defined $file && -f $file) { $_ = $rest; }
 # Split off "Mon dd" and "HH:MM:SS"; the remainder goes back into $_.
 ($monthday, $time, $_) = m/^([A-Za-z0-9]+[\s]+[0-9]+)[\s]+([0-9:\.]+)[\s]+(.*)/;
 next unless defined $time;   # not a scan record, skip it
 if (/:/) {
   # address:port form, e.g. "1.2.3.4:109 -> 5.6.7.8:109 SYNFIN **SF****"
   ($src, $srcport, $dst, $dstport, $type) =
   m/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\s.*\s([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)[\s]+(.*)/;
 } else {
   # port-less form, e.g. "1.2.3.4 -> 5.6.7.8 UDP".  The "\s" before the
   # destination forces a whitespace boundary so the greedy ".*" cannot
   # swallow the leading digits of the destination address.  Ports are
   # cleared so a previous line's values are not printed for this one.
   ($src, $dst, $type) =
   m/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*\s([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)[\s]+(.*)/;
   $srcport = $dstport = "";
 }
 # Emit the selected fields, separated by $opt_t, in fixed order.
 $sep = "";
 if ($opt_M) { print "$sep$monthday";$sep = $opt_t;}
 if ($opt_T) { print "$sep$time";$sep = $opt_t;}
 if ($opt_S) { print "$sep$src";$sep = $opt_t;}
 if ($opt_s) { print "$sep$srcport";$sep = $opt_t;}
 if ($opt_D) { print "$sep$dst";$sep = $opt_t;}
 if ($opt_d) { print "$sep$dstport";$sep = $opt_t;}
 if ($opt_X) { print "$sep$type";$sep = $opt_t;}
 print "\n";
}
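As an added example (not Phil's script and not part of the original thread), here is a Python version of the same parse-and-summarize step: one regex handles both the address:port records and the port-less records, tolerates a grep-style "file:" prefix, and the tally of (source, destination port, type) is kept in a Counter so identical tuples are merged wherever they occur in the file. The record layout is assumed to be the one shown in the script's comment; the sample lines are constructed, not taken from a real portscan.log.

```python
import re
import sys
from collections import Counter

# Constructed sample of Snort portscan.log lines (assumption: the record
# layout is the one shown in the script's comment).  Not from the original
# mail.  It mixes a grep-style "file:" prefix, address:port records and a
# port-less protocol record, plus one junk line that must be skipped.
SAMPLE_LOG = """\
Jul 14 16:25:29 211.42.97.41:109 -> 204.121.3.246:109 SYNFIN **SF****
Jul 14 16:25:30 211.42.97.41:110 -> 204.121.3.246:110 SYNFIN **SF****
/var/log/snort/portscan.log:Jul 14 16:26:01 10.0.0.5:4001 -> 204.121.3.7:1433 SYN ******S*
Jul 14 16:26:02 10.0.0.5:4002 -> 204.121.3.8:1433 SYN ******S*
Jul 14 16:26:03 10.0.0.5:4003 -> 204.121.3.9:1433 SYN ******S*
Jul 14 16:27:11 192.0.2.9 -> 204.121.3.246 UDP
this line is not a portscan record
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Optional "filename:" prefix as produced by grep over several log files.
PREFIX = r"(?:[^\s:]*scan[\w.]*:)?"
# "Mon dd HH:MM:SS src[:sport] -> dst[:dport] TYPE FLAGS"
RECORD = re.compile(
    rf"^{PREFIX}(?P<monthday>[A-Za-z]{{3}}\s+\d{{1,2}})\s+"
    rf"(?P<time>[\d:.]+)\s+"
    rf"(?P<src>{IP})(?::(?P<sport>\d+))?\s+->\s+"
    rf"(?P<dst>{IP})(?::(?P<dport>\d+))?\s+"
    rf"(?P<type>.+?)\s*$"
)


def parse_line(line):
    """Return a dict of fields for one portscan.log line, or None if the
    line is not a scan record.  Port fields are None for port-less records."""
    m = RECORD.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def summarize(lines, top=10):
    """Tally (source, destination port, type), i.e. fields 1, 3 and 4 of the
    -SsdX CSV, using a Counter so identical tuples are merged wherever they
    occur.  Returns (top_n, skipped_line_count)."""
    counts = Counter()
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        counts[(rec["src"], rec["dport"] or "-", rec["type"])] += 1
    return counts.most_common(top), skipped


def format_report(top, skipped):
    """Render the tally in the same "count src,dport,type" shape as the
    /tmp/freq listing in the mail."""
    out = [f"{n:>8} {src},{dport},{typ}" for (src, dport, typ), n in top]
    out.append(f"# {skipped} line(s) did not parse")
    return "\n".join(out)


if __name__ == "__main__":
    # Read the portscan.log files named on the command line, or fall back
    # to the built-in sample when none is given.
    if sys.argv[1:]:
        import fileinput
        source = fileinput.input()
    else:
        source = SAMPLE_LOG.splitlines()
    print(format_report(*summarize(source)))
```

Run it as `python3 portscan_summary.py /var/log/snort/portscan.log*` to get the top-10 source/port/type triples across all rotated logs; with no arguments it reports on the sample, where the 10.0.0.5 SYN sweep of port 1433 across three hosts collapses into one line with a count of 3 and the junk line is reported as unparsed.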

