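#!/usr/bin/perl
# Snort2HTML 1.0 by Dan Swan, January 28, 00.
# Special thanks to Martin Roesch for writing a friendly, kickass NIDS,
# and to Max Vision for the use of his attack signatures database.
# Distribute and modify freely, but give credit where credit is due!
#
# INSTALLATION: Place this file in /usr/local/bin. To update the webpage regularly,
# paste the following quoted text into /etc/cron.hourly/snortupdate:
# "/usr/local/bin/snort2html", and make sure both files are executable.
#
# WARNING: You should consider placing this file into a password protected directory
# on your web server, or simply not putting a link on your default page.
# After all, do you really want strangers to be able to tell what shows up
# (and what doesn't show up) in your logs?
#
# TODO: -Display service on Target port
#       -More color coding of source port (suggestions welcome!)
#       -A cgi wrapper to update page when accessed.
#       -Dynamic sorting by clicking on column header.
#       -Command line flags to control formatting
#
# Note: I am interested in any suggestions on improving the code, features
# you'd like to see, or tips on making the output more lynx-friendly.
# Please send them to swan_daniel@hotmail.com

use strict;
use warnings;
use Socket;
use POSIX qw(strftime);
use Sys::Hostname;

##############################
#        Configuration       #
##############################
my $logfile    = "/var/log/secure";                   # Change this variable to specify a different logfile
my $outputfile = "/home/httpd/html/snort2html.html";  # HTML file the log will be written to
my $hostname   = hostname();
my $time       = strftime "%b %d at %H:%M", localtime;

# Raised by generatehtmlbody() when a source port falls in the range the
# script treats as Linux IP masquerading (61001-65095); the footer then
# prints a legend entry.
my $MASQHOST = 0;

# Output handle and temporary filename: generatehtmlheader() opens the
# temporary file, generatehtmlfooter() closes it and renames it over
# $outputfile, so readers of the web page never see a half-written file.
my $html_fh;
my $tmpfile = "$outputfile.tmp";

# Fields of the log line currently being rendered.  parse_snort_line()
# fills them in; timecolor() and generatehtmlbody() read them.  This keeps
# the zero-argument calling convention of the original subroutines.
my ($month, $day, $timeofday, $hour, $attack, $searchattack);
my ($sourceip, $sourceport, $sourcehost, $targetip, $targetport, $targethost);
my ($hourcolor, $sourceportcolor);

##############################
#            Main            #
##############################
generatehtmlheader();

open my $log_fh, '<', $logfile or die "Unable to open $logfile: $!";
LINE: while (my $line = <$log_fh>) {
    chomp $line;
    # Only snort's own messages are of interest.  (The previous pattern
    # /.*snort*/ applied the * to the final "t" and so also matched "snor".)
    next LINE unless $line =~ /snort/;
    # A line the field pattern cannot parse is skipped; previously the
    # captures left over from the preceding line were rendered again.
    next LINE unless parse_snort_line($line);
    timecolor();
    generatehtmlbody();
}
close $log_fh or die "Unable to close $logfile: $!";

generatehtmlfooter();

#############################################################
####################    Subroutines    ######################
#############################################################

# Splits one log line into the per-line fields declared above.
# Returns true on success, false when the line does not match the layout.
sub parse_snort_line {
    my ($line) = @_;
    my @field = $line =~ /(.*\s[1-9]*)(\d+\s)(..:..:..\s)(.*:\s)(.*:\s)(.*\d\s)(.*\s)(.*)/
        or return 0;

    ($month, $day, $timeofday) = @field[0 .. 2];
    # $field[3] and $field[6] are captured but not displayed.
    ($hour = $timeofday) =~ s/:.*//;    # keep only the HH part
    ($attack = $field[4]) =~ s/://;     # drop the colon terminating the attack name
    ($sourceip, $sourceport) = _split_ip_port($field[5]);
    ($targetip, $targetport) = _split_ip_port($field[7]);
    $sourcehost = _reverse_lookup($sourceip);
    $targethost = _reverse_lookup($targetip);

    # Attack name in query-string form ("+" for spaces, trailing "+" chopped).
    # Presumably intended for a link into the attack signature database; the
    # link markup was not present in the copy reviewed, so nothing uses it yet.
    ($searchattack = $attack) =~ s/\s/+/g;
    chop $searchattack;
    return 1;
}

# "a.b.c.d:port " -> ("a.b.c.d", "port"), using the same two substitutions
# the original applied; the trailing separator space is dropped from the port.
sub _split_ip_port {
    my ($field) = @_;
    (my $ip   = $field) =~ s/:.*//;
    (my $port = $field) =~ s/.*://;
    $port =~ s/\s+\z//;
    return ($ip, $port);
}

# Reverse DNS for one dotted-quad IPv4 address; undef when the field is not
# such an address or has no PTR record.  Restricting the input avoids
# handing arbitrary log text to inet_aton() (which would try a forward
# lookup on it) and passing an undef packed address to gethostbyaddr().
sub _reverse_lookup {
    my ($ip) = @_;
    return unless defined $ip && $ip =~ /\A\d{1,3}(?:\.\d{1,3}){3}\z/;
    my $packed = inet_aton($ip) or return;
    return scalar gethostbyaddr($packed, AF_INET);
}

# Every cell value comes from the log line or from reverse DNS, i.e. from the
# remote side; escape it so it is rendered as text rather than as markup.
sub _html_escape {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}

# Picks the colour of the time cell from the hour: 00-05 black, 06-17 yellow,
# 18-23 orange.  Replaces the 24-branch elsif chain.  An hour that is not a
# number or is out of range now gets black instead of silently keeping the
# colour chosen for the previous line.
sub timecolor {
    if ($hour !~ /\A\d+\z/) {
        $hourcolor = "#000000";
    }
    elsif ($hour <= 5) {
        $hourcolor = "#000000";
    }
    elsif ($hour <= 17) {
        $hourcolor = "#EEEE00";
    }
    elsif ($hour <= 23) {
        $hourcolor = "#FFCC00";
    }
    else {
        $hourcolor = "#000000";
    }
    return;
}

# Opens the temporary output file and writes the document head and the
# table heading row.  Dies when the file cannot be created (the original
# opened it unchecked and wrote into a closed handle on failure).
# NOTE(review): the tag markup was missing from the copy of this script
# that was reviewed; the layout below is reconstructed from the visible
# headings and cell order and may differ from the author's.
sub generatehtmlheader {
    open $html_fh, '>', $tmpfile or die "Unable to create $tmpfile: $!";
    my $host = _html_escape($hostname);
    print {$html_fh} <<"END_HEADER";
<HTML>
<HEAD>
<TITLE>Hot dog! Jumping frog! Its an html2snort log!</TITLE>
</HEAD>
<BODY>
<H1>Snort log for $host</H1>
<TABLE BORDER="1">
<TR><TH>Date</TH><TH>Time</TH><TH>Attack</TH><TH>Source Host</TH><TH>Source Port</TH><TH>Target Host</TH><TH>Target Port</TH></TR>
END_HEADER
    return;
}

# Writes one table row for the fields filled in by parse_snort_line().
# Hostnames fall back to the bare address when reverse DNS gave nothing.
sub generatehtmlbody {
    if ($sourceport =~ /\A\d+\z/ && $sourceport > 61000 && $sourceport < 65096) {
        $sourceportcolor = "#00BB00";    # port range used by Linux masquerading
        $MASQHOST        = 1;
    }
    else {
        $sourceportcolor = "#000000";
    }

    my @cell = (
        _html_escape("$month $day"),
        qq{<FONT COLOR="$hourcolor">} . _html_escape($timeofday) . '</FONT>',
        _html_escape($attack),
        _html_escape($sourcehost || $sourceip),
        qq{<FONT COLOR="$sourceportcolor">} . _html_escape($sourceport) . '</FONT>',
        _html_escape($targethost || $targetip),
        _html_escape($targetport),
    );
    print {$html_fh} '<TR>', (map { "<TD>$_</TD>" } @cell), "</TR>\n";
    return;
}

# Writes the closing tags, the masquerading legend when needed, then closes
# the temporary file and moves it into place.  Both close and rename are
# checked so a full disk or a missing directory is reported, not ignored.
sub generatehtmlfooter {
    print {$html_fh} "</TABLE>\n";
    if ($MASQHOST) {
        print {$html_fh}
            qq{<P><FONT COLOR="#00BB00">DS</FONT> =Possible linux masquerading host.</P>\n};
    }
    my $stamp = _html_escape($time);
    print {$html_fh}
        "<P>This page generated from snort logs on $stamp using snort2html by Dan Swan.</P>\n";
    print {$html_fh} "</BODY>\n</HTML>\n";
    close $html_fh or die "Unable to write $tmpfile: $!";
    rename $tmpfile, $outputfile
        or die "Unable to rename $tmpfile to $outputfile: $!";
    return;
}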