#!/usr/bin/perl -WT
# ###########################################################
#
# Snort.cgi v2.0
# by dlm21
# decker@n3t.net
# http://www.n3t.net
#
# ##########################################################
#
# Perl script to format Snort 1.6.X IDS logs (w/ -fast logging)
#
# Make sure you 'chmod 4755 snort.cgi' (suid) so it can read the log files...
#
# *** NOTE *** Making a cgi script suid root is VERY DANGEROUS
# USE AT YOU OWN DISCRETION !!!!
# While I've kept security in mind as a top priority,
# I'm not infallable...
# It would be a good idea to keep this in a .htaccess
# protected directory at the very least...
#
# ##########################################################
#
# NOTE(review): this listing was recovered from a web page that stripped the
# HTML markup out of the source.  Visible casualties: the filehandle reads
# (`@data=;`, `@info = ;` — presumably `<STUFF>` / `<FILEN>`), the bodies of
# most `print` statements (now just "\n"), heredoc text that appears out of
# order, and at least one closing brace (the `elsif 'getdetail'` block is
# never closed in the visible text).  Treat this as a readable reconstruction,
# not a runnable file — confirm every garbled spot against the original.
#
# Overall flow: parse QUERY_STRING by hand, then either render the alert log
# (no `action`) or render the per-source-IP directory (`action=getdetail`).
# No `use strict`/`use warnings`; every variable is a package global.
#
# Variables
###########
# Location of the snort.alert log file
$log="/var/log/snort/snort.alert";
#
# The WWW server's IP address
$myip="24.2.17.123";
#
# Nameservers (they can make a lot of noise if your ruleset is misconfigured)
# NOTE(review): both are interpolated unescaped into regexes below, so the
# dots match any character; `\Q$nameserver1\E` would match literally.
$nameserver1 = "24.2.15.15";
$nameserver2 = "24.2.15.17";
#
# Font color of the Detailed Info
# (the tag that was here was stripped by the page extraction)
$dtc = "";
#
# Generic catch for when the src_port or dst_port is not logged
# NOTE(review): these are globals that are only reset when empty, so a port
# parsed from one log entry carries over into later entries that have none.
$srcport = "?";
$dstport = "?";
#
##########################################################
# You shouldn't need to configure anthing below this line
##########################################################
# Taint mode (-T) requires a trusted PATH even though nothing is exec'd.
$ENV{PATH} = join ':' => split (" ", << '__EOPATH__');
/home/apache/cgi-bin/
__EOPATH__
print "Content-type: text/html\n\n";
# Hand-rolled GET parameter parsing: %FORM maps name => "sanitised" value.
$buffer = $ENV{'QUERY_STRING'};
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    $value =~ tr/+/ /;
    # NOTE(review): with an empty replacement list and no /d, tr/// only
    # counts NULs — it does not remove them (`tr/\0//d` would).
    $value =~ tr/\0//;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    $value =~ s/~!/ ~!/g;
    # Strip anything tag-like, then backslash-escape shell/regex metachars.
    # The escaping does not untaint the value; -T still regards it as tainted.
    $value =~ s/<([^>]|\n)*>//g;
    $value =~ s/([;<>\*\|`&\$!#\(\)\[\]\{\}:'"\n])/\\$1/g;
    $FORM{$name} = $value;
}
$action = $FORM{'action'};
if($action eq '') {
    # Default view: the whole alert log, one row per line.
    # NOTE(review): bareword handle, 2-arg open, and `die print(...)` dies
    # with print's return value (1) after writing the message to the page;
    # `or die "Unable to open the data file"` was presumably the intent.
    open (STUFF, "<$log") or die print("Unable to open the data file");
    # NOTE(review): the read operand was lost in extraction — presumably <STUFF>.
    @data=;
    close(STUFF);
    print <<"_HTML_";
n3t.net Snort Log Analyser (by dlm21)
Snort Logs for n3t.net

_HTML_
;
    foreach $data(@data) {
        # Drop nameserver traffic and portscan status lines entirely.
        if(($data =~ /$nameserver1/) || ($data =~ /$nameserver2/)) {
            $data = "";
        }
        elsif($data =~ /logfile turned over/) {
            # Log-rotation marker; $bs is a throwaway slot used twice.
            ($m, $bs, $d, $tiempo, $bs) = split(/ /, $data, 5);
            print "\n";
        }
        elsif($data =~ /portscan status/) {
            $data ="";
        }
        else {
            # Normalise one -fast alert line: drop "[**]" and the
            # "spp_portscan:" prefix, strip a fractional-seconds suffix
            # (presumably — the pattern is six digit runs after a dot),
            # turn "-" into a space and ">" into "->".
            $data =~ s/\[\*\*\]//ig;
            $data =~ s/spp\_portscan\://ig;
            $data =~ s/\.[0-9]+[0-9]+[0-9]+[0-9]+[0-9]+[0-9]//ig;
            $data =~ s/\-/ /ig;
            $data =~ s/\>/\-\>/ig;
            $data =~ s/PORTSCAN DETECTED/Portscan Detected/g;
            # NOTE(review): these two substitutions read identically after
            # extraction; the originals likely collapsed runs of spaces.
            $data =~ s/ / /ig;
            $data =~ s/ / /ig;
            ($date, $time, $attempt) = split(/ /, $data, 3);
            # $at2 = the first IPv4-looking token that is not this host,
            # used as the `addy` parameter of the detail link.
            $at2 = $attempt;
            $at2 =~ s/$myip//ig;
            $at2 =~ s/^.*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*?$/$1/;
            $at2 =~ s/\n//ig;
            # Highlight our own address in the attempt text ($myip is used
            # as an unescaped regex here too).
            if($attempt =~ $myip) {
                $attempt =~ s/$myip/\$myip\<\/b\>/ig;
            }
            print "\n";
        }
    }
    # NOTE(review): the table rows that belong to the two print "\n" calls
    # above appear to have been folded into this heredoc by the extraction.
    print <<"_HTML2_";
DATE TIME INTRUSION ATTEMPT INFORMATION
   
$m $d$tiempo
-=-=-=-=-=-=-=-=- Snort Log File Rotated -=-=-=-=-=-=-=-=-
$date$time$attempt"; print " Get details on $at2 <\/font><\/a>
   
by decker  
Download at http://www.n3t.net/downloads/snort.txt © 2000 Neolight Technologies
_HTML2_
;
}
elsif($FORM{'action'} eq 'getdetail') {
    # Detail view: list every file under /var/log/snort/<addy>/.
    $addy = $FORM{'addy'};
    $addy =~ s/\.\./BAD INPUT/ig;
    # Reject on a character blacklist, or when no dotted-quad is present.
    # NOTE(review): the error text promises "0-9 and ." only, but the check
    # accepts any other character as long as a dotted quad appears somewhere.
    # Because the parser above backslash-escapes metachars and "\" is on
    # this blacklist, escaped input is rejected here indirectly.  NULs are
    # not on the list and were not removed above.  Taint mode does not
    # block read-only opendir/open on tainted paths, so this check is the
    # only guard on the directory name.
    if(($addy =~ /[\[\;\>\<\&\*\%\$\\\/\^\$\(\)\`\|\]\']/) || ($addy !~ m/^.*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*?$/)) {
        print "Bad Input\n";
        print "Sorry, you can only use 0-9 and .
\n";
        print "You entered something besides that.
\n";
        print "Try again, legitimately this time...
\n";
        print "snort.cgi";
        print "\n";
        print "\n";
        exit;
    }
    # DANGEROUS !!! ( GLOB is bad, but simple ;p )
    # @files = glob("/var/log/snort/$addy/*");
    # NOTE(review): opendir is unchecked — a missing or unreadable directory
    # leaves @files empty with no message, and readdir on an unopened handle
    # warns under -W.
    $logdir = "/var/log/snort/$addy/";
    opendir LOGDIR,$logdir;
    @files = readdir(LOGDIR);
    closedir LOGDIR;
    # $addy is interpolated into the page; only the tag-stripping and
    # backslash-escaping done during parsing stand between it and the HTML.
    print <<"_HTML_";
Detail attack info for $addy
Detailed Attack Information concerning $addy

_HTML_
;
    # No reason to have this ...
    # print "
    #  
    #  
    # Relevant log files for $addy : @files <\/td><\/tr>
    foreach $filename (@files) {
        # NOTE(review): this condition is always true ("." ne ".." and
        # ".." ne "."), so "." and ".." are opened too; `&&` was intended.
        if(($filename ne ".") || ($filename ne "..")) {
            # NOTE(review): unchecked 2-arg open on a bareword handle; the
            # read operand on the next line was lost in extraction
            # (presumably <FILEN>).
            open(FILEN, "<$logdir$filename");
            @info = ;
            close(FILEN);
            foreach $infoline (@info) {
                if($infoline =~ /\[\*\*\]/) {
                    $infoline =~ s/\[\*\*\]//g;
                    # NOTE(review): the line's own text is used as the regex
                    # pattern; any regex metacharacter in the log line (e.g.
                    # an unbalanced "[") can change the match or make the
                    # pattern fail to compile.  `s/^/.../` or \Q...\E avoids that.
                    $infoline =~ s/$infoline/Attack Description :<\/b>$dtc $infoline <\/font>/;
                }
                if($infoline =~ m/(\d{1,2}\/\d{1,2})/) {
                    # Header line: "<mm/dd>-<hh:mm:ss[.frac]> <src[:port]> -> <dst[:port]>"
                    # (inferred from the splits below — confirm against a log).
                    ($date2, $attacker, $bs, $meme) = split(/ /,$infoline, 4);
                    ($dayofmonth, $time2) = split(/-/,$date2, 2);
                    if($time2 =~ /\./) {
                        ($time2, $bs) = split(/\./,$time2,2);
                    }
                    ($hr, $min, $sec) = split(/:/,$time2,3);
                    # NOTE(review): $pam is only ever set to 1 and never reset,
                    # so once an afternoon entry is seen every later entry in
                    # this request prints "PM".  Hour 12 stays "12 AM" and
                    # hour 0 prints "0 AM".  Before it is set, `$pam == 0`
                    # is true but warns under -W.
                    if($hr > 12) {
                        $hr = $hr - 12;
                        $pam = 1;
                    }
                    # Ports are only reassigned when present; see the note on
                    # $srcport/$dstport at the top.
                    if($attacker =~ /:/) {
                        ($attacker, $srcport) = split(/:/,$attacker,2);
                    }
                    if($meme =~ /:/) {
                        ($meme, $dstport) = split(/:/,$meme,2);
                    }
                    print "
Date : $dtc $dayofmonth <\/font><\/td><\/tr>\n";
                    if($pam == 1) {
                        print "
Time :$dtc $hr : $min : $sec PM <\/font><\/td><\/tr>\n";
                    }
                    if($pam == 0) {
                        print "
Time :$dtc $hr : $min : $sec AM <\/font><\/td><\/tr>\n";
                    }
                    if($srcport eq "") { $srcport = "?"; }
                    if($dstport eq "") { $dstport = "?"; }
                    print "
Attacker\'s IP : $dtc$attacker <\/font>          Source Port :$dtc $srcport<\/font><\/td><\/tr>\n";
                    print "
Target\'s IP : $dtc $meme <\/font>             Destination Port : $dtc $dstport<\/font><\/td><\/tr>\n";
                }
                elsif($infoline =~ /TOS/) {
                    # Packet header line: "<proto> TTL:<n> TOS:<x> ID:<n> ..."
                    # — $bs receives the "TTL"/"TOS"/"ID" labels.
                    ($protocol, $ttl, $tos, $id) = split(/ /,$infoline,4);
                    ($bs, $ttl) = split(/:/,$ttl,2);
                    ($bs, $tos) = split(/:/,$tos,2);
                    ($bs, $id) = split(/:/,$id,2);
                    print "
Protocol :$dtc $protocol<\/font><\/td><\/tr>\n ";
                    print "
Time to Live :$dtc $ttl <\/font><\/td><\/tr>\n ";
                    print "
Type of Service :$dtc $tos<\/font><\/td><\/tr>\n";
                    print "
Packet ID :$dtc $id<\/font><\/td><\/tr>\n";
                }
                elsif($infoline =~ /\+=\+=\+=\+=/) {
                    # Record separator line.
                    print "
 <\/td><\/tr>";
                }
                else {
                    # Anything else (payload dumps etc.) is echoed verbatim,
                    # unescaped, into the page.
                    print "
Misc Info :<\/b> $dtc $infoline <\/font> <\/td><\/tr>";
                }
            }}}
    # NOTE(review): by brace count the `foreach $filename` loop is still open
    # here and the closing `}` after the final `exit` below closes it rather
    # than the elsif block; one brace was presumably lost in extraction.
    print <<"_HTML2_";
End of Detailed Attack Info
 
 
\n"; print "\n"; print "\n";
_HTML2_
;
    exit;
}
exit;