require 'Log'
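class Snort < Log
  # Patterns for the three lines of a Snort full-format alert block.
  # Each is a verbatim copy of the regex the parser methods below used inline;
  # keeping them as frozen constants avoids re-compiling them per log entry.
  #
  # Title line:          "[**] [1:100000160:2] message_of_the_title [**]"
  TITLE_RE = /\[\*\*\] [\d\:\[\]]+ ([a-zA-Z\s\/\(\)\d\>\_\:\-\.\*]+) \[\*\*\]/.freeze
  # Classification line: "[Classification: Attempted Denial of Service] [Priority: 2] "
  CLASIF_RE = /\[Classification\: ([a-zA-Z\s]+)\] \[Priority\: (\d+)\] /.freeze
  # Classification line without a classification (some rules carry none).
  PRIORITY_RE = /\[Priority\: (\d+)\] /.freeze
  # Header line:         "05/24-05:18:48.990878 source_ip+port -> dest_ip+port"
  SOURCE_IP_RE = /[\d\/\-\:\.]+ ([\d\.\:]+) \-\> [\d\.\:]+/.freeze

  # Above this many new entries in one modification, a single summary alert
  # is shown instead of one alert per entry.
  MAX_ENTRIES_PER_ALERT = 10

  # Path of the log file being watched. @@filepath is not assigned in this
  # file -- presumably set up by Log; confirm there.
  def get_filepath
    @@filepath
  end

  # Analyse one log entry (a multi-line alert block) and raise an alert on
  # the CLI and the GUI.
  #
  # The entry is expected in Snort's full alert format: title line, then the
  # classification/priority line, then the timestamp/addresses line. A short
  # entry or a line that does not match its pattern yields nil for that field
  # (interpolated as empty text) instead of raising NoMethodError, so one
  # unexpected log block cannot take the whole monitor down.
  #
  # @param entry [String] one alert block as returned by get_difference
  def analysis( entry )
    lines = entry.to_s.split(/\n/)
    alert_msg = get_snort_title( lines[0].to_s )
    alert_clasif = get_snort_clasif( lines[1].to_s )
    alert_scip = get_snort_source_ip( lines[2].to_s )

    display_msg = "+ #{alert_msg}\n"
    display_msg += "+ #{alert_clasif[0]}\n" if alert_clasif[0]
    display_msg += "+ Priority: #{alert_clasif[1]}\n"
    display_msg += "+ Source: #{alert_scip}\n"

    display_cli("Snort Alert", display_msg)
    display_gui("Snort Alert", display_msg)
  end

  # Callback triggered when the log file is modified. The (misspelled) name is
  # kept because it is the hook name the rest of the program calls -- presumably
  # from Log; confirm before renaming.
  #
  # Alerts once per new entry, or once in total when more than
  # MAX_ENTRIES_PER_ALERT entries arrived at once.
  def log_moddified
    entries = get_difference
    if entries.size > MAX_ENTRIES_PER_ALERT
      display_cli("Snort Alert", "Multiple snort log entries. Please see the log file")
      display_gui("Snort Alert", "Multiple snort log entries. Please see the log file")
      return
    end
    entries.each { |entry| analysis(entry) }
  end

  # Returns the alert blocks appended to the log since the last read, one
  # String per block; blank lines separate blocks.
  #
  # Reads @@file from offset @@last_eof, then advances @@last_eof to
  # @@current_eof. None of these class variables is assigned elsewhere in this
  # file -- presumably maintained by Log; confirm there.
  #
  # Runs of consecutive blank lines (or a blank line at the very start of the
  # new region) used to leave nil gaps in the returned array, which then made
  # analysis() fail on entry.split; such gaps are no longer produced.
  #
  # @return [Array<String>] the new, non-empty alert blocks in file order
  def get_difference()
    entries = []
    current = nil
    @@file.seek(@@last_eof, IO::SEEK_SET)
    @@file.each do |line|
      if line == "\n"
        # A blank line closes the block being accumulated, if there is one.
        entries << current if current
        current = nil
      else
        current = current ? current + line : line
      end
    end
    # A final block not followed by a blank line still counts.
    entries << current if current
    @@last_eof = @@current_eof
    entries
  end

  # Extracts the rule message from the title line, e.g.
  # "[**] [1:100000160:2] message_of_the_title [**]" -> "message_of_the_title".
  #
  # Only text matching the capture's character class is returned, so the
  # display helpers never receive anything outside that set; a line that does
  # not match yields nil (previously aux[0][0] raised NoMethodError).
  #
  # @param strx [String] the title line
  # @return [String, nil]
  def get_snort_title(strx)
    m = TITLE_RE.match(strx.to_s)
    m && m[1]
  end

  # Splits the classification line into [classification, priority], e.g.
  # "[Classification: Attempted Denial of Service] [Priority: 2] "
  #   -> ["Attempted Denial of Service", "2"].
  #
  # Some rules carry no classification; then [nil, priority] is returned.
  # If not even the priority matches, [nil, nil] is returned (previously
  # raised NoMethodError).
  #
  # @param strx [String] the classification/priority line
  # @return [Array(String, String), Array(nil, String), Array(nil, nil)]
  def get_snort_clasif(strx)
    text = strx.to_s
    m = CLASIF_RE.match(text)
    return m.captures if m

    prio = PRIORITY_RE.match(text)
    [nil, prio && prio[1]]
  end

  # Extracts the source address (with port) from the header line, e.g.
  # "05/24-05:18:48.990878 source_ip+port -> dest_ip+port" -> "source_ip+port".
  #
  # The capture class limits the result to digits, dots and colons; a line
  # that does not match yields nil (previously aux[0][0] raised NoMethodError).
  #
  # @param strx [String] the timestamp/addresses line
  # @return [String, nil]
  def get_snort_source_ip(strx)
    m = SOURCE_IP_RE.match(strx.to_s)
    m && m[1]
  end
end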