author | Mika Havela <mika.havela@gmail.com> | 2007-12-25 16:21:12 +0000 |
---|---|---|
committer | Mika Havela <mika.havela@gmail.com> | 2007-12-25 16:21:12 +0000 |
commit | 895e1cb0ad04a555ed8506c44815b04542cfbf67 (patch) | |
tree | e5e6ac58a98610c92bb5aab446bf9490191eb464 | |
parent | b9bbde3d9013b7ed4d73421bfffb79f4d963e528 (diff) | |
download | acf-snort-895e1cb0ad04a555ed8506c44815b04542cfbf67.tar.bz2 acf-snort-895e1cb0ad04a555ed8506c44815b04542cfbf67.tar.xz |
Grouping the alarms in 1)Priority 2)Classification
git-svn-id: svn://svn.alpinelinux.org/acf/snort/trunk@453 ab2d0c66-481e-0410-8bed-d214d4d58bed
-rw-r--r-- | snort-model.lua | 115 | ||||
-rw-r--r-- | snort-read-html.lsp | 31 |
2 files changed, 130 insertions, 16 deletions
diff --git a/snort-model.lua b/snort-model.lua
index f377a82..1746b1c 100644
--- a/snort-model.lua
+++ b/snort-model.lua
@@ -6,6 +6,55 @@ module (..., package.seeall)
 require("posix")
 require("fs")
+-- START SORT ################################################################################
+--[[
+function __genOrderedIndex( t )
+ local orderedIndex = {}
+ for key in pairs(t) do
+ table.insert( orderedIndex, key )
+ end
+ table.sort( orderedIndex )
+ return orderedIndex
+end
+
+function orderedNext(t, state)
+ -- Equivalent of the next function, but returns the keys in the alphabetic
+ -- order. We use a temporary ordered key table that is stored in the
+ -- table being iterated.
+
+ --print("orderedNext: state = "..tostring(state) )
+ if state == nil then
+ -- the first time, generate the index
+ t.__orderedIndex = __genOrderedIndex( t )
+ key = t.__orderedIndex[1]
+ return key, t[key]
+ end
+ -- fetch the next value
+ key = nil
+ for i = 1,table.getn(t.__orderedIndex) do
+ if t.__orderedIndex[i] == state then
+ key = t.__orderedIndex[i+1]
+ end
+ end
+
+ if key then
+ return key, t[key]
+ end
+
+ -- no more value to return, cleanup
+ t.__orderedIndex = nil
+ return
+end
+
+function orderedPairs(t)
+ -- Equivalent of the pairs() function on tables. Allows to iterate
+ -- in order
+ return orderedNext, t, nil
+end
+--]]
+-- END SORT ################################################################################
+
+
 local function get_version()
 local cmd = "snort -V 2>&1 | grep Version | sed 's/.*ersion\ /snort-/'"
 local cmd_output = io.popen( cmd )
@@ -60,7 +109,7 @@ service_control = function ( self, srvcmd )
 return retval
 end
-read_alert = function ()
+xxxread_alert = function ()
 local alertfile = "/var/log/snort/alert"
 local alerts = ""
 local fileresult = {}
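Review bot: The ordered-iteration helpers inserted after `require("fs")` sit entirely inside a `--[[ ... --]]` block, so the commit ships roughly forty-five lines of dead code that nothing calls. If the block is meant to be switched on later, `orderedNext` assigns `key` without `local` on both `key = t.__orderedIndex[1]` and `key = nil`, which under `module (..., package.seeall)` leaks a global, and it stores `t.__orderedIndex` inside the table being iterated, so that key becomes visible to any other `pairs` caller on the same table. I would either drop the block or keep it as `local function` definitions with `local key` declared at the top of `orderedNext`, and replace the 5.1-only `table.getn(...)` with `#t.__orderedIndex`. The second hunk on this line only renames the previous reader to `xxxread_alert`, which still exports it from the module; it can be removed once the new reader is confirmed working.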
@@ -105,3 +154,67 @@ read_alert = function ()
 return alerts,presentationtable
 end
+read_alert = function ()
+ local alertfile = "/var/log/snort/alert"
+ local alertcount = 0
+ local alertpriority = {}
+ local alertprioritytmp = ""
+ local priority = ""
+ local classification = ""
+ local currid = ""
+ local prevrid = ""
+ local count = {}
+ local liboutput = fs.read_file_as_array(alertfile)
+ if (liboutput) then
+ for k,v in ipairs(liboutput) do
+ --DEBUG
+-- if (k == 1) then break end
+ currid = string.match(v, "^.*%[%*%*%]%s*%[(%d+:%d+:%d+)%].*")
+ if (currid) then
+ local priority = string.match(liboutput[k+1],"^.*%[.*lassification:%s*.*%]%s*%[(.*)%]") or "Priority: Unknown"
+ local classification = string.match(liboutput[k+1],"^.*%[.*lassification:%s*(.*)%]%s*%[") or "Classification: Unknown"
+ if (alertpriority[priority] == nil) then
+ alertpriority[priority] = {}
+ end
+ if (alertpriority[priority][classification] == nil) then
+ alertpriority[priority][classification] = {}
+ end
+ alertpriority[priority][classification][currid] = {}
+ if (alertpriority[priority][classification][currid]["value"] == nil) then
+ alertpriority[priority][classification][currid]["value"] = {}
+ end
+ -- COUNTER
+ if not (count[priority..classification..currid]) then
+ count[priority..classification..currid] = 0
+ end
+ count[priority..classification..currid] = count[priority..classification..currid] + 1
+ alertpriority[priority][classification][currid]["count"] = count[priority..classification..currid]
+ for i=0, 10 do
+ local rowvalue = liboutput[k+i]
+ if (rowvalue == "") then
+ break
+ end
+ if (rowvalue) then
+ table.insert(alertpriority[priority][classification][currid]["value"],rowvalue)
+ end
+ end
+ alertcount = alertcount + 1
+ end
+ end
+ end
+--[[
+t = {
+ ['a'] = 'xxx',
+ ['b'] = 'xxx',
+ ['c'] = 'xxx',
+ ['d'] = 'xxx',
+ ['e'] = 'xxx',
+}
+
+ for key, val in orderedNext(t) do
+ t=key
+ end
+--]]
+ return alertcount,alertpriority
+end
+
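Review bot: The two `string.match(liboutput[k+1], ...)` calls that set the inner `priority` and `classification` raise a bad-argument error when the `[**] [gid:sid:rev]` header is the last line of the alert file, because `liboutput[k+1]` is then `nil`; read it once as `local nextline = liboutput[k+1] or ""` and match against `nextline`, which also keeps the existing "Unknown" fallbacks for a truncated final record. The entry is rebuilt with `alertpriority[priority][classification][currid] = {}` on every occurrence, so the `["value"] == nil` check right after it is always true and the separate `count` table keyed by the concatenated strings exists only to survive that reset; incrementing `["count"]` on an entry created once (`if not alertpriority[priority][classification][currid] then ... end`) would drop the extra table. `alertprioritytmp`, `prevrid` and the outer `priority`/`classification` locals are never used (the inner `local` declarations shadow the outer two), and the `--[[ t = ... --]]` block before the return is leftover debugging that also assigns the global `t`. A short header comment should state that the returned table is keyed `[priority][classification][id]` with `value` holding the lines of the last occurrence and `count` the number of occurrences, since the view depends on exactly that shape.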
diff --git a/snort-read-html.lsp b/snort-read-html.lsp
index 5b10a4f..8b53971 100644
--- a/snort-read-html.lsp
+++ b/snort-read-html.lsp
@@ -1,6 +1,4 @@
 <? local view = ... ?>
-<html>
-<body>
 <h1>SYSTEM INFO</h1>
 <dt>Program version</dt>
 <dd><?= view.status.version ?></dd>
@@ -17,23 +15,28 @@
 <dd><pre><?= view.srvcmdresult ?></pre></dd>
 <? end ?>
-
 <h1>ALERT(S)</h1>
 <dt>Status</dt>
 <dd><?= view.alerts ?> alert(s)</dd>
-<? if (alerts ~= "0") then ?>
-<? for i = 1, view.alerts do ?>
- <h2><?= view.alertresult[i].priority ?></h2>
- <h3><?= view.alertresult[i].classification ?></h3>
- <P><B><?= view.alertresult[i][1] ?></B><BR>
- <? for j = 2, 10 do ?>
- <? if not (view.alertresult[i][j]) then break end ?>
- <?= view.alertresult[i][j] ?><BR>
+<? ---[[ ?>
+<? for i in pairs(view.alertresult) do ?>
+ <h2><?= i ?></h2>
+ <? for j in pairs(view.alertresult[i]) do ?>
+ <h3><?= j ?></h3>
+ <? for k in pairs(view.alertresult[i][j]) do ?>
+ <p><B><?= view.alertresult[i][j][k]["value"][1] ?></B><BR>
+ <? for l=2, table.maxn(view.alertresult[i][j][k]["value"]) do ?>
+ <?= view.alertresult[i][j][k]["value"][l] ?><BR>
+ <? end ?>
+ <I>(This alarm is repeated <B><?= view.alertresult[i][j][k]["count"] ?></B> times)</I></p>
 <? end ?>
- <I>(This alarm is repeated <B><?= view.alertresult[i]["count"] ?></B> times)</I></P>
-<? end ?>
+
+ <? end ?>
 <? end ?>
+<? --]] ?>
+
+
 <? --[[
 DEBUG INFORMATION
@@ -42,5 +45,3 @@
 io.write(debugs.variables(view))
 --]]
 ?>
-</body>
-</html>
 |
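Review bot: The three nested `for ... in pairs(...)` loops in the ALERT(S) section iterate in unspecified order, so the grouping the commit message promises ("1)Priority 2)Classification") comes out in hash order and the `<h2>` sections for different priorities can change position between page loads; collecting the keys into a list and `table.sort`-ing it before each loop (or enabling the ordered-iteration helper this commit adds commented out in snort-model.lua) would make the grouping deterministic. Every value printed with `<?= ... ?>` here — the priority and classification keys `i` and `j` and each `["value"][l]` line — is copied verbatim from /var/log/snort/alert, and nothing in the template escapes it for HTML; the file is written by Snort, so the exposure is limited and I cannot tell from here which fields may carry bytes taken from traffic, but escaping at the output point costs little and keeps the page from depending on the log format staying clean. `table.maxn` is Lua 5.1 only; since `value` is filled with `table.insert` in the model, `#view.alertresult[i][j][k]["value"]` would do. The `<? ---[[ ?>` and `<? --]] ?>` lines are plain line comments (`---[[` does not open a block comment), which looks like a deliberate toggle, but a short comment such as `<? -- remove one dash on the next line to disable this block ?>` would make that intent explicit.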