From 895e1cb0ad04a555ed8506c44815b04542cfbf67 Mon Sep 17 00:00:00 2001 From: Mika Havela Date: Tue, 25 Dec 2007 16:21:12 +0000 Subject: Grouping the alarms in 1)Priority 2)Classification git-svn-id: svn://svn.alpinelinux.org/acf/snort/trunk@453 ab2d0c66-481e-0410-8bed-d214d4d58bed --- snort-model.lua | 115 +++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 114 insertions(+), 1 deletion(-) (limited to 'snort-model.lua') diff --git a/snort-model.lua b/snort-model.lua index f377a82..1746b1c 100644 --- a/snort-model.lua +++ b/snort-model.lua 
@@ -6,6 +6,55 @@ module (..., package.seeall) require("posix") require("fs") +-- START SORT ################################################################################ +--[[ +function __genOrderedIndex( t ) + local orderedIndex = {} + for key in pairs(t) do + table.insert( orderedIndex, key ) + end + table.sort( orderedIndex ) + return orderedIndex +end + +function orderedNext(t, state) + -- Equivalent of the next function, but returns the keys in the alphabetic + -- order. We use a temporary ordered key table that is stored in the + -- table being iterated. + + --print("orderedNext: state = "..tostring(state) ) + if state == nil then + -- the first time, generate the index + t.__orderedIndex = __genOrderedIndex( t ) + key = t.__orderedIndex[1] + return key, t[key] + end + -- fetch the next value + key = nil + for i = 1,table.getn(t.__orderedIndex) do + if t.__orderedIndex[i] == state then + key = t.__orderedIndex[i+1] + end + end + + if key then + return key, t[key] + end + + -- no more value to return, cleanup + t.__orderedIndex = nil + return +end + +function orderedPairs(t) + -- Equivalent of the pairs() function on tables. Allows to iterate + -- in order + return orderedNext, t, nil +end +--]] +-- END SORT ################################################################################ + + local function get_version() local cmd = "snort -V 2>&1 | grep Version | sed 's/.*ersion\ /snort-/'" local cmd_output = io.popen( cmd ) @@ -60,7 +109,7 @@ service_control = function ( self, srvcmd ) return retval end -read_alert = function () +xxxread_alert = function () local alertfile = "/var/log/snort/alert" local alerts = "" local fileresult = {} 
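Review bot: The sort helpers added at the top of the file land inside a `--[[ ... --]]` block, so they are dead code, and as written they would not be safe to switch on: `orderedNext` assigns `key` without `local` (an accidental global), and it stashes `t.__orderedIndex` inside the very table being iterated, so any `pairs()` over that table would see a spurious `__orderedIndex` key until the iterator runs to completion, and an early `break` leaves it behind for good. The per-step rescan `for i = 1,table.getn(t.__orderedIndex)` also makes one full iteration O(n²). If ordered iteration is wanted, keeping the sorted key list in a closure avoids both problems; otherwise drop the block rather than carry it in a comment. This hunk only adds the commented block; get_version continues outside it.

```lua
-- Ordered replacement for pairs(): the sorted key list lives in a closure, never in t.
function orderedPairs(t)
  local keys = {}
  for k in pairs(t) do table.insert(keys, k) end
  table.sort(keys)
  local i = 0
  return function()
    i = i + 1
    local k = keys[i]
    if k ~= nil then return k, t[k] end
  end
end
```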
@@ -105,3 +154,67 @@ read_alert = function () return alerts,presentationtable end +read_alert = function () + local alertfile = "/var/log/snort/alert" + local alertcount = 0 + local alertpriority = {} + local alertprioritytmp = "" + local priority = "" + local classification = "" + local currid = "" + local prevrid = "" + local count = {} + local liboutput = fs.read_file_as_array(alertfile) + if (liboutput) then + for k,v in ipairs(liboutput) do + --DEBUG +-- if (k == 1) then break end + currid = string.match(v, "^.*%[%*%*%]%s*%[(%d+:%d+:%d+)%].*") + if (currid) then + local priority = string.match(liboutput[k+1],"^.*%[.*lassification:%s*.*%]%s*%[(.*)%]") or "Priority: Unknown" + local classification = string.match(liboutput[k+1],"^.*%[.*lassification:%s*(.*)%]%s*%[") or "Classification: Unknown" + if (alertpriority[priority] == nil) then + alertpriority[priority] = {} + end + if (alertpriority[priority][classification] == nil) then + alertpriority[priority][classification] = {} + end + alertpriority[priority][classification][currid] = {} + if (alertpriority[priority][classification][currid]["value"] == nil) then + alertpriority[priority][classification][currid]["value"] = {} + end + -- COUNTER + if not (count[priority..classification..currid]) then + count[priority..classification..currid] = 0 + end + count[priority..classification..currid] = count[priority..classification..currid] + 1 + alertpriority[priority][classification][currid]["count"] = count[priority..classification..currid] + for i=0, 10 do + local rowvalue = liboutput[k+i] + if (rowvalue == "") then + break + end + if (rowvalue) then + table.insert(alertpriority[priority][classification][currid]["value"],rowvalue) + end + end + alertcount = alertcount + 1 + end + end + end +--[[ +t = { + ['a'] = 'xxx', + ['b'] = 'xxx', + ['c'] = 'xxx', + ['d'] = 'xxx', + ['e'] = 'xxx', +} + + for key, val in orderedNext(t) do + t=key + end +--]] + return alertcount,alertpriority +end + -- cgit v1.2.3
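Review bot: `string.match(liboutput[k+1], ...)` in the new read_alert raises "bad argument #1 to 'match' (string expected, got nil)" when the line carrying the `[**] [gid:sid:rev]` header is the last line of /var/log/snort/alert, which is exactly the state the file is in while snort is still appending an alert, so the whole page fails instead of showing the alerts read so far. Bind the following line once with a fallback, `local nextline = liboutput[k+1] or ""`, and match priority and classification against `nextline`. Separately, `alertpriority[priority][classification][currid] = {}` runs unconditionally on every hit, so the `["value"] == nil` test right after it is always true and only the last occurrence's rows survive in `value` while `count` keeps the real total; if keeping only the latest sample is intended, say so with `-- keep only the most recent packet rows for this signature; count tracks all hits`, otherwise guard the assignment with `if not alertpriority[priority][classification][currid] then`. The rows stored in `value` are raw alert-log lines derived from observed traffic (rule msg text, packet headers), so whichever view renders this table must escape them; that happens outside this hunk. The whole file is also read into memory on every call, which on a busy sensor is worth a size cap, though read_file_as_array's behaviour is not visible here.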