Sorting...

on 06.06.2007 18:29:51 by clement

Hi everybody,

I'm working on the security of a network. I have a program that gives
me the following output file about the attacks:
[**] [122:1:0] (portscan) TCP Portscan [**]
03/05-22:01:50.495251 200.159.212.117 -> 192.168.123.179
PROTO255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:168 DF

[**] [122:17:0] (portscan) UDP Portscan [**]
03/05-22:04:55.963641 85.181.42.174 -> 192.168.123.179
PROTO255 TTL:0 TOS:0xC0 ID:21124 IpLen:20 DgmLen:171

[**] [1:1384:9] MISC UPnP malformed advertisement [**]
[Classification: Misc Attack] [Priority: 2]
03/05-22:05:09.030411 192.168.123.254:4727 -> 239.255.255.250:1900
UDP TTL:64 TOS:0x0 ID:24964 IpLen:20 DgmLen:298
Len: 270

[**] [1:1384:9] MISC UPnP malformed advertisement [**]
[Classification: Misc Attack] [Priority: 2]
03/05-22:12:16.895809 192.168.123.144:1900 -> 239.255.255.250:1900
UDP TTL:1 TOS:0x0 ID:58105 IpLen:20 DgmLen:445
Len: 417

[**] [122:20:0] (portscan) UDP Distributed Portscan [**]
03/05-22:12:33.014478 192.168.123.132 -> 192.168.123.179
PROTO255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:169 DF

The problem is that it can have more than 500 alerts. So I would like
a script to do some statistics on it. The statistics can be by types
of attacks (just the sequence number after the stars and before the
text describing the type of attack), by IP addresses/port number or by
date and time.
As I don't know how to program in shell I'm completely lost.
Does anybody have a solution, at least for one of the three separations,
and explain to me how to do the rest?
It would be so great!!


Thanks a lot.
Clement

Re: Sorting...

on 06.06.2007 19:12:00 by Janis Papanagnou

Clement wrote:
> Hi everybody,
>
> I'm working on the security of a network. I have a program that gives
> me the following output file about the attacks:
> [**] [122:1:0] (portscan) TCP Portscan [**]
> 03/05-22:01:50.495251 200.159.212.117 -> 192.168.123.179
> PROTO255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:168 DF
>
> [**] [122:17:0] (portscan) UDP Portscan [**]
> 03/05-22:04:55.963641 85.181.42.174 -> 192.168.123.179
> PROTO255 TTL:0 TOS:0xC0 ID:21124 IpLen:20 DgmLen:171
>
> [**] [1:1384:9] MISC UPnP malformed advertisement [**]
> [Classification: Misc Attack] [Priority: 2]
> 03/05-22:05:09.030411 192.168.123.254:4727 -> 239.255.255.250:1900
> UDP TTL:64 TOS:0x0 ID:24964 IpLen:20 DgmLen:298
> Len: 270
>
> [**] [1:1384:9] MISC UPnP malformed advertisement [**]
> [Classification: Misc Attack] [Priority: 2]
> 03/05-22:12:16.895809 192.168.123.144:1900 -> 239.255.255.250:1900
> UDP TTL:1 TOS:0x0 ID:58105 IpLen:20 DgmLen:445
> Len: 417
>
> [**] [122:20:0] (portscan) UDP Distributed Portscan [**]
> 03/05-22:12:33.014478 192.168.123.132 -> 192.168.123.179
> PROTO255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:169 DF
>
> The problem is that it can have more than 500 alerts. So I would like
> a script to do some statistics on it. The statistics can be by types
> of attacks (just the sequence number after the stars and before the
> text describing the type of attack), by IP addresses/port number or by
> date and time.

I assume that the data posted above has line breaks as shown, i.e. blocks
of records consisting of 3-5 lines, separated by an empty line.

It is not clear what output you expect, but try the following code...

awk -f sec_stat.awk your_data_file

where the file sec_stat.awk contains the following program...

BEGIN { RS = "" }        # empty RS: each blank-line-separated block is one record
{
    # signature id, e.g. [122:1:0], from the alert header line
    match ($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)
    a1[substr($0, RSTART, RLENGTH)]++

    # first IPv4 address in the record (the source), with :port if present
    match ($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)?/)
    a2[substr($0, RSTART, RLENGTH)]++

    # timestamp truncated to the minute, e.g. 03/05-22:01
    match ($0, /[0-9]+\/[0-9]+-[0-9]+:[0-9]+/)
    a3[substr($0, RSTART, RLENGTH)]++
}
END {
    # print each key with its count; awk does not order the keys
    for (i in a1) print i, a1[i]
    for (i in a2) print i, a2[i]
    for (i in a3) print i, a3[i]
}

With your data you will get this output...

[122:1:0] 1
[1:1384:9] 2
[122:17:0] 1
[122:20:0] 1
85.181.42.174 1
192.168.123.144:1900 1
192.168.123.132 1
192.168.123.254:4727 1
200.159.212.117 1
03/05-22:01 1
03/05-22:12 2
03/05-22:04 1
03/05-22:05 1


Janis

> As I don't know how to program in shell I'm completely lost.
> Does anybody have a solution, at least for one of the three separations,
> and explain to me how to do the rest?
> It would be so great!!
>
>
> Thanks a lot.
> Clement
>
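
The awk program above counts only the first address in each record. As an added example (not code from either poster), here is a Python parser for the same alert format that keeps the signature id, the minute, and both the source and the destination endpoint, so the three statistics Clement asked for can be computed from one pass; it skips records that do not fit the format rather than guessing. The sample is three records copied from the post.

```python
import re
from collections import Counter

# Three records copied from Clement's alert file above (one with ports, two without).
SAMPLE = """[**] [122:1:0] (portscan) TCP Portscan [**]
03/05-22:01:50.495251 200.159.212.117 -> 192.168.123.179
PROTO255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:168 DF

[**] [1:1384:9] MISC UPnP malformed advertisement [**]
[Classification: Misc Attack] [Priority: 2]
03/05-22:05:09.030411 192.168.123.254:4727 -> 239.255.255.250:1900
UDP TTL:64 TOS:0x0 ID:24964 IpLen:20 DgmLen:298
Len: 270

[**] [122:20:0] (portscan) UDP Distributed Portscan [**]
03/05-22:12:33.014478 192.168.123.132 -> 192.168.123.179
PROTO255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:169 DF
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\]$")
ADDR = r"(\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?)"          # IPv4 address with optional :port
PACKET = re.compile(r"^(\d\d/\d\d-\d\d:\d\d):\d\d\.\d+ " + ADDR + " -> " + ADDR + "$")

def parse_alerts(text):
    """Split the file into blank-line-separated records; keep the signature id,
    the message, the timestamp truncated to the minute, and both endpoints."""
    alerts = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER.match(lines[0])
        pkt = next((m for m in map(PACKET.match, lines[1:]) if m), None)
        if head and pkt:   # records that do not fit the format are skipped, not guessed
            alerts.append({"sid": head.group(1), "msg": head.group(2),
                           "minute": pkt.group(1), "src": pkt.group(2), "dst": pkt.group(3)})
    return alerts

def stats(alerts):
    """Counts by signature id, by source, by destination and by minute."""
    return {key: Counter(a[key] for a in alerts) for key in ("sid", "src", "dst", "minute")}

if __name__ == "__main__":
    for key, counter in stats(parse_alerts(SAMPLE)).items():
        print("==", key)
        for value, n in counter.most_common():
            print(n, value)
```

Run it against the real file with `stats(parse_alerts(open("alert_file").read()))`; `most_common()` gives the sorted ranking that awk's `for (i in a)` loop does not.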

Re: Sorting...

on 06.06.2007 19:14:20 by Bill Marcum

On Wed, 06 Jun 2007 16:29:51 -0000, Clement wrote:
>
>
> Hi everybody,
>
>
> The problem is that it can have more than 500 alerts. So I would like
> a script to do some statistics on it. The statistics can be by types
> of attacks (just the sequence number after the stars and before the
> text describing the type of attack), by IP addresses/port number or by
> date and time.
> As I don't know how to program in shell I'm completely lost.
> Does anybody have a solution, at least for one of the three separations,
> and explain to me how to do the rest?
> It would be so great!!
>
Read about associative arrays in awk or perl.


--
How kind of you to be willing to live someone's life for them.