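#!/usr/bin/env bash
#
# David Marcoux
# This script helps parse snort data logs
# last updated 01 SEP 2004
#
# Usage: parser "tcpdump filter" [output dir] [input delimiter]
#
# Builds a list of snort pcap files (selected by -a/-d/-e/-h/-w), runs each
# one through tcpdump with the supplied BPF filter and writes the matching
# packets to <output dir>/<input file>.  Output files that only contain the
# 24-byte pcap header (i.e. no packets matched) are deleted again.
#
# NOTE: the original script used `let`, which is not POSIX sh, so bash is
# now required explicitly instead of being assumed under #!/bin/sh.
################################################################
##
## You can edit these variables only
##
################################################################
datafilespec=snort.log
#################################################################

# Unset variables are treated as errors; every $4 access below is guarded by
# an explicit argument-count check first.
set -u

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print the names of all "$datafilespec.<epoch>" files in the current
# directory whose epoch suffix lies in [start, end).
# Globals:   datafilespec (read)
# Arguments: $1 - start epoch (inclusive), $2 - end epoch (exclusive)
# Outputs:   one file name per line on stdout
#######################################
list_files_in_range() {
  local start=$1 end=$2 f ts
  # Iterate over the files that exist instead of testing every second in the
  # range: the original per-second loop was O(end-start), which for a
  # multi-day range meant millions of [ -f ] tests.
  for f in "$datafilespec".*; do
    [ -f "$f" ] || continue
    ts=${f##*.}
    case "$ts" in
      ''|*[!0-9]*) continue ;;   # suffix is not a plain number
    esac
    if [ "$ts" -ge "$start" ] && [ "$ts" -lt "$end" ]; then
      printf '%s\n' "$f"
    fi
  done
}

#######################################
# Return 0 if $1 is exactly 10 decimal digits (a second-resolution epoch).
# Arguments: $1 - value to check
#######################################
is_ten_digits() {
  [[ $1 =~ ^[0-9]{10}$ ]]
}

#################################################################
#
# Count the number of command parameters and display usage
# information as necessary
#
if [ $# -lt 3 ]; then
  echo
  echo "Snort log parser. "
  echo " Usage: $ parser \"tcpdump filter\" [output dir] [input delimiter]"
  echo " "
  echo "Input delimiter can be be either "
  echo " -a Parse all data files from the current directory "
  echo " "
  echo " -d Specify a month or day delimiter (e.g. \"Jan\" or \"Feb 14\") "
  echo " Ex parser \"host 10.50.9.25\" mydir -d \"Feb 14\" "
  echo " "
  echo " -e Specify start & stop times in UNIX epoch format "
  echo " Ex parser \"net 10.50\" mydir -e 1074000000-1081000000 "
  echo " "
  echo " -h Specify hours back (from this moment) to examine "
  echo " Ex parser \"dst port 80\" mydir -h 48 "
  echo " "
  echo " -w Specify input files as a quoted wildcard value "
  echo " Ex parser \"port 80 or port 443\" mydir -w \"*105094*\" "
  echo " "
  exit
fi

#####################################################################
#
# Create and initialize variables
#
tcpdumpfilter=$1
outputdir=$2

# The file list lives in an unpredictable temp file (the old fixed
# /tmp/tmpparser$$ name could be pre-created or symlinked by another local
# user) and is removed on every exit path by the trap.
inputFilesList=$(mktemp "${TMPDIR:-/tmp}/tmpparser.XXXXXX") || die "Error: cannot create temp file."
trap 'rm -f -- "$inputFilesList"' EXIT

case "$3" in
  -a)
    echo "Building a list of files to parse..."
    # Glob instead of parsing `ls -al | grep`; the [ -e ] test drops the
    # literal pattern when nothing matches.
    for f in "$datafilespec"*; do
      [ -e "$f" ] && printf '%s\n' "$f"
    done > "$inputFilesList"
    ;;
  -d)
    if [ $# -ne 4 ]; then
      echo "Error: must specify date delimiter in quotes."
      exit
    fi
    echo "Building a list of files to parse..."
    # Match the delimiter against the long-listing line (date column), as the
    # original did, but only for the data files rather than the whole dir.
    ls -l -- "$datafilespec"* 2>/dev/null | grep -- "$4" \
      | awk '{ print $9 }' > "$inputFilesList"
    ;;
  -e)
    if [ $# -ne 4 ]; then
      echo "Error: must specify date epoch range."
      exit
    fi
    starttime=${4%%-*}
    endtime=${4#*-}
    # Validate both ends before comparing them so a non-numeric argument
    # produces a clear message instead of a [ ... ] syntax error.
    if ! is_ten_digits "$starttime"; then
      echo "Error: Start time is not 10 digits"
      exit
    fi
    if ! is_ten_digits "$endtime"; then
      echo "Error: End time not 10 digits"
      exit
    fi
    if [ "$starttime" -ge "$endtime" ]; then
      echo "Error: start time must be before end time."
      exit
    fi
    echo
    printf 'Start: %s\n' "$starttime"
    printf 'Stop : %s\n' "$endtime"
    echo
    echo "Building a list of files to parse..."
    list_files_in_range "$starttime" "$endtime" > "$inputFilesList"
    ;;
  -h)
    if [ $# -ne 4 ]; then
      echo "Error: must specify number of hours."
      exit
    fi
    hoursofhistory=$4
    [[ $hoursofhistory =~ ^[0-9]+$ ]] || die "Error: hours must be a whole number."
    timestampnow=$(date +%s)
    starttime=$(( timestampnow - hoursofhistory * 3600 ))
    endtime=$timestampnow
    echo "Building a list of files to parse..."
    list_files_in_range "$starttime" "$endtime" > "$inputFilesList"
    ;;
  -w)
    if [ $# -ne 4 ]; then
      echo "Error: must specify file wildcard."
      # The original fell through here and ran ls on an unset $4.
      exit
    fi
    echo "Building a list of files to parse..."
    # $4 is deliberately unquoted: it is a user-supplied glob that must expand.
    # shellcheck disable=SC2086
    for f in $4; do
      [ -e "$f" ] && printf '%s\n' "$f"
    done >> "$inputFilesList"
    ;;
  *)
    echo "Error: wrong parameter (must be -a -d -e -h or -w)."
    exit
    ;;
esac

if [ ! -s "$inputFilesList" ]; then
  echo "Error: No matching files found."
  exit
fi

mkdir -p -- "$outputdir" || die "Error: cannot create output directory $outputdir"

numFilesParsed=0
percentFilesRemain=0
percentFilesCompletedFlag=0
estTimeRemaining=0
totalFilesToParse=$(wc -l < "$inputFilesList")
parseStartTime=$(date '+%s')

# Read the list directly (no `cat |` subshell) so the counters above are
# updated in this shell.  tcpdump gets /dev/null on stdin so it cannot
# consume lines of the file list.
while IFS= read -r inLogFile; do
  # NOTE(review): output path keeps the input name verbatim, as before; a
  # -w pattern containing a directory component would need that subdir to
  # exist under $outputdir.
  outLogFile=$outputdir/$inLogFile
  if [ -s "$inLogFile" ]; then
    numFilesParsed=$(( numFilesParsed + 1 ))

    # Do the actual work (tcpdump parsing).  Options precede the filter
    # expression so the command does not depend on getopt argument permutation;
    # the filter is passed as one argument (tcpdump joins expression words).
    tcpdump -Xvr "$inLogFile" -w "$outLogFile" "$tcpdumpfilter" < /dev/null

    # Delete output files that are 24 bytes (contain no useful data)
    if [ -s "$outLogFile" ]; then
      outLogFileSize=$(wc -c < "$outLogFile")
      if [ "$outLogFileSize" -lt 25 ]; then
        rm -f -- "$outLogFile"
      fi
    fi

    cumulativeElapsedTime=$(( $(date '+%s') - parseStartTime ))
    percentFilesCompleted=$(( (numFilesParsed * 100) / totalFilesToParse ))
    percentFilesRemain=$(( 100 - percentFilesCompleted ))
    # Recompute the estimate once per percentage point; the guard also keeps
    # percentFilesCompleted non-zero in the division below.
    if [ "$percentFilesCompleted" -gt "$percentFilesCompletedFlag" ]; then
      OnePercent=$(( cumulativeElapsedTime / percentFilesCompleted ))
      estTimeRemaining=$(( (OnePercent * percentFilesRemain) / 60 ))
      percentFilesCompletedFlag=$percentFilesCompleted
    fi

    if [ "$percentFilesCompleted" -gt 3 ]; then
      echo "Parsed file ($numFilesParsed of $totalFilesToParse): $inLogFile ($estTimeRemaining mins remain)"
    else
      echo "Parsed file ($numFilesParsed of $totalFilesToParse): $inLogFile"
    fi
  else
    echo "Error reading file $inLogFile"
  fi
done < "$inputFilesList"

###echo "Files parsed: `wc -l $inputFilesList | awk '{print $1}'` "
echo "Done."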