
[ossec-dev] ossec-hids: ossectop.pl (NEW) [meirm]




Module name:	ossec-hids
Changes by:	meirm	06/09/11 00:19:58

Added files:
	ossectop.pl

Log message:
Description: Ossec alert listing tool
Reviewed by: Meir Michanie
Bug: to be written

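--- /dev/null
+++ b/ossectop.pl
@@ -0,0 +1,128 @@
+#!/usr/bin/perl -w
+#use strict;
+use Socket;
+use POSIX 'setsid';
+# ---------------------------------------------------------------------------
+# Author: Meir Michanie (meirm@xxxxxxxxx)
+# File: ossectop.pl
+# Version 0.1 (09/2006)
+# ---------------------------------------------------------------------------
+# http://www.riunx.com/
+# ---------------------------------------------------------------------------
+#
+# ---------------------------------------------------------------------------
+# About this script
+# ---------------------------------------------------------------------------
+#
+# "Ossec to Mysql" records the OSSEC HIDS alert logs in MySQL database.
+# It can run as a daemon (ossec2mysqld.pl), recording in real-time the logs in database or
+# as a simple script (ossec2mysql.pl).
+#
+# ---------------------------------------------------------------------------
+# Prerequisites
+# ---------------------------------------------------------------------------
+#
+# MySQL Server
+# Perl DBD::mysql module
+# Perl DBI module
+#
+# ---------------------------------------------------------------------------
+# Installation steps
+# ---------------------------------------------------------------------------
+# 
+# 1) Create new database
+# 2a) Run ossec2mysql.sql to create MySQL tables in your database
+# 2b) Create BASE tables with snort tables extention
+# 3) Create a user to access the database;
+# 4) Copy ossec2mysql.conf to /etc/ossec2mysql.conf with 0600 permissions
+# 3) Edit /etc/ossec2mysql.conf according to your configuration:
+#	dbhost=localhost
+#	database=ossecbase
+#	debug=5
+#	dbport=3306
+#	dbpasswd=mypassword
+#	dbuser=ossecuser
+#	daemonize=0
+#	resolve=1
+#	
+#
+# ---------------------------------------------------------------------------
+# License
+# ---------------------------------------------------------------------------
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# ---------------------------------------------------------------------------
+# About OSSEC HIDS
+# ---------------------------------------------------------------------------
+#
+# OSSEC HIDS is an Open Source Host-based Intrusion Detection System.
+# It performs log analysis and correlation, integrity checking,
+# rootkit detection, time-based alerting and active response.
+# http://www.ossec.net
+#
+# ---------------------------------------------------------------------------
+
+# ---------------------------------------------------------------------------
+# Parameters
+# ---------------------------------------------------------------------------
+$SIG{TERM} = sub { &gracefulend('TERM')};
+$SIG{INT} = sub { &gracefulend('INT')};
+
+my %conf;
+$conf{resolve}=1;
+
+
+my($OCT) = '(?:25[012345]|2[0-4]\d|1?\d\d?)';
+
+my($IP) = $OCT . '\.' . $OCT . '\.' . $OCT . '\.' . $OCT;
+
+my $VERSION="0.1";
+my $sig_class_id=1;
+my $dump=0;
+my ($hids_id,$hids,$hids_interface,$last_cid)=(undef, 'localhost', 'ossec',0);
+my ($tempvar,$VERBOSE)=(0,0);
+# ---------------------------------------------------------------------------
+#  Arguments parsing
+# ---------------------------------------------------------------------------
+ 
+while (@ARGV){
+        $_= shift @ARGV;
+	if ( m/^-h$|^--help$/){
+                &help();
+	}elsif ( m/^-n$|^--noname$/){
+                $conf{'resolve'}=0;
+	}
+}
+
+
+my $newrecord=0;
+my %stats;
+my %resolv;
+my ($timestamp,$sec,$mail,$date,$alerthost,$alerthostip,$datasource,$rule,$level,$description,
+	$srcip,$dstip,$user,$text)=();
+my $lasttimestamp=0;
+my $delta=0;
+########################################################
+my $datepath=`date "+%Y/%b/ossec-alerts-%d.log"`;
+my $LOG='/var/ossec/logs/alerts/'. $datepath;
+chomp $LOG;
+$date='';
+format TOPREPORT =
+ ==========================================================================================================================
+|                                                  OSSEC-HIDS TOP                                                          |
+ ==========================================================================================================================
+| Alert  |  Date                 | SRC          | DST          | LVL | Name                                                |
+ ==========================================================================================================================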
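Review bot: The alert-log path on the `my $datepath=`date "+%Y/%b/ossec-alerts-%d.log"`;` line is built by shelling out, so the script forks a shell, runs whatever `date` the caller's PATH resolves to, never checks the command's exit status or empty output, and then needs the `chomp $LOG` two lines later only to strip the trailing newline; POSIX is already loaded, so the same path can be computed in-process with `my $datepath = POSIX::strftime('%Y/%b/ossec-alerts-%d.log', localtime);` and the `chomp` dropped (the `%b` month name is locale-dependent in both forms, which is worth a comment if the directory name is expected in one fixed language). The `while (@ARGV)` loop silently ignores any argument other than `-h`/`--help` and `-n`/`--noname`, so a mistyped flag runs the tool with default settings; a final `else { warn "unknown option: $_\n"; help(); }` would surface it. `use strict` is commented out at the top and the handlers use the `&gracefulend('TERM')` call form, so undeclared globals such as `$date` and `$LOG` and any misspelled sub name go unchecked; `gracefulend('TERM')` with `use strict` enabled is the safer form. The header comment still describes "Ossec to Mysql" with MySQL/DBI prerequisites and ossec2mysql.conf setup steps, which does not match this alert-listing tool and should be rewritten for ossectop.pl. The `format TOPREPORT =` declaration at the end of the listing has no terminating `.` line and `gracefulend`/`help` are not defined in the visible part, so the file appears to continue past what the mail shows.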

