snort-shadow - two great tastes that go together

[Michael Aylor <maylor () swbanktx com>]

Dear Snort Community,

Well, I'm posting this code in the hopes it does someone somewhere some
good.  Most of you real programmers will probably scoff at it, but it has
worked well for me.  The point of this code is to cause snort to look at
Shadow Sensor tcpdump files that the sensor_driver.pl creates.  Its supposed
to be run as a cronjob after the sensor does its one hour tcpdump change
out.  I've configured my snort to write to a remote mysql database where I
run ACID (which is just about the neatest things since sliced bread).  Have
a look.  Let me know if you have questions/problems/comments.  My small
contribution to the open-source community....

Mike Aylor
maylor () swbanktx com

----BEGIN CODE----

#!/usr/bin/perl
# File=snortshadow.pl
# Snort File Grabber Script
# Fairly unsophisticated (my first perl script ever!) little program that
# is designed to run on a Shadow Sensor as a cronjob.  It will check the 
# current date and time, then subtract one hour from that, and try to find
the 
# Shadow tcp.YYYYMMDDHH.gz file correlating to that time.  It takes the
file, 
# decompresses it to another folder, runs snort against the tcpdump file,
then
# removes the decompressed file.  I wrote this as a means to automate having

# snort send alert messages to a mysql database off of shadow tcpdump files.
#
# To me, it just didn't make sense to have snort run as a seperate process
when 
# I already had a perfectly good Shadow tcpdump file right there.
#
# I'm well aware this script looks ugly, but its functional for the most
part.
# It's my hope that a real programmer will take this and write it better
(add
# more variables, some error checking, a debug log file, ya know, the good
stuff).
#
# I did put in some checking in case it tries to pull a file at midnight on
any
# given day or month.  I didn't bother putting in year checking, which means
that
# on January, 1 12:00am on the year 10000 AD, this script will fail
(depending on 
# what state Linux kernels are in eight thousand years from now).  I've only
tested
# it on RedHat 7.1.
#
# You are all welcome to adjust the script as you like and take credit for
the pieces
# you add, so long as you acknowledge me somewhere.  Otherwise, consider
this public 
# domain.
#
# Mike Aylor
# maylor () swbanktx com        


# Environment stuff.  Adjust the following 5 variables as you need.  It's
defaulted to 
# what a standard shadow sensor load out would be.  The Shadow Sensor must
already have
# snort and gunzip on it.  Also be sure to have already mkdir'd the
Snortlogpath folder.

# Path to Shadow Log Directory
 $Shadowlogpath = "/LOG/std";
 
# Path to Snort Log Directory (repository for soon to be created tcp.* and
gunzip'd files
 $Snortlogpath = "/LOG/snort";

# Path to Snort binary
 $Snortbinpath = "/usr/local/bin";

# Name of .conf file for snort (Usually snort.conf)
 $Snortconf = "snort.conf";

# Path to Snort .conf file selected above
 $Snortconfpath = "/etc/snort";


# This worked for me.  Hopefully it does for you.

 $dateyear = `date +%Y`;
 $datemonth = `date +%m`;
 $dateday = `date +%d`;
 $datehour = `date +%H`;

# Variables I tacked on when trying to get the date stuff sorted out.  You
shouldn't ever
# have to reference these.
# $dateyear = "2001\n";
# $datemonth = "05\n";
# $dateday = "07\n";
# $datehour = "00\n";

# This truncates the date variables, removing the carriage return from the
actual number.
chop($dateyear, $datemonth, $dateday, $datehour);

if (  $datehour == "00" ) {
        $datehourreal = "23";
        if ($datemonth == "02" || $datemonth == "04" || $datemonth == "06"
|| $datemonth == "08" || $datemonth == "10") {
                if ($dateday == "01") {
                        $datedayreal = "31";
                        $datemonthreal = $datemonth - 1;
                        $dateyearreal = $dateyear;
                } else {
                        $datedayreal = $dateday - 1;
                        $datemonthreal = $datemonth;
                        $dateyearreal = $dateyear;
                        if ($datedayreal < "10") {
                                $datedayreal = ("0$datedayreal");
                        }
                }
        }
        if ($datemonth == "05" || $datemonth == "07" || $datemonth == "09"
|| $datemonth == "11" || datemonth == "12") {
                if ($dateday == "01") {
                        $datedayreal = "30";
                        $datemonthreal = $datemonth - 1;
                        $dateyearreal = $dateyear;
                } else {
                        $datedayreal = $dateday - 1;
                  $datemonthreal = $datemonth;
                  $dateyearreal = $dateyear;
                        if ($datedayreal < "10") {
                                $datedayreal = ("0$datedayreal");
                        }
                }
        }
        if ($datemonth == "01") {
                if ($dateday == "01") {
                        $datedayreal = "31";
                        $datemonthreal = "12";
                        $dateyearreal = $dateyear - 1;
                }
        }
        if ($datemonth == "3") {
                if ($dateday == "01") {
                        $datedayreal = "28";
                        $datemonthreal = "02";
                        $dateyearreal = $dateyear;
                }
        }

} else {
        $dateyearreal = $dateyear;
        $datemonthreal = $datemonth;
        $datedayreal = $dateday;
        $datehourreal = $datehour - 1;
        if ($datehourreal < "10") {
                $datehourreal = ("0$datehourreal");
        }
}
#       if ($datemonthreal < 10) {
#               $datemonthreal = ("0$datemonthreal");
#               print("DateMonthReal: $datemonthreal \n");
#       }
#       if ($datedayreal < 10) {
#               $datedayreal = ("0$datedayreal");
#               print("DateDayReal: $datedayreal \n");
#       }
#       if ($datehourreal < 10) {
#               $datehourreal = ("0$datehourreal");
#       }

$datefile = "$dateyearreal$datemonthreal$datedayreal$datehourreal";
$tcpfile = "tcp.$datefile.gz";
$snortfile = "snort.$datefile.gz";
$snortgunzip = "snort.$datefile";

system("cp -u $Shadowlogpath/tcp.$datefile.gz
$Snortlogpath/snort.$datefile.gz");
system("gunzip --force $Snortlogpath/$snortfile");

# I put the sleep comment in because I had trouble running snort against
large files.
# This sleep may or may not really be needed.

system("sleep 3");

system("$Snortbinpath/snort -c $Snortconfpath/$Snortconf -r
$Snortlogpath/$snortgunzip");
system("rm $Snortlogpath/$snortgunzip -rf");



CONFIDENTIALITY NOTICE:

************************************************************************

The information contained in this ELECTRONIC MAIL transmission
is confidential.  It may also be privileged work product or proprietary
information. This information is intended for the exclusive use of the
addressee(s).  If you are not the intended recipient, you are hereby
notified that any use, disclosure, dissemination, distribution [other
than to the addressee(s)], copying or taking of any action because
of this information is strictly prohibited.

************************************************************************