ChipMaster
/
Poor-Mans-IDS
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The Poor Man's (or Woman's) Intrusion Detection System
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
21 Commits
1 Branch
133 KiB
 
 
 
 
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
Poor-Mans-IDS/trafficmon/badtrafficrpt.cpp

242 lines
6.9 KiB
Raw Permalink Blame History 

  1. //////////////////////////////////////////////////////////////////////

  2. // Basic Access Log report

  3. // Written by Jonathan A. Foster <jon@jfpossibilities.com>

  4. // Started August 20th, 2021

  5. // Copyright JF Possibilities, Inc. All rights reserved.

  6. //

  7. // To start with this gather data for a specific access period and

  8. // create a report of domain names and addresses that accessed to and

  9. // from the net. All "accepted" and "blocked" accesses will be

  10. // ignored. For the moment we're expecting blocked traffic is actually

  11. // blocked.

  12. //

  13. // The report will contain three columns:

  14. //   1. domain name or address if a domain is not known.

  15. //   2. list of ports that were connected to.

  16. //   3. count of total connections

  17. //

  18. // 20240319 <jon@jfpossibilities.com>

  19. //   Implemented "ignores" in the report. These use the ignore section

  20. //   used by trafficrpt. But there are some oddities (so far). All

  21. //   report entries are considered to be TCP connections originating

  22. //   from 0.0.0.0 and outbound. This is a cheat to prevent

  23. //   complication in the query process. Its tempting to implement this

  24. //   in trafficmon... but that is a permanent loss of data... still

  25. //   debating.

  26. //////////////////////////////////////////////////////////////////////

  27. #include  <string>

  28. #include  <map>

  29. #include  <iostream>

  30. #include  <stdio.h>

  31. #include  <libgen.h>

  32. 

  33. #include  "../strutil.h"

  34. #include  "appbase.h"

  35. using namespace std;

  36. 

  37. 

  38. 

  39. //////////////////////////////////////////////////////////////////////

  40. // A connection with count

  41. //////////////////////////////////////////////////////////////////////

  42. 

  43. struct ConnWct: public Conn {

  44.   long	count;

  45. };

  46. 

  47. 

  48. 

  49. // TODO: connection sql should be global.

  50. namespace cppdb {

  51.   result &operator>>(result &qry, ConnWct &c) {

  52.     qry >> c.us >> c.us_port >> c.them >> c.them_port >> c.name

  53.         >> c.protocol >> c.count;

  54.     return qry;

  55.   }  

  56. } // cppcms

  57. 

  58. 

  59. 

  60. //////////////////////////////////////////////////////////////////////

  61. // A "line" of a report - a single domain/address

  62. //////////////////////////////////////////////////////////////////////

  63. 

  64. struct ReportLine {

  65.   int             count;

  66.   map<string,int> ports;

  67. 

  68.   // initialize

  69.   ReportLine(): count(0) {}

  70.   // add an item

  71.   void add(const string &port, int _count) {

  72.     ports[port]+=_count;

  73.     count+=_count;

  74.   }

  75.   // ports -> string

  76.   string port_list() const {

  77.     string r;

  78.     map<string,int>::const_iterator it = ports.begin();

  79.     if(it==ports.end()) return r;

  80.     r = it->first;

  81.     for(it++; it!=ports.end(); it++) r+=","+it->first;

  82.     return r;

  83.   }

  84. };

  85. 

  86. 

  87. 

  88. //////////////////////////////////////////////////////////////////////

  89. // A full reports worth of data - domain names / addresses and their

  90. // associated stats.

  91. //////////////////////////////////////////////////////////////////////

  92. 

  93. struct ReportData: map<string,ReportLine> {

  94. 

  95.   // Add an item to the report

  96.   void add(const string &address, const string &port, int count) {

  97.     (*this)[address].add(port, count);

  98.   }

  99. 

  100.   // Render report in an ASCII table

  101.   string ascii() const {

  102.     int widths[3] = {0,0,0}; // max column widths: 0: DNS, 1: ports, 3: counts

  103.     int x;

  104.     char l[1024]; l[1023]=0;

  105.     string s, r, bk;

  106.     ReportData::const_iterator it;

  107. 

  108.     for(it = begin(); it!=end(); it++) {

  109.       if(it->first.size()>widths[0]) widths[0] = it->first.size();

  110.       s = it->second.port_list();

  111.       if(s.size()>widths[1]) widths[1]=s.size();

  112.       if(it->second.count>widths[2]) widths[2] = it->second.count;

  113.     }

  114.     // Now convert count max to cols

  115.     for(x=0; widths[2]; x++) widths[2] /= 10;

  116.     widths[2] = x ? x : 1;

  117.     // min col widths for titles

  118.     if(widths[0]<6) widths[0]=6;

  119.     if(widths[1]<7) widths[1]=7;

  120.     if(widths[2]<2) widths[2]=2;

  121. 

  122.     // render report

  123.     bk = "+"+string(widths[0]+2, '-')+

  124.          "+"+string(widths[1]+2, '-')+

  125.          "+"+string(widths[2]+2, '-')+

  126.          "+\n";

  127.     if(bk.size()>=sizeof(l)-1) throw std::runtime_error(

  128.       "ReportData::ascii: report row width is too long.");

  129.     s = "| %-"+str(widths[0])+"s | %-"+str(widths[1])+"s | %"+str(widths[2])+"d |\n";

  130.     r = bk;

  131.     snprintf(l, sizeof(l)-1,

  132.         ("| %-"+str(widths[0])+"s | %-"+str(widths[1])+"s | %-"+str(widths[2])+"s |\n").c_str(),

  133.         (const char *)"Remote",

  134.         (const char *)"Port(s)",

  135.         (const char *)"Ct"

  136.         );

  137.     r+= l;

  138.     r+= bk;

  139.     for(it = begin(); it!=end(); it++) {

  140.       snprintf(l, sizeof(l)-1, s.c_str(),

  141.         it->first.c_str(),

  142.         it->second.port_list().c_str(),

  143.         it->second.count

  144.       );

  145.       r+=l;

  146.     }

  147.     r+=bk;

  148.     return r;

  149.   }

  150. };

  151. inline ostream &operator<<(ostream &out, const ReportData &r){

  152.   return out << r.ascii();

  153. }

  154. 

  155. 

  156. 

  157. //////////////////////////////////////////////////////////////////////

  158. // Connection Report Generator Application Class

  159. //////////////////////////////////////////////////////////////////////

  160. 

  161. struct appConnectionReport: TrafficMonBaseApp {

  162.   ReportData       rpt;

  163.   string           start_stamp;

  164.   string           end_stamp;

  165.   int              cli_mode; // which non-switch are we processing

  166. 

  167. 

  168.   appConnectionReport(): cli_mode(0) { }

  169. 

  170. 

  171. 

  172.   int help() {

  173.     cerr << "  FORMAT: " << basename(command_args[0]) << " -c {config} {start} {end}\n"

  174.          << '\n'

  175.          << "The config file must have a [Traffic Mon] section with the database\n"

  176.          << "credentials in it. 'start' and 'stop' are the SQL timestamps for\n"

  177.          << "report time span." << endl;

  178.     return 1;

  179.   }

  180. 

  181. 

  182. 

  183.   virtual void do_arg(const char *arg) {

  184.     switch(cli_mode++) {

  185.     case 0:  start_stamp = arg; return;

  186.     case 1:  end_stamp   = arg; return;

  187.     default: throw CLIerror("Invalid arguments");

  188.     }

  189.   }

  190. 

  191. 

  192. 

  193.   int main() {

  194.     cppdb::result qry;

  195.     ConnWct rec; rec.in=0;

  196.     int x;

  197. 

  198.     /// SETUP & VALIDATE CLI ///

  199. 

  200.     try {

  201.       if(x = TrafficMonBaseApp::main()) return x; // Parse CLI args

  202.       if(cli_mode!=2) throw CLIerror("Invalid arguments");

  203.     } catch(const CLIerror &e) {

  204.       cerr << e.what() << "\n\n";

  205.       return help();

  206.     }

  207.     /// Query & load data ///

  208. 

  209.     qry = db <<

  210.       "SELECT c.us, c.us_port, c.them, c.them_port, c.them_name, protocol, count(*) "

  211.       "FROM connections c LEFT OUTER JOIN dns d ON c.them_name=d.name "

  212.       "WHERE c.inbound=0 AND (d.status IS NULL or d.status=0) "

  213.         "AND tstamp>=? AND tstamp<=? "

  214.       "GROUP BY c.us, c.us_port, c.them, c.them_port, c.them_name, c.protocol"

  215.       << start_stamp << (end_stamp + " 23:59:59"); // include to the end of the day

  216.     while(qry.next()) {

  217.       qry >> rec;

  218.       if(config->ignores.vals.find(rec)<0)

  219.         rpt.add(

  220.           rec.name=="" ? rec.them : rec.name,

  221.           str(rec.them_port),

  222.           rec.count

  223.         );

  224.     }

  225. 

  226.     /// spit out the report ///

  227. 

  228.     cout << "Web access report for " << start_stamp << " - " << end_stamp << "\n\n"

  229.          << rpt;

  230.     return 0;

  231.   }

  232. 

  233. };

  234. 

  235. 

  236. 

  237. //////////////////////////////////////////////////////////////////////

  238. // Lets run the report and dump it out

  239. //////////////////////////////////////////////////////////////////////

  240. 

  241. MAIN(appConnectionReport)