ChipMaster
/
Poor-Mans-IDS
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The Poor Man's (or Woman's) Intrusion Detection System
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
20 Commits
1 Branch
133 KiB
 
 
 
 
Tree: 6756bb0087
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6756bb0087'
${ noResults }
Poor-Mans-IDS/trafficmon/badtrafficrpt.cpp

234 lines
6.8 KiB
Raw Blame History 

  1. //////////////////////////////////////////////////////////////////////

  2. // Basic Access Log report

  3. // Written by Jonathan A. Foster <jon@jfpossibilities.com>

  4. // Started August 20th, 2021

  5. // Copyright JF Possibilities, Inc. All rights reserved.

  6. //

  7. // To start with this gather data for a specific access period and

  8. // create a report of domain names and addresses that accessed to and

  9. // from the net. All "accepted" and "blocked" accesses will be

  10. // ignored. For the moment we're expecting blocked traffic is actually

  11. // blocked.

  12. //

  13. // The report will contain three columns:

  14. //   1. domain name or address if a domain is not known.

  15. //   2. list of ports that were connected to.

  16. //   3. count of total connections

  17. //

  18. // 20240319 <jon@jfpossibilities.com>

  19. //   Implemented "ignores" in the report. These use the ignore section

  20. //   used by trafficrpt. But there are some oddities (so far). All

  21. //   report entries are considered to be TCP connections originating

  22. //   from 0.0.0.0 and outbound. This is a cheat to prevent

  23. //   complication in the query process. Its tempting to implement this

  24. //   in trafficmon... but that is a permanent loss of data... still

  25. //   debating.

  26. //////////////////////////////////////////////////////////////////////

  27. #include  <string>

  28. #include  <map>

  29. #include  <iostream>

  30. #include  <stdio.h>

  31. #include  <libgen.h>

  32. 

  33. #include  "../strutil.h"

  34. #include  "appbase.h"

  35. using namespace std;

  36. 

  37. 

  38. 

  39. //////////////////////////////////////////////////////////////////////

  40. // A "line" of a report - a single domain/address

  41. //////////////////////////////////////////////////////////////////////

  42. 

  43. struct ReportLine {

  44.   int             count;

  45.   map<string,int> ports;

  46. 

  47.   // initialize

  48.   ReportLine(): count(0) {}

  49.   // add an item

  50.   void add(const string &port, int _count) {

  51.     ports[port]+=_count;

  52.     count+=_count;

  53.   }

  54.   // ports -> string

  55.   string port_list() const {

  56.     string r;

  57.     map<string,int>::const_iterator it = ports.begin();

  58.     if(it==ports.end()) return r;

  59.     r = it->first;

  60.     for(it++; it!=ports.end(); it++) r+=","+it->first;

  61.     return r;

  62.   }

  63. };

  64. 

  65. 

  66. 

  67. //////////////////////////////////////////////////////////////////////

  68. // A full reports worth of data - domain names / addresses and their

  69. // associated stats.

  70. //////////////////////////////////////////////////////////////////////

  71. 

  72. struct ReportData: map<string,ReportLine> {

  73. 

  74.   // Add an item to the report

  75.   void add(const string &address, const string &port, int count) {

  76.     (*this)[address].add(port, count);

  77.   }

  78. 

  79.   // Render report in an ASCII table

  80.   string ascii() const {

  81.     int widths[3] = {0,0,0}; // max column widths: 0: DNS, 1: ports, 3: counts

  82.     int x;

  83.     char l[1024]; l[1023]=0;

  84.     string s, r, bk;

  85.     ReportData::const_iterator it;

  86. 

  87.     for(it = begin(); it!=end(); it++) {

  88.       if(it->first.size()>widths[0]) widths[0] = it->first.size();

  89.       s = it->second.port_list();

  90.       if(s.size()>widths[1]) widths[1]=s.size();

  91.       if(it->second.count>widths[2]) widths[2] = it->second.count;

  92.     }

  93.     // Now convert count max to cols

  94.     for(x=0; widths[2]; x++) widths[2] /= 10;

  95.     widths[2] = x ? x : 1;

  96.     // min col widths for titles

  97.     if(widths[0]<6) widths[0]=6;

  98.     if(widths[1]<7) widths[1]=7;

  99.     if(widths[2]<2) widths[2]=2;

  100. 

  101.     // render report

  102.     bk = "+"+string(widths[0]+2, '-')+

  103.          "+"+string(widths[1]+2, '-')+

  104.          "+"+string(widths[2]+2, '-')+

  105.          "+\n";

  106.     if(bk.size()>=sizeof(l)-1) throw std::runtime_error(

  107.       "ReportData::ascii: report row width is too long.");

  108.     s = "| %-"+str(widths[0])+"s | %-"+str(widths[1])+"s | %"+str(widths[2])+"d |\n";

  109.     r = bk;

  110.     snprintf(l, sizeof(l)-1,

  111.         ("| %-"+str(widths[0])+"s | %-"+str(widths[1])+"s | %-"+str(widths[2])+"s |\n").c_str(),

  112.         (const char *)"Remote",

  113.         (const char *)"Port(s)",

  114.         (const char *)"Ct"

  115.         );

  116.     r+= l;

  117.     r+= bk;

  118.     for(it = begin(); it!=end(); it++) {

  119.       snprintf(l, sizeof(l)-1, s.c_str(),

  120.         it->first.c_str(),

  121.         it->second.port_list().c_str(),

  122.         it->second.count

  123.       );

  124.       r+=l;

  125.     }

  126.     r+=bk;

  127.     return r;

  128.   }

  129. };

  130. inline ostream &operator<<(ostream &out, const ReportData &r){

  131.   return out << r.ascii();

  132. }

  133. // NOTE: implementation at bottom.

  134. namespace cppdb {

  135.   result &operator>>(result &qry, ::ReportData &rpt);

  136. }

  137. 

  138. 

  139. 

  140. //////////////////////////////////////////////////////////////////////

  141. // Connection Report Generator Application Class

  142. //////////////////////////////////////////////////////////////////////

  143. 

  144. struct appConnectionReport: TrafficMonBaseApp {

  145.   ReportData       rpt;

  146.   string           start_stamp;

  147.   string           end_stamp;

  148.   int              cli_mode; // which non-switch are we processing

  149. 

  150. 

  151.   appConnectionReport(): cli_mode(0) { }

  152. 

  153. 

  154. 

  155.   int help() {

  156.     cerr << "  FORMAT: " << basename(command_args[0]) << " -c {config} {start} {end}\n"

  157.          << '\n'

  158.          << "The config file must have a [Traffic Mon] section with the database\n"

  159.          << "credentials in it. 'start' and 'stop' are the SQL timestamps for\n"

  160.          << "report time span." << endl;

  161.     return 1;

  162.   }

  163. 

  164. 

  165. 

  166.   virtual void do_arg(const char *arg) {

  167.     switch(cli_mode++) {

  168.     case 0:  start_stamp = arg; return;

  169.     case 1:  end_stamp   = arg; return;

  170.     default: throw CLIerror("Invalid arguments");

  171.     }

  172.   }

  173. 

  174. 

  175. 

  176.   int main() {

  177.     cppdb::result qry;

  178.     int x;

  179. 

  180.     /// SETUP & VALIDATE CLI ///

  181. 

  182.     try {

  183.       if(x = TrafficMonBaseApp::main()) return x; // Parse CLI args

  184.       if(cli_mode!=2) throw CLIerror("Invlaid arguments");

  185.     } catch(const CLIerror &e) {

  186.       cerr << e.what() << "\n\n";

  187.       return help();

  188.     }

  189.     /// Query & load data ///

  190. 

  191.     qry = db <<

  192.       "SELECT c.them_name, c.them, c.them_port, count(*) "

  193.       "FROM connections c LEFT OUTER JOIN dns d ON c.them_name=d.name "

  194.       "WHERE c.inbound=0 AND (d.status IS NULL or d.status=0) "

  195.         "AND tstamp>=? AND tstamp<=? "

  196.       "GROUP BY c.them_name, c.them, c.them_port"

  197.       << start_stamp << (end_stamp + " 23:59:59"); // include to the end of the day

  198.     while(qry.next()) qry >> rpt;

  199. 

  200.     /// spit out the report ///

  201. 

  202.     cout << "Web access report for " << start_stamp << " - " << end_stamp << "\n\n"

  203.          << rpt;

  204.     return 0;

  205.   }

  206. 

  207. };

  208. 

  209. 

  210. 

  211. //////////////////////////////////////////////////////////////////////

  212. // Lets run the report and dump it out

  213. //////////////////////////////////////////////////////////////////////

  214. 

  215. MAIN(appConnectionReport)

  216. 

  217. // NOTE: This needs to be down here so it knows of "app", defined by MAIN.

  218. 

  219. namespace cppdb {

  220.   result &operator>>(result &qry, ::ReportData &rpt) {

  221.     Conn rec;

  222.     int ct;

  223.     rec.us="0.0.0.0";

  224.     rec.protocol="TCP";

  225.     rec.in=0;

  226.     qry >> rec.name >> rec.them >> rec.them_port >> ct;

  227.     // NOTE: ignores can only work from remote addresses.

  228.     if(app.config->ignores.vals.find(rec)<0) {

  229.       if(rec.name=="") rec.name=rec.them;

  230.       rpt.add(rec.name, str(rec.them_port), ct);

  231.     }

  232.   }

  233. }