ChipMaster
/
Poor-Mans-IDS
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The Poor Man's (or Woman's) Intrusion Detection System
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
15 Commits
1 Branch
133 KiB
 
 
 
 
Tree: bb0278f2a5
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'bb0278f2a5'
${ noResults }
Poor-Mans-IDS/trafficmon/badtrafficrpt.cpp

251 lines
7.1 KiB
Raw Blame History 

  1. //////////////////////////////////////////////////////////////////////

  2. // Basic Access Log report

  3. // Written by Jonathan A. Foster <jon@jfpossibilities.com>

  4. // Started August 20th, 2021

  5. // Copyright JF Possibilities, Inc. All rights reserved.

  6. //

  7. // To start with this gather data for a specific access period and

  8. // create a report of domain names and addresses that accessed to and

  9. // from the net. All "accepted" and "blocked" accesses will be

  10. // ignored. For the moment we're expecting blocked traffic is actually

  11. // blocked.

  12. //

  13. // The report will contain three columns:

  14. //   1. domain name or address if a domain is not known.

  15. //   2. list of ports that were connected to.

  16. //   3. count of total connections

  17. //////////////////////////////////////////////////////////////////////

  18. #include  <string>

  19. #include  <map>

  20. #include  <iostream>

  21. #include  <stdio.h>

  22. #include  <libgen.h>

  23. #include  <cppdb/frontend.h>

  24. 

  25. #include  "../strutil.h"

  26. #include  "../cli.h"

  27. #include  "../miniini.h"

  28. using namespace std;

  29. 

  30. 

  31. 

  32. //////////////////////////////////////////////////////////////////////

  33. // A "line" of a report - a single domain/address

  34. //////////////////////////////////////////////////////////////////////

  35. 

  36. struct ReportLine {

  37.   int             count;

  38.   map<string,int> ports;

  39. 

  40.   // initialize

  41.   ReportLine(): count(0) {}

  42.   // add an item

  43.   void add(const string &port, int _count) {

  44.     ports[port]+=_count;

  45.     count+=_count;

  46.   }

  47.   // ports -> string

  48.   string port_list() const {

  49.     string r;

  50.     map<string,int>::const_iterator it = ports.begin();

  51.     if(it==ports.end()) return r;

  52.     r = it->first;

  53.     for(it++; it!=ports.end(); it++) r+=","+it->first;

  54.     return r;

  55.   }

  56. };

  57. 

  58. 

  59. 

  60. //////////////////////////////////////////////////////////////////////

  61. // A full reports worth of data - domain names / addresses and their

  62. // associated stats.

  63. //////////////////////////////////////////////////////////////////////

  64. 

  65. struct ReportData: map<string,ReportLine> {

  66. 

  67.   // Add an item to the report

  68.   void add(const string &address, const string &port, int count) {

  69.     (*this)[address].add(port, count);

  70.   }

  71. 

  72.   // Render report in an ASCII table

  73.   string ascii() const {

  74.     int widths[3] = {0,0,0}; // max column widths: 0: DNS, 1: ports, 3: counts

  75.     int x;

  76.     char l[256]; l[255]=0;

  77.     string s, r, bk;

  78.     ReportData::const_iterator it;

  79. 

  80.     for(it = begin(); it!=end(); it++) {

  81.       if(it->first.size()>widths[0]) widths[0] = it->first.size();

  82.       s = it->second.port_list();

  83.       if(s.size()>widths[1]) widths[1]=s.size();

  84.       if(it->second.count>widths[2]) widths[2] = it->second.count;

  85.     }

  86.     // Now conver count max to cols

  87.     for(x=0; widths[2]; x++) widths[2] /= 10;

  88.     widths[2] = x ? x : 1;

  89.     // min col widths for titles

  90.     if(widths[0]<6) widths[0]=6;

  91.     if(widths[1]<7) widths[1]=7;

  92.     if(widths[2]<2) widths[2]=2;

  93. 

  94.     // render report

  95.     bk = "+"+string(widths[0]+2, '-')+

  96.          "+"+string(widths[1]+2, '-')+

  97.          "+"+string(widths[2]+2, '-')+

  98.          "+\n";

  99.     s = "| %-"+str(widths[0])+"s | %-"+str(widths[1])+"s | %"+str(widths[2])+"d |\n";

  100.     r = bk;

  101.     snprintf(l, sizeof(l)-1,

  102.         ("| %-"+str(widths[0])+"s | %-"+str(widths[1])+"s | %-"+str(widths[2])+"s |\n").c_str(),

  103.         (const char *)"Remote",

  104.         (const char *)"Port(s)",

  105.         (const char *)"Ct"

  106.         );

  107.     r+= l;

  108.     r+= bk;

  109.     for(it = begin(); it!=end(); it++) {

  110.       snprintf(l, sizeof(l)-1, s.c_str(),

  111.         it->first.c_str(),

  112.         it->second.port_list().c_str(),

  113.         it->second.count

  114.       );

  115.       r+=l;

  116.     }

  117.     r+=bk;

  118.     return r;

  119.   }

  120. };

  121. inline ostream &operator<<(ostream &out, const ReportData &r){

  122.   return out << r.ascii();

  123. }

  124. namespace cppdb {

  125.   result &operator>>(result &qry, ::ReportData &rpt) {

  126.     string name, addr, port;

  127.     int ct;

  128.     qry >> name >> addr >> port >> ct;

  129.     if(name=="") name=addr;

  130.     rpt.add(name, port, ct);

  131.   }

  132. }

  133. 

  134. 

  135. //////////////////////////////////////////////////////////////////////

  136. // Our config file.

  137. //

  138. // This is designed so that all parts can use the same config. Tools

  139. // ignore the parts they aren't interested in.

  140. //////////////////////////////////////////////////////////////////////

  141. 

  142. /* TODO: refactor this as a base class... */

  143. struct ReportConf: public MiniINI {

  144.   MiniINIvars  traffic_mon; // This app's config variables

  145. 

  146.   ReportConf() { groups["Traffic Mon"] = &traffic_mon; }

  147. };

  148. 

  149. 

  150. 

  151. //////////////////////////////////////////////////////////////////////

  152. // Connection Report Generator Application Class

  153. //////////////////////////////////////////////////////////////////////

  154. 

  155. struct appConnectionReport: cBaseApp {

  156.   ReportConf      config;

  157.   ReportData      rpt;

  158.   cppdb::session  db;

  159.   string          start_stamp;

  160.   string          end_stamp;

  161.   int             cli_mode; // which non-switch are we processing

  162. 

  163. 

  164.   appConnectionReport(): cli_mode(0) {}

  165. 

  166. 

  167. 

  168.   int help() {

  169.     cerr << "  FORMAT: " << basename(command_args[0]) << " -c {config} {start} {end}\n"

  170.          << '\n'

  171.          << "The config file must have a [Traffic Mon] section with the database\n"

  172.          << "credentials in it. 'start' and 'stop' are the SQL timestamps for\n"

  173.          << "report time span." << endl;

  174.   }

  175.   

  176.   

  177.   

  178.   virtual unsigned do_switch(const char *arg) {

  179.     if(*arg=='c' && !arg[1]) return 1;

  180.     throw CLIerror("Invalid switch "+string(arg));

  181.   }

  182. 

  183. 

  184. 

  185.   virtual void do_switch_arg(const char *sw, const std::string &val) {

  186.     // The only way we get here is with -c

  187.     config.load(val);

  188.     // TODO: config validity checks

  189.   }

  190. 

  191. 

  192. 

  193.   virtual void do_arg(const char *arg) {

  194.     switch(cli_mode++) {

  195.     case 0:  start_stamp = arg; return;

  196.     case 1:  end_stamp   = arg; return;

  197.     default: throw CLIerror("Invalid arguments");

  198.     }

  199.   }

  200.   

  201.   

  202. 

  203.   int main() {

  204.     cppdb::result qry;

  205. 

  206.     /// SETUP & VALIDATE CLI ///

  207. 

  208.     try {

  209.       cBaseApp::main(); // Parse CLI args

  210.       if(!config.traffic_mon.vals.size()) throw CLIerror(

  211.         "You need to load a config file with a [Traffic Mon] section"

  212.       );

  213.       if(cli_mode!=2) throw CLIerror("Invlaid arguments");

  214.     } catch(const CLIerror &e) {

  215.       cerr << e.what() << "\n\n";

  216.       return help();

  217.     }

  218.     db.open("mysql:user="+qesc(config.traffic_mon.get("db user"))+

  219.       ";password="+qesc(config.traffic_mon.get("db password"))+

  220.       ";host="+qesc(config.traffic_mon.get("db host"))+

  221.       ";database="+qesc(config.traffic_mon.get("db name"))+

  222.       ";@opt_reconnect=1");

  223. 

  224.     /// Query & load data ///

  225. 

  226.     qry = db <<

  227.       "SELECT c.them_name, c.them, c.them_port, count(*) "

  228.       "FROM connections c LEFT OUTER JOIN dns d ON c.them_name=d.name "

  229.       "WHERE c.inbound=0 AND (d.status IS NULL or d.status=0) "

  230.         "AND tstamp>=? AND tstamp<=? "

  231.       "GROUP BY c.them_name, c.them, c.them_port"

  232.       << start_stamp << (end_stamp + " 23:59:59"); // include to the end of the day

  233.     while(qry.next()) qry >> rpt;

  234. 

  235.     /// spit out the report ///

  236. 

  237.     cout << "Web access report for " << start_stamp << " - " << end_stamp << "\n\n"

  238.          << rpt;

  239.     return 0;

  240.   }

  241. 

  242. };

  243. 

  244. 

  245. 

  246. //////////////////////////////////////////////////////////////////////

  247. // Lets run the report and dump it out

  248. //////////////////////////////////////////////////////////////////////

  249. 

  250. MAIN(appConnectionReport)