ChipMaster
/
Poor-Mans-IDS
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The Poor Man's (or Woman's) Intrusion Detection System
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16 Commits
1 Branch
133 KiB
 
 
 
 
Tree: d12a3e9f4d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd12a3e9f4d'
${ noResults }
Poor-Mans-IDS/trafficmon/badtrafficrpt.cpp

210 lines
5.8 KiB
Raw Blame History 

  1. //////////////////////////////////////////////////////////////////////

  2. // Basic Access Log report

  3. // Written by Jonathan A. Foster <jon@jfpossibilities.com>

  4. // Started August 20th, 2021

  5. // Copyright JF Possibilities, Inc. All rights reserved.

  6. //

  7. // To start with this gather data for a specific access period and

  8. // create a report of domain names and addresses that accessed to and

  9. // from the net. All "accepted" and "blocked" accesses will be

  10. // ignored. For the moment we're expecting blocked traffic is actually

  11. // blocked.

  12. //

  13. // The report will contain three columns:

  14. //   1. domain name or address if a domain is not known.

  15. //   2. list of ports that were connected to.

  16. //   3. count of total connections

  17. //////////////////////////////////////////////////////////////////////

  18. #include  <string>

  19. #include  <map>

  20. #include  <iostream>

  21. #include  <stdio.h>

  22. #include  <libgen.h>

  23. 

  24. #include  "../strutil.h"

  25. #include  "appbase.h"

  26. using namespace std;

  27. 

  28. 

  29. 

  30. //////////////////////////////////////////////////////////////////////

  31. // A "line" of a report - a single domain/address

  32. //////////////////////////////////////////////////////////////////////

  33. 

  34. struct ReportLine {

  35.   int             count;

  36.   map<string,int> ports;

  37. 

  38.   // initialize

  39.   ReportLine(): count(0) {}

  40.   // add an item

  41.   void add(const string &port, int _count) {

  42.     ports[port]+=_count;

  43.     count+=_count;

  44.   }

  45.   // ports -> string

  46.   string port_list() const {

  47.     string r;

  48.     map<string,int>::const_iterator it = ports.begin();

  49.     if(it==ports.end()) return r;

  50.     r = it->first;

  51.     for(it++; it!=ports.end(); it++) r+=","+it->first;

  52.     return r;

  53.   }

  54. };

  55. 

  56. 

  57. 

  58. //////////////////////////////////////////////////////////////////////

  59. // A full reports worth of data - domain names / addresses and their

  60. // associated stats.

  61. //////////////////////////////////////////////////////////////////////

  62. 

  63. struct ReportData: map<string,ReportLine> {

  64. 

  65.   // Add an item to the report

  66.   void add(const string &address, const string &port, int count) {

  67.     (*this)[address].add(port, count);

  68.   }

  69. 

  70.   // Render report in an ASCII table

  71.   string ascii() const {

  72.     int widths[3] = {0,0,0}; // max column widths: 0: DNS, 1: ports, 3: counts

  73.     int x;

  74.     char l[256]; l[255]=0;

  75.     string s, r, bk;

  76.     ReportData::const_iterator it;

  77. 

  78.     for(it = begin(); it!=end(); it++) {

  79.       if(it->first.size()>widths[0]) widths[0] = it->first.size();

  80.       s = it->second.port_list();

  81.       if(s.size()>widths[1]) widths[1]=s.size();

  82.       if(it->second.count>widths[2]) widths[2] = it->second.count;

  83.     }

  84.     // Now conver count max to cols

  85.     for(x=0; widths[2]; x++) widths[2] /= 10;

  86.     widths[2] = x ? x : 1;

  87.     // min col widths for titles

  88.     if(widths[0]<6) widths[0]=6;

  89.     if(widths[1]<7) widths[1]=7;

  90.     if(widths[2]<2) widths[2]=2;

  91. 

  92.     // render report

  93.     bk = "+"+string(widths[0]+2, '-')+

  94.          "+"+string(widths[1]+2, '-')+

  95.          "+"+string(widths[2]+2, '-')+

  96.          "+\n";

  97.     s = "| %-"+str(widths[0])+"s | %-"+str(widths[1])+"s | %"+str(widths[2])+"d |\n";

  98.     r = bk;

  99.     snprintf(l, sizeof(l)-1,

  100.         ("| %-"+str(widths[0])+"s | %-"+str(widths[1])+"s | %-"+str(widths[2])+"s |\n").c_str(),

  101.         (const char *)"Remote",

  102.         (const char *)"Port(s)",

  103.         (const char *)"Ct"

  104.         );

  105.     r+= l;

  106.     r+= bk;

  107.     for(it = begin(); it!=end(); it++) {

  108.       snprintf(l, sizeof(l)-1, s.c_str(),

  109.         it->first.c_str(),

  110.         it->second.port_list().c_str(),

  111.         it->second.count

  112.       );

  113.       r+=l;

  114.     }

  115.     r+=bk;

  116.     return r;

  117.   }

  118. };

  119. inline ostream &operator<<(ostream &out, const ReportData &r){

  120.   return out << r.ascii();

  121. }

  122. namespace cppdb {

  123.   result &operator>>(result &qry, ::ReportData &rpt) {

  124.     string name, addr, port;

  125.     int ct;

  126.     qry >> name >> addr >> port >> ct;

  127.     if(name=="") name=addr;

  128.     rpt.add(name, port, ct);

  129.   }

  130. }

  131. 

  132. 

  133. 

  134. //////////////////////////////////////////////////////////////////////

  135. // Connection Report Generator Application Class

  136. //////////////////////////////////////////////////////////////////////

  137. 

  138. struct appConnectionReport: TrafficMonBaseApp {

  139.   ReportData       rpt;

  140.   string           start_stamp;

  141.   string           end_stamp;

  142.   int              cli_mode; // which non-switch are we processing

  143. 

  144. 

  145.   appConnectionReport(): cli_mode(0) { }

  146. 

  147. 

  148. 

  149.   int help() {

  150.     cerr << "  FORMAT: " << basename(command_args[0]) << " -c {config} {start} {end}\n"

  151.          << '\n'

  152.          << "The config file must have a [Traffic Mon] section with the database\n"

  153.          << "credentials in it. 'start' and 'stop' are the SQL timestamps for\n"

  154.          << "report time span." << endl;

  155.     return 1;

  156.   }

  157. 

  158. 

  159. 

  160.   virtual void do_arg(const char *arg) {

  161.     switch(cli_mode++) {

  162.     case 0:  start_stamp = arg; return;

  163.     case 1:  end_stamp   = arg; return;

  164.     default: throw CLIerror("Invalid arguments");

  165.     }

  166.   }

  167. 

  168. 

  169. 

  170.   int main() {

  171.     cppdb::result qry;

  172.     int x;

  173. 

  174.     /// SETUP & VALIDATE CLI ///

  175. 

  176.     try {

  177.       if(x = TrafficMonBaseApp::main()) return x; // Parse CLI args

  178.       if(cli_mode!=2) throw CLIerror("Invlaid arguments");

  179.     } catch(const CLIerror &e) {

  180.       cerr << e.what() << "\n\n";

  181.       return help();

  182.     }

  183.     /// Query & load data ///

  184. 

  185.     qry = db <<

  186.       "SELECT c.them_name, c.them, c.them_port, count(*) "

  187.       "FROM connections c LEFT OUTER JOIN dns d ON c.them_name=d.name "

  188.       "WHERE c.inbound=0 AND (d.status IS NULL or d.status=0) "

  189.         "AND tstamp>=? AND tstamp<=? "

  190.       "GROUP BY c.them_name, c.them, c.them_port"

  191.       << start_stamp << (end_stamp + " 23:59:59"); // include to the end of the day

  192.     while(qry.next()) qry >> rpt;

  193. 

  194.     /// spit out the report ///

  195. 

  196.     cout << "Web access report for " << start_stamp << " - " << end_stamp << "\n\n"

  197.          << rpt;

  198.     return 0;

  199.   }

  200. 

  201. };

  202. 

  203. 

  204. 

  205. //////////////////////////////////////////////////////////////////////

  206. // Lets run the report and dump it out

  207. //////////////////////////////////////////////////////////////////////

  208. 

  209. MAIN(appConnectionReport)