ChipMaster
/
Poor-Mans-IDS
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The Poor Man's (or Woman's) Intrusion Detection System
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
19 Commits
1 Branch
133 KiB
 
 
 
 
Tree: e8521eead9
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e8521eead9'
${ noResults }
Poor-Mans-IDS/trafficmon/badtrafficrpt.cpp

233 lines
6.7 KiB
Raw Blame History 

  1. //////////////////////////////////////////////////////////////////////

  2. // Basic Access Log report

  3. // Written by Jonathan A. Foster <jon@jfpossibilities.com>

  4. // Started August 20th, 2021

  5. // Copyright JF Possibilities, Inc. All rights reserved.

  6. //

  7. // To start with this gather data for a specific access period and

  8. // create a report of domain names and addresses that accessed to and

  9. // from the net. All "accepted" and "blocked" accesses will be

  10. // ignored. For the moment we're expecting blocked traffic is actually

  11. // blocked.

  12. //

  13. // The report will contain three columns:

  14. //   1. domain name or address if a domain is not known.

  15. //   2. list of ports that were connected to.

  16. //   3. count of total connections

  17. //

  18. // 20240319 <jon@jfpossibilities.com>

  19. //   Implemented "ignores" in the report. These use the ignore section

  20. //   used by trafficrpt. But there are some oddities (so far). All

  21. //   report entries are considered to be TCP connections originating

  22. //   from 0.0.0.0 and outbound. This is a cheat to prevent

  23. //   complication in the query process. Its tempting to implement this

  24. //   in trafficmon... but that is a permanent loss of data... still

  25. //   debating.

  26. //////////////////////////////////////////////////////////////////////

  27. #include  <string>

  28. #include  <map>

  29. #include  <iostream>

  30. #include  <stdio.h>

  31. #include  <libgen.h>

  32. 

  33. #include  "../strutil.h"

  34. #include  "appbase.h"

  35. using namespace std;

  36. 

  37. 

  38. 

  39. //////////////////////////////////////////////////////////////////////

  40. // A "line" of a report - a single domain/address

  41. //////////////////////////////////////////////////////////////////////

  42. 

  43. struct ReportLine {

  44.   int             count;

  45.   map<string,int> ports;

  46. 

  47.   // initialize

  48.   ReportLine(): count(0) {}

  49.   // add an item

  50.   void add(const string &port, int _count) {

  51.     ports[port]+=_count;

  52.     count+=_count;

  53.   }

  54.   // ports -> string

  55.   string port_list() const {

  56.     string r;

  57.     map<string,int>::const_iterator it = ports.begin();

  58.     if(it==ports.end()) return r;

  59.     r = it->first;

  60.     for(it++; it!=ports.end(); it++) r+=","+it->first;

  61.     return r;

  62.   }

  63. };

  64. 

  65. 

  66. 

  67. //////////////////////////////////////////////////////////////////////

  68. // A full reports worth of data - domain names / addresses and their

  69. // associated stats.

  70. //////////////////////////////////////////////////////////////////////

  71. 

  72. struct ReportData: map<string,ReportLine> {

  73. 

  74.   // Add an item to the report

  75.   void add(const string &address, const string &port, int count) {

  76.     (*this)[address].add(port, count);

  77.   }

  78. 

  79.   // Render report in an ASCII table

  80.   string ascii() const {

  81.     int widths[3] = {0,0,0}; // max column widths: 0: DNS, 1: ports, 3: counts

  82.     int x;

  83.     char l[256]; l[255]=0;

  84.     string s, r, bk;

  85.     ReportData::const_iterator it;

  86. 

  87.     for(it = begin(); it!=end(); it++) {

  88.       if(it->first.size()>widths[0]) widths[0] = it->first.size();

  89.       s = it->second.port_list();

  90.       if(s.size()>widths[1]) widths[1]=s.size();

  91.       if(it->second.count>widths[2]) widths[2] = it->second.count;

  92.     }

  93.     // Now conver count max to cols

  94.     for(x=0; widths[2]; x++) widths[2] /= 10;

  95.     widths[2] = x ? x : 1;

  96.     // min col widths for titles

  97.     if(widths[0]<6) widths[0]=6;

  98.     if(widths[1]<7) widths[1]=7;

  99.     if(widths[2]<2) widths[2]=2;

  100. 

  101.     // render report

  102.     bk = "+"+string(widths[0]+2, '-')+

  103.          "+"+string(widths[1]+2, '-')+

  104.          "+"+string(widths[2]+2, '-')+

  105.          "+\n";

  106.     s = "| %-"+str(widths[0])+"s | %-"+str(widths[1])+"s | %"+str(widths[2])+"d |\n";

  107.     r = bk;

  108.     snprintf(l, sizeof(l)-1,

  109.         ("| %-"+str(widths[0])+"s | %-"+str(widths[1])+"s | %-"+str(widths[2])+"s |\n").c_str(),

  110.         (const char *)"Remote",

  111.         (const char *)"Port(s)",

  112.         (const char *)"Ct"

  113.         );

  114.     r+= l;

  115.     r+= bk;

  116.     for(it = begin(); it!=end(); it++) {

  117.       snprintf(l, sizeof(l)-1, s.c_str(),

  118.         it->first.c_str(),

  119.         it->second.port_list().c_str(),

  120.         it->second.count

  121.       );

  122.       r+=l;

  123.     }

  124.     r+=bk;

  125.     return r;

  126.   }

  127. };

  128. inline ostream &operator<<(ostream &out, const ReportData &r){

  129.   return out << r.ascii();

  130. }

  131. // NOTE: implementation at bottom.

  132. namespace cppdb {

  133.   result &operator>>(result &qry, ::ReportData &rpt);

  134. }

  135. 

  136. 

  137. 

  138. //////////////////////////////////////////////////////////////////////

  139. // Connection Report Generator Application Class

  140. //////////////////////////////////////////////////////////////////////

  141. 

  142. struct appConnectionReport: TrafficMonBaseApp {

  143.   ReportData       rpt;

  144.   string           start_stamp;

  145.   string           end_stamp;

  146.   int              cli_mode; // which non-switch are we processing

  147. 

  148. 

  149.   appConnectionReport(): cli_mode(0) { }

  150. 

  151. 

  152. 

  153.   int help() {

  154.     cerr << "  FORMAT: " << basename(command_args[0]) << " -c {config} {start} {end}\n"

  155.          << '\n'

  156.          << "The config file must have a [Traffic Mon] section with the database\n"

  157.          << "credentials in it. 'start' and 'stop' are the SQL timestamps for\n"

  158.          << "report time span." << endl;

  159.     return 1;

  160.   }

  161. 

  162. 

  163. 

  164.   virtual void do_arg(const char *arg) {

  165.     switch(cli_mode++) {

  166.     case 0:  start_stamp = arg; return;

  167.     case 1:  end_stamp   = arg; return;

  168.     default: throw CLIerror("Invalid arguments");

  169.     }

  170.   }

  171. 

  172. 

  173. 

  174.   int main() {

  175.     cppdb::result qry;

  176.     int x;

  177. 

  178.     /// SETUP & VALIDATE CLI ///

  179. 

  180.     try {

  181.       if(x = TrafficMonBaseApp::main()) return x; // Parse CLI args

  182.       if(cli_mode!=2) throw CLIerror("Invlaid arguments");

  183.     } catch(const CLIerror &e) {

  184.       cerr << e.what() << "\n\n";

  185.       return help();

  186.     }

  187.     /// Query & load data ///

  188. 

  189.     qry = db <<

  190.       "SELECT c.them_name, c.them, c.them_port, count(*) "

  191.       "FROM connections c LEFT OUTER JOIN dns d ON c.them_name=d.name "

  192.       "WHERE c.inbound=0 AND (d.status IS NULL or d.status=0) "

  193.         "AND tstamp>=? AND tstamp<=? "

  194.       "GROUP BY c.them_name, c.them, c.them_port"

  195.       << start_stamp << (end_stamp + " 23:59:59"); // include to the end of the day

  196.     while(qry.next()) qry >> rpt;

  197. 

  198.     /// spit out the report ///

  199. 

  200.     cout << "Web access report for " << start_stamp << " - " << end_stamp << "\n\n"

  201.          << rpt;

  202.     return 0;

  203.   }

  204. 

  205. };

  206. 

  207. 

  208. 

  209. //////////////////////////////////////////////////////////////////////

  210. // Lets run the report and dump it out

  211. //////////////////////////////////////////////////////////////////////

  212. 

  213. MAIN(appConnectionReport)

  214. 

  215. // NOTE: This needs to be down here so it knows of "app", defined by MAIN.

  216. 

  217. namespace cppdb {

  218.   result &operator>>(result &qry, ::ReportData &rpt) {

  219.     Conn rec;

  220.     int ct;

  221.     rec.us="0.0.0.0";

  222.     rec.protocol="TCP";

  223.     rec.in=0;

  224.     qry >> rec.name >> rec.them >> rec.them_port >> ct;

  225.     // NOTE: ignores can only work from remote addresses.

  226.     if(app.config->ignores.vals.find(rec)<0) {

  227.       if(rec.name=="") rec.name=rec.them;

  228.       rpt.add(rec.name, str(rec.them_port), ct);

  229.     }

  230.       else cerr << "ignored" << endl;

  231.   }

  232. }