From 8db6acd5af1dfbeffd0cb1baa128b7fa7a97c317 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 8 May 2011 21:25:59 +0200
Subject: [PATCH] Revert "Initial version of logs ranking"

This reverts commit d6bb36646ec80b40b991d1883e24f43a6f1899e6.

---
 git/logs-ranking/README.md | 55 ----------------
 git/logs-ranking/bin/logs-ranking.pl | 94 ----------------------------
 2 files changed, 149 deletions(-)
 delete mode 100644 git/logs-ranking/README.md
 delete mode 100644 git/logs-ranking/bin/logs-ranking.pl

diff --git a/git/logs-ranking/README.md b/git/logs-ranking/README.md
deleted file mode 100644
index b7b5ea3..0000000
--- a/git/logs-ranking/README.md
+++ /dev/null
@@ -1,55 +0,0 @@
-logs-ranking
-============
-
-logs-ranking is a simple Perl script to add [BGP security ranking](http://bgpranking.circl.lu/) for
-each IP address seen. The purpose is to ease network security analysis by providing a weight to
-each log entry especially when you have large dataset.
-
-logs-ranking queries two Whois interface:
-
-* RIPE RIS interface
-* CIRCL BGP Ranking interface.
-
-logs-ranking is currently supporting Apache common/combined logs format.
-
-
-Usage
------
-
- cat ../logs/www.foo.be-access.log| perl logs-ranking.pl >www.foo.be-access.log-ranked
-
-After gathering the BGP security ranking for your logs, it will be prepended to
-the log files with the following format:
-
-,,original line
-
-So you can use whatever tools to sort, merge, cut the ranked logs. For example,
-you can use sort to sort with the higher score value:
-
- sort -r -g -t"," -k2 myrankedlogfiles.txt
-
-Software required
------------------
-
-* A recent version of Perl
-* [Net::Whois::RIS](http://search.cpan.org/dist/Net-Whois-RIS/)
-
-License
--------
-
-Copyright (C) 2011 Alexandre Dulaunoy
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License
-along with this program. If not, see .
-
-
diff --git a/git/logs-ranking/bin/logs-ranking.pl b/git/logs-ranking/bin/logs-ranking.pl
deleted file mode 100644
index 7d2c30a..0000000
--- a/git/logs-ranking/bin/logs-ranking.pl
+++ /dev/null
@@ -1,94 +0,0 @@
-#!/usr/bin/perl
-
-use strict;
-
-use Net::Whois::RIS;
-use Socket;
-$| = 1;
-
-my %iporigin;
-my %ipranking;
-
-sub BGPRankingLookup {
- my $asn = shift;
- $asn =~ s/AS//g;
- my $bgpranking =
- IO::Socket::INET->new( PeerAddr => "pdns.circl.lu", PeerPort => 43 )
- or die();
- print $bgpranking $asn . "\n";
- my $x;
- while (<$bgpranking>) {
- $x = $x . $_;
- }
- return $x;
-
- $bgpranking->shutdown();
-}
-
-sub getASN {
- my $ip = shift; #or hostname
-
- if ( !( $ip =~ /^(\d+\.){3}\d+$/ ) ) {
- my $ipn = inet_aton($ip) or next;
- $ip = inet_ntoa($ipn);
- }
-
- my $l = Net::Whois::RIS->new();
- $l->getIPInfo($ip);
- return $l->getOrigin();
-}
-
-sub ipExist {
- my $ip = shift;
-
- if ( exists $iporigin{$ip} ) {
- return 1;
- }
- else {
- return undef;
- }
-
-}
-
-sub rankingExist {
- my $ip = shift;
-
- if ( exists $ipranking{$ip} ) {
- return 1;
- }
- else {
- return undef;
- }
-}
-
-sub ipAdd {
- my $ip = shift;
- my $asn = shift;
-
- $iporigin{$ip} = $asn;
-}
-
-sub rankingAdd {
- my $ip = shift;
- my $ranking = shift;
- $ipranking{$ip} = $ranking;
-
-}
-
-while () {
- my $saved = $_;
- my @ipext = split( / /, $_, );
- my $ip = $ipext[0];
-
- if ( not ipExist($ip) ) {
- ipAdd( $ip, getASN($ip) );
- }
- if ( not rankingExist($ip) ) {
- my @rankl = split( /,/, BGPRankingLookup( $iporigin{$ip} ) );
- rankingAdd( $ip, $rankl[1] );
- }
-
- my @rankl = split( /,/, BGPRankingLookup( $iporigin{$ip} ) );
- print $iporigin{$ip} . "," . $ipranking{$ip} . "," . $saved;
-}
-