From d6bb36646ec80b40b991d1883e24f43a6f1899e6 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 8 May 2011 21:24:09 +0200
Subject: [PATCH] Initial version of logs ranking
---
 git/logs-ranking/README.md | 55 ++++++++++++++++
 git/logs-ranking/bin/logs-ranking.pl | 94 ++++++++++++++++++++++++++++
 2 files changed, 149 insertions(+)
 create mode 100644 git/logs-ranking/README.md
 create mode 100644 git/logs-ranking/bin/logs-ranking.pl
diff --git a/git/logs-ranking/README.md b/git/logs-ranking/README.md
new file mode 100644
index 0000000..b7b5ea3
--- /dev/null
+++ b/git/logs-ranking/README.md
@@ -0,0 +1,55 @@
+logs-ranking
+============
+
+logs-ranking is a simple Perl script to add [BGP security ranking](http://bgpranking.circl.lu/) for
+each IP address seen. The purpose is to ease network security analysis by providing a weight to
+each log entry especially when you have large dataset.
+
+logs-ranking queries two Whois interface:
+
+* RIPE RIS interface
+* CIRCL BGP Ranking interface.
+
+logs-ranking is currently supporting Apache common/combined logs format.
+
+
+Usage
+-----
+
+ cat ../logs/www.foo.be-access.log| perl logs-ranking.pl >www.foo.be-access.log-ranked
+
+After gathering the BGP security ranking for your logs, it will be prepended to
+the log files with the following format:
+
+,,original line
+
+So you can use whatever tools to sort, merge, cut the ranked logs. For example,
+you can use sort to sort with the higher score value:
+
+ sort -r -g -t"," -k2 myrankedlogfiles.txt
+
+Software required
+-----------------
+
+* A recent version of Perl
+* [Net::Whois::RIS](http://search.cpan.org/dist/Net-Whois-RIS/)
+
+License
+-------
+
+Copyright (C) 2011 Alexandre Dulaunoy
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see .
+
+
diff --git a/git/logs-ranking/bin/logs-ranking.pl b/git/logs-ranking/bin/logs-ranking.pl
new file mode 100644
index 0000000..7d2c30a
--- /dev/null
+++ b/git/logs-ranking/bin/logs-ranking.pl
@@ -0,0 +1,94 @@
+#!/usr/bin/perl
+
+use strict;
+
+use Net::Whois::RIS;
+use Socket;
+$| = 1;
+
+my %iporigin;
+my %ipranking;
+
+sub BGPRankingLookup {
+ my $asn = shift;
+ $asn =~ s/AS//g;
+ my $bgpranking =
+ IO::Socket::INET->new( PeerAddr => "pdns.circl.lu", PeerPort => 43 )
+ or die();
+ print $bgpranking $asn . "\n";
+ my $x;
+ while (<$bgpranking>) {
+ $x = $x . $_;
+ }
+ return $x;
+
+ $bgpranking->shutdown();
+}
+
+sub getASN {
+ my $ip = shift; #or hostname
+
+ if ( !( $ip =~ /^(\d+\.){3}\d+$/ ) ) {
+ my $ipn = inet_aton($ip) or next;
+ $ip = inet_ntoa($ipn);
+ }
+
+ my $l = Net::Whois::RIS->new();
+ $l->getIPInfo($ip);
+ return $l->getOrigin();
+}
+
+sub ipExist {
+ my $ip = shift;
+
+ if ( exists $iporigin{$ip} ) {
+ return 1;
+ }
+ else {
+ return undef;
+ }
+
+}
+
+sub rankingExist {
+ my $ip = shift;
+
+ if ( exists $ipranking{$ip} ) {
+ return 1;
+ }
+ else {
+ return undef;
+ }
+}
+
+sub ipAdd {
+ my $ip = shift;
+ my $asn = shift;
+
+ $iporigin{$ip} = $asn;
+}
+
+sub rankingAdd {
+ my $ip = shift;
+ my $ranking = shift;
+ $ipranking{$ip} = $ranking;
+
+}
+
+while () {
+ my $saved = $_;
+ my @ipext = split( / /, $_, );
+ my $ip = $ipext[0];
+
+ if ( not ipExist($ip) ) {
+ ipAdd( $ip, getASN($ip) );
+ }
+ if ( not rankingExist($ip) ) {
+ my @rankl = split( /,/, BGPRankingLookup( $iporigin{$ip} ) );
+ rankingAdd( $ip, $rankl[1] );
+ }
+
+ my @rankl = split( /,/, BGPRankingLookup( $iporigin{$ip} ) );
+ print $iporigin{$ip} . "," . $ipranking{$ip} . "," . $saved;
+}
+
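Review bot: The second `my @rankl = split( /,/, BGPRankingLookup( $iporigin{$ip} ) );` just before the final `print` in the `while` loop opens a new connection to the ranking service for every log line and then discards the result, so the `%ipranking` cache built a few lines above never saves a round trip; that line should be deleted. The cached value `$rankl[1]` is stored unchecked, so an empty or error reply is remembered as undef and printed as a blank field for that IP for the rest of the run — guard it with `defined $rankl[1]` before calling `rankingAdd`. In `getASN`, `inet_aton($ip) or next` leaves the subroutine via `next` (a warning and a jump into the caller's loop) and resolves whatever token starts the log line, so a non-IP first field causes a blocking resolver lookup driven by log content; `return;` is the right exit there, and the caller should skip the line when the ASN comes back undef. `IO::Socket::INET` is used in `BGPRankingLookup` without a `use IO::Socket::INET;`, the `$bgpranking->shutdown();` after `return $x;` is unreachable (and `$x` is concatenated uninitialised), and the file lacks `use warnings;`. The loop header shows as `while () {` here, presumably `while (<STDIN>)` with the handle lost in rendering; the points above apply either way.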