Initial version of logs ranking

git/logs-ranking/README.md

@@ -0,0 +1,55 @@
+logs-ranking
+============
+
+logs-ranking is a simple Perl script to add [BGP security ranking](http://bgpranking.circl.lu/) for
+each IP address seen. The purpose is to ease network security analysis by providing a weight to
+each log entry especially when you have large dataset.
+
+logs-ranking queries two Whois interface:
+
+* RIPE RIS interface
+* CIRCL BGP Ranking interface.
+
+logs-ranking is currently supporting Apache common/combined logs format.
+
+
+Usage
+-----
+
+    cat ../logs/www.foo.be-access.log|  perl logs-ranking.pl >www.foo.be-access.log-ranked
+
+After gathering the BGP security ranking for your logs, it will be prepended to
+the log files with the following format:
+
+<ASN>,<BGP ranking value in float>,original line
+
+So you can use whatever tools to sort, merge, cut the ranked logs. For example,
+you can use sort to sort with the higher score value:
+
+    sort -r -g -t"," -k2 myrankedlogfiles.txt
+
+Software required
+-----------------
+
+* A recent version of Perl
+* [Net::Whois::RIS](http://search.cpan.org/dist/Net-Whois-RIS/)
+
+License
+-------
+
+Copyright (C) 2011 Alexandre Dulaunoy
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+

git/logs-ranking/bin/logs-ranking.pl

@@ -0,0 +1,94 @@
+#!/usr/bin/perl
+
+use strict;
+
+use Net::Whois::RIS;
+use Socket;
+$| = 1;
+
+my %iporigin;
+my %ipranking;
+
+sub BGPRankingLookup {
+    my $asn = shift;
+    $asn =~ s/AS//g;
+    my $bgpranking =
+      IO::Socket::INET->new( PeerAddr => "pdns.circl.lu", PeerPort => 43 )
+      or die();
+    print $bgpranking $asn . "\n";
+    my $x;
+    while (<$bgpranking>) {
+        $x = $x . $_;
+    }
+    return $x;
+
+    $bgpranking->shutdown();
+}
+
+sub getASN {
+    my $ip = shift;    #or hostname
+
+    if ( !( $ip =~ /^(\d+\.){3}\d+$/ ) ) {
+        my $ipn = inet_aton($ip) or next;
+        $ip = inet_ntoa($ipn);
+    }
+
+    my $l = Net::Whois::RIS->new();
+    $l->getIPInfo($ip);
+    return $l->getOrigin();
+}
+
+sub ipExist {
+    my $ip = shift;
+
+    if ( exists $iporigin{$ip} ) {
+        return 1;
+    }
+    else {
+        return undef;
+    }
+
+}
+
+sub rankingExist {
+    my $ip = shift;
+
+    if ( exists $ipranking{$ip} ) {
+        return 1;
+    }
+    else {
+        return undef;
+    }
+}
+
+sub ipAdd {
+    my $ip  = shift;
+    my $asn = shift;
+
+    $iporigin{$ip} = $asn;
+}
+
+sub rankingAdd {
+    my $ip      = shift;
+    my $ranking = shift;
+    $ipranking{$ip} = $ranking;
+
+}
+
+while (<STDIN>) {
+    my $saved = $_;
+    my @ipext = split( / /, $_, );
+    my $ip    = $ipext[0];
+
+    if ( not ipExist($ip) ) {
+        ipAdd( $ip, getASN($ip) );
+    }
+    if ( not rankingExist($ip) ) {
+        my @rankl = split( /,/, BGPRankingLookup( $iporigin{$ip} ) );
+        rankingAdd( $ip, $rankl[1] );
+    }
+
+    my @rankl = split( /,/, BGPRankingLookup( $iporigin{$ip} ) );
+    print $iporigin{$ip} . "," . $ipranking{$ip} . "," . $saved;
+}
+