Hi all, this is what I have been working on over the weekend and a bit more, and now it works, so here it is. Please comment on it. As you might see, I am developing a simple Intrusion Detection System. I will be adding more signatures in time, and there is a sensor for it that collects packets off the wire by using TCPDUMP. Developed in Linux Mandrake, it is for my dissertation for my degree in Computer Science from Brunel Uni.
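#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(strftime);
use Time::Local;
use Term::ANSIColor;
use DBI;
use Benchmark;
use IO::Seekable;
use Fcntl ':seek';

# Post-processor for a simple signature-based intrusion detection sensor.
#
# Tails a tcpdump text log (path given as the first argument).  On every
# pass over the lines appended since the previous pass:
#   * build_db()   stores each "src.port > dst.port:" line in table `connect`
#   * icmp_alert() stores each "icmp: echo request" line in table `icmpalert`
# Both passes start from the same file offset, so every new line is seen
# exactly once by each of them.

my $filein = $ARGV[0];
defined $filein or die "usage: $0 <tcpdump-log>\n";

# Three-arg open with a lexical handle.  The path comes from the command
# line; the two-arg form would interpret a leading/trailing '|', '>' or '<'
# in it as an open mode (pipe, write) instead of as part of the file name.
open my $fh, '<', $filein or die "open $filein: $!";

my $dsn         = "DBI:mysql:connections:localhost";
my $db_user     = 'root';
my $db_password = "";    # NOTE(review): credentials are hardcoded, as in the original

# A single connection for the whole run.  The original reconnected once per
# inserted record and never disconnected any of those handles.
my $dbh = DBI->connect($dsn, $db_user, $db_password, { RaiseError => 1 });

# File offset at which the current pass starts; set by main_prog() and read
# by build_db() and icmp_alert().
my $filepos = 0;

table();
main_prog();

# Create the two tables when they do not exist yet.  The original used a
# plain CREATE TABLE which, under RaiseError, aborted every run but the first.
sub table {
    my @createcode = (
        "CREATE TABLE IF NOT EXISTS connect ("
            . "date VARCHAR(20) NOT NULL,"
            . "recordtime VARCHAR(20) NOT NULL,"
            . "srcip VARCHAR(20) NOT NULL,"
            . "srcport VARCHAR(20) NOT NULL,"
            . "dstip VARCHAR(20) NOT NULL,"
            . "dstport VARCHAR(20) NOT NULL);",
        "CREATE TABLE IF NOT EXISTS icmpalert ("
            . "date VARCHAR(20) NOT NULL,"
            . "recordtime VARCHAR(20) NOT NULL,"
            . "srcip VARCHAR(30) NOT NULL,"
            . "dstip VARCHAR(30) NOT NULL,"
            . "icmpalert VARCHAR(70) NOT NULL);",
    );
    doStatements(@createcode);
    return;
}

# Run every SQL statement in @_ on the shared handle.  RaiseError => 1
# makes a failing statement die with the driver's message, so the original's
# errstr handling (which assigned a string to a hash) is not needed.  The
# empty prototype the original declared has been dropped: it does not check
# arguments and contradicts the call above.
sub doStatements {
    my (@code) = @_;
    for my $sql (@code) {
        $dbh->do($sql);
    }
    return;
}

# Poll loop: every 50 seconds process whatever tcpdump appended since the
# last pass.  Never returns.
sub main_prog {
    my $pass = 0;
    while (1) {
        $filepos = tell $fh;    # both passes below start from here
        build_db();
        icmp_alert();
        $pass++;
        print "pass $pass\n";
        sleep 50;
        # A zero-length seek clears the handle's EOF condition so the next
        # read returns lines appended to the log in the meantime.
        seek $fh, 0, SEEK_CUR;
    }
}

# Current UTC date and hour, recomputed for every record.  The original
# took gmtime once at start-up, so every row carried the start-up hour.
sub _date_hour {
    return strftime("%Y%m%d%H", gmtime);
}

# Split tcpdump's "A.B.C.D.port" field (optionally ending in ':') into
# (address, port).  The port is '' when the field is a bare address, which
# is what the original stored for such lines.  Returns the empty list when
# the field does not start with a dotted quad.
sub _split_addr_port {
    my ($field) = @_;
    return unless defined $field;
    $field =~ s/:\z//;
    my ($ip, $port) = $field =~ m/\A(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\.(\d+))?\z/;
    return unless defined $ip;
    return ($ip, defined $port ? $port : '');
}

# Pass 1: each line of the form
#   HH:MM:SS.uuuuuu A.B.C.D.sport > E.F.G.H.dport: ...
# becomes a row in `connect`.  Lines whose first field is not a timestamp
# or whose second/fourth fields are not addresses are skipped.
sub build_db {
    my $counter = 0;
    seek $fh, $filepos, SEEK_SET;

    # The field values come straight off the wire, so they are passed as
    # bind parameters.  The original interpolated them into the SQL text.
    my $insert = $dbh->prepare(
        'INSERT INTO connect (date, recordtime, srcip, srcport, dstip, dstport)'
        . ' VALUES (?, ?, ?, ?, ?, ?)'
    );

    while (my $line = <$fh>) {
        chomp $line;
        my ($tstamp, $src, undef, $dst) = split /\s+/, $line;
        next unless defined $tstamp && $tstamp =~ m/\d{2}:\d{2}:\d{2}\.\d{6}/;
        my ($srcip, $srcport) = _split_addr_port($src) or next;
        my ($dstip, $dstport) = _split_addr_port($dst) or next;

        $insert->execute(_date_hour(), $tstamp, $srcip, $srcport, $dstip, $dstport);
        $counter++;
        print "Running in DB: $counter\n";
    }
    return;
}

# Pass 2: each line ending in "icmp: echo request" becomes a row in
# `icmpalert`.  Fields (whitespace separated): time, src, '>', 'dst:', and
# the three words of the signature.
sub icmp_alert {
    seek $fh, $filepos, SEEK_SET;

    my $insert = $dbh->prepare(
        'INSERT INTO icmpalert (date, recordtime, srcip, dstip, icmpalert)'
        . ' VALUES (?, ?, ?, ?, ?)'
    );

    while (my $line = <$fh>) {
        chomp $line;
        if ($line !~ m/icmp: echo request\z/) {
            print "Not found\n";    # For testing that these signature works
            next;
        }
        my @field = split /\s+/, $line;
        next unless @field >= 7;    # guards the join below against short lines
        my ($recordtime, $srcip, $dst) = @field[ 0, 1, 3 ];
        my $dstip = (split /:/, $dst)[0];
        my $alert = join ' ', @field[ 4 .. 6 ];

        $insert->execute(_date_hour(), $recordtime, $srcip, $dstip, $alert);
    }
    return;
}

__END__
-- Thank You Benjamin Jeeves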