Class: Suricata::Surilizer

Inherits:
Object
  • Object
show all
Defined in:
lib/suricata/surilizer.rb

Overview

src-ip][counter
src-ip][dst
src-ip][counter
src-ip][desc][counter

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(file = nil) ⇒ Surilizer 


33
34
35
36
37
38
39
 
# File 'lib/suricata/surilizer.rb', line 33

def initialize(file = nil)

  @logfile = Suricata::Logfile.new(file) if not file.nil?
  @src = Hash.new
  @dst = Hash.new
  @lines = Counter.new
end

Instance Attribute Details

#linesObject (readonly)

Returns the value of attribute lines


31
32
33
 
# File 'lib/suricata/surilizer.rb', line 31

def lines
  @lines
end

#logfileObject

Returns the value of attribute logfile


30
31
32
 
# File 'lib/suricata/surilizer.rb', line 30

def logfile
  @logfile
end

#srcObject (readonly)

Returns the value of attribute src


31
32
33
 
# File 'lib/suricata/surilizer.rb', line 31

def src
  @src
end

Instance Method Details

#analyzeObject 


43
44
45
46
47
48
49
50
51
52
53
54
55
56
 
# File 'lib/suricata/surilizer.rb', line 43

def analyze()
  @logfile.readline_parse do |entry|
    @lines.increase
    addCounter(@src,entry.conn.src)
    addEntry(@src[entry.conn.src],'dst',Hash)
    addCounter(@src[entry.conn.src]['dst'],entry.conn.dst)
    addEntry(@src[entry.conn.src]['dst'][entry.conn.dst],'desc',Hash)
    addCounter(@src[entry.conn.src]['dst'][entry.conn.dst]['desc'],entry.description)
    @src[entry.conn.src]['dst'][entry.conn.dst]['desc'][entry.description]['prio'] = entry.priority
    @src[entry.conn.src]['dst'][entry.conn.dst]['desc'][entry.description]['class'] = entry.classification
  end


end

#getUniqEventsObject 


58
59
60
61
62
63
64
65
66
67
68
69
70
 
# File 'lib/suricata/surilizer.rb', line 58

def getUniqEvents
  a = Array.new
  @src.each do |key,val|
    val['dst'].each do  |keya,vala|
    val['dst'][keya]['desc'].each do  |keyb,valb|
      a.push([keyb,val['dst'][keya]['desc'][keyb]['prio']])
    end

    end
  end

  return a.uniq
end

#resultObject 


72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
 
# File 'lib/suricata/surilizer.rb', line 72

def result
  events = getUniqEvents
  puts "======== Suricata Log Analysis ========"
  puts "Events: #{@lines}"
  puts "Unique Sources: #{@src.length}"
  puts "Unique Events: #{events.length}"
  puts "\n"
  puts "======== Unique Events ========="
  puts "\n"
  puts "PRIORITY\t| DESCRIPTION "
  events.sort{ |x,y| x[1] <=> y[1]}.each do |e|
    puts "#{e[1]}\t\t| #{e[0]}"
  end
  puts "\n"

  puts "======== Eventy by source ========"
  @src.each do |key,val|
    puts "Source: #{key}"
    val['dst'].each do  |keya,vala|
    puts "\t-> #{keya}\n"
    val['dst'][keya]['desc'].each do  |keyb,valb|
      puts "\t\t#{valb['counter'].count} x #{keyb} Prio: #{valb['prio']}\n"
    end

    end
    puts ""
  end

end