Class: Suricata::Surilizer

Inherits:

Object

• Object
• Suricata::Surilizer

Defined in:

lib/suricata/surilizer.rb

Overview

src-ip][counter

src-ip][dst

src-ip][counter

src-ip][desc][counter

Instance Attribute Summary

• #lines ⇒ Object readonly

  Returns the value of attribute lines.

• #logfile ⇒ Object

  Returns the value of attribute logfile.

• #src ⇒ Object readonly

  Returns the value of attribute src.

Instance Method Summary

• #analyze ⇒ Object
• #getUniqEvents ⇒ Object
• #initialize(file = nil) ⇒ Surilizer constructor

  A new instance of Surilizer.

• #result ⇒ Object

Constructor Details

#initialize(file = nil) ⇒ Surilizer

# File 'lib/suricata/surilizer.rb', line 33

def initialize(file = nil)

	@logfile = Suricata::Logfile.new(file) if not file.nil?
	@src = Hash.new
	@dst = Hash.new
	@lines = Counter.new
end

Instance Attribute Details

#lines ⇒ Object (readonly)

Returns the value of attribute lines

# File 'lib/suricata/surilizer.rb', line 31

def lines
  @lines
end

#logfile ⇒ Object

Returns the value of attribute logfile

# File 'lib/suricata/surilizer.rb', line 30

def logfile
  @logfile
end

#src ⇒ Object (readonly)

Returns the value of attribute src

# File 'lib/suricata/surilizer.rb', line 31

def src
  @src
end

Instance Method Details

#analyze ⇒ Object

# File 'lib/suricata/surilizer.rb', line 43

def analyze()
	@logfile.readline_parse do |entry|
		@lines.increase
		addCounter(@src,entry.conn.src)
		addEntry(@src[entry.conn.src],'dst',Hash)
		addCounter(@src[entry.conn.src]['dst'],entry.conn.dst)
		addEntry(@src[entry.conn.src]['dst'][entry.conn.dst],'desc',Hash)
		addCounter(@src[entry.conn.src]['dst'][entry.conn.dst]['desc'],entry.description)
		@src[entry.conn.src]['dst'][entry.conn.dst]['desc'][entry.description]['prio'] = entry.priority
		@src[entry.conn.src]['dst'][entry.conn.dst]['desc'][entry.description]['class'] = entry.classification
	end


end

#getUniqEvents ⇒ Object

# File 'lib/suricata/surilizer.rb', line 58

def getUniqEvents
	a = Array.new
	@src.each do |key,val|
		val['dst'].each do  |keya,vala|
		val['dst'][keya]['desc'].each do  |keyb,valb|
			a.push([keyb,val['dst'][keya]['desc'][keyb]['prio']])
		end

		end
	end

	return a.uniq
end

#result ⇒ Object

# File 'lib/suricata/surilizer.rb', line 72

def result
	events = getUniqEvents
	puts "======== Suricata Log Analysis ========"
	puts "Events: #{@lines}"
	puts "Unique Sources: #{@src.length}"
	puts "Unique Events: #{events.length}"
	puts "\n"
	puts "======== Unique Events ========="
	puts "\n"
	puts "PRIORITY\t| DESCRIPTION "
	events.sort{ |x,y| x[1] <=> y[1]}.each do |e|
		puts "#{e[1]}\t\t| #{e[0]}"
	end
	puts "\n"

	puts "======== Eventy by source ========"
	@src.each do |key,val|
		puts "Source: #{key}"
		val['dst'].each do  |keya,vala|
		puts "\t-> #{keya}\n"
		val['dst'][keya]['desc'].each do  |keyb,valb|
			puts "\t\t#{valb['counter'].count} x #{keyb} Prio: #{valb['prio']}\n"
		end

		end
		puts ""
	end

end