#! /usr/bin/perl -T -w
#-*-Perl-*-
#
# Copyright (c) 2004 Lucio Henrique Franco (lucio@lac.inpe.br) and
# Carlos Henrique Peixoto Caetano Chaves (cae@lac.inpe.br)
#
# All rights reserved.
# Renato Archer Research Center (CenPRA)
# Brazilian National Institute for Space Research (INPE)
# Information System and Network Security Group
# version 0.3 - Thu Apr 15 09:30:31 BRT 2004
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# - Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials
# provided with the distribution.
# - All advertising materials mentioning features or use of this
# software must display the following acknowledgement:
# This product includes software developed by Lucio Henrique
# Franco and Carlos H. P. C. Chaves. CenPRA and INPE aren't
# responsible by use or distribution of this material.
# - Neither the name of the Research Center nor the names of its
# contributors may be used to endorse or promote products
# derived from this software without specific prior written
# permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
##########################################################################
### Modules used by this script
use strict;
use Getopt::Std;
# Basename of this script; it prefixes every diagnostic the program emits.
our $program_name;
($program_name = $0) =~ s{.*/}{};

# The non-core modules are loaded at run time so that a missing one yields
# a readable "please install" message rather than a compile-time failure.
# Loading stops at the first module that cannot be found.
foreach my $required_module (
    qw(Net::Netmask GD GD::Graph::pie GD::Graph::bars GD::Graph::bars3d))
{
    eval "use $required_module; 1"
        or die "$program_name: please install $required_module.";
}
##########################################################################
### Program name, version and options
# Command-line switches: -c FILE (honeydsum.conf), -h (usage), -w (HTML
# report instead of text), -V (version).  getopts() strips the switches
# from @ARGV and leaves the log file names behind.
our %option;
getopts('c:hwV', \%option)
    or die "$program_name: cannot get options.\n";
our $honeydsum_version = '0.3';
##########################################################################
### Some global declarations
# set PATH for this script
# The script runs under taint mode (-T on the shebang line), which refuses
# to exec() anything until the program itself has set $ENV{PATH}.
$ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin';
# unbuffered output
$| = 1;

# Patterns kept as strings and interpolated into the log-line regexes.
our $IP_exp        = '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}';                # dotted-quad IPv4
our $timestamp_exp = '\d{4}\-\d{2}\-\d{2}\-\d{2}\:\d{2}\:\d{2}\.\d{4}';  # YYYY-MM-DD-HH:MM:SS.ffff
our $time          = '\d+:\d+:\d+';                                       # HH:MM:SS
# NOTE(review): the timestamp fraction is fixed at four digits; a line with
# a three-digit fraction (as in one udp sample quoted in the parser) would
# be reported as "unknown format" -- confirm against real honeyd logs.

# Viewers used to read the (possibly compressed) log files, chosen by file
# extension.  Absolute paths: nothing is looked up through PATH.
our ($cat, $zcat, $bzcat) =
    ('/bin/cat', '/usr/bin/zcat', '/usr/local/bin/bzcat');

# honeyd configuration files named in honeydsum.conf
our @honeyd_conf_files;
our $honeyd_conf = 0;          # true once honeyd.conf data is available
our $honeydsum_conf_file;

# HTML report (-w): output file and the directory it is written to
our ($output_html_file, $output_html_dir);

# which ICMP table to show, and the size of the "Top N" tables
# (they list $top_show - 1 entries)
our $proto_show = 0;
our $top_show   = 11;

# address sanitisation: real networks are rewritten to fake ones before
# anything is counted or printed
our (@real_hp_net,   @fake_hp_net,   $real_hp_net_obj,   $fake_hp_net_obj);
our (@real_inst_net, @fake_inst_net, $real_inst_net_obj, $fake_inst_net_obj);

# graph data and settings (per-honeypot hashes, graph configuration);
# $person is used by the graph code that is not in this chunk
our (%graph_hp_a, %graph_hp_b, %graphics);
our $person = 0;
##########################################################################
### Checking arguments
# display version if requested
# -V: print the version.  -h, or no log file left on the command line:
# print the usage.  Both subs are defined further down in the file.
&show_version if defined($option{V});
&show_usage if ($#ARGV == -1 || defined($option{h}));
##########################################################################
### Local variables for Main
### Local variables for Main
my ($file, $viewer, $line);                      # current log, its viewer command, current line
my ($totalpkts, $tcppkts, $udppkts, $icmppkts);  # connection counters
# fields of the log line being parsed
my ($timestamp, $proto, $src_ip, $dst_ip, $resource, $port, $hour, $bytes);
my ($nbr_src_ip, $nbr_dst_ip);                   # the same addresses as 32-bit integers
# filters: destination IPs, source networks, ports, protocols (empty = no filter)
my (@IP_list, @NET_list, @PORT_list, @PROTO_list);
my %stat_hash;       # dst int -> src int -> proto -> resource -> connections
my %src_host_hash;   # source IP -> connections
my %resource_hash;   # "resource/proto" -> connections
my %hour_hash;       # "HH" -> connections
my %icmp_b40_hash;   # source IP -> ICMP packets larger than 40 bytes
my ($cnt, $dez, $uni);
# Print
my $ip_flag;
my $total_connections     = 0;
my @total_resource;
my $total_resource_number = 0;
my $total_ip              = 0;
my $control               = 0;
my $control_hp;
# Graphics information
our (@ip_high, @total_res, @total_ips, @total_con);
# HONEYD_CONF
our %honeyd_conf_conv;
# HTML fragments of the "HONEYPOT'S CONFIGURATION" table written to each
# honeypot page: 'header' opens the table and prints its title and
# column-heading rows, 'foot' closes it.  The per-honeypot rows are looked
# up under a further key ($honeyd_conf_print{$per_tmp} below), presumably
# filled by the honeyd.conf extraction code that is not in this chunk.
our %honeyd_conf_print = (
'header' =>
"<table cellpadding=\"2\" cellspacing=\"1\" border=\"1\" style=\"text-align: left; width: 328px; height: auto;\">
<tbody>
<tr>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51);\" rowspan=\"1\" colspan=\"6\">
<big style=\"color: rgb(255, 255, 102);\">
<span style=\"font-weight: bold;\"><a name=\"honeypots_configuration\"></a>HONEYPOT'S CONFIGURATION</span>
</big>
</td>
</tr>
<tr>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51);\">
<big style=\"color: rgb(255, 255, 102);\">Operating System
</big>
</td>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51);\">
<big style=\"color: rgb(255, 255, 102);\">Default TCP Action
</big>
</td>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51);\">
<big style=\"color: rgb(255, 255, 102);\">Default UDP Action
</big>
</td>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51);\">
<big style=\"color: rgb(255, 255, 102);\">Default ICMP Action
</big>
</td>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51);\">
<big style=\"color: rgb(255, 255, 102);\">Ports
</big>
</td>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51);\">
<big style=\"color: rgb(255, 255, 102);\">IP Address
</big>
</td>
</tr>"
);
# closes the table opened by 'header'
$honeyd_conf_print{'foot'} = ("</tbody></table><hr>");
##########################################################################
### Main
# Honeyd.conf
# honeydsum.conf (-c) is mandatory.  parser_config_file() is defined further
# down; as far as this chunk shows it is what populates the globals declared
# above (output file, filters, sanitisation nets, graph settings).
unless (defined($option{'c'})) {
    warn("$program_name: you must inform honeydsum.conf file.\n");
    exit 1;
}
$honeydsum_conf_file = $option{'c'};
&parser_config_file($honeydsum_conf_file);
# Output as web page
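# Output as web page (-w): open the main report and write its head and the
# navigation table.  HTML_FILE is left open; the report body is written
# further down and the handle is closed there.
if (defined($option{'w'})) {
    # check_filename() (defined further down) validates the name taken from
    # honeydsum.conf and, since the script runs under -T, is what untaints
    # it.  Warn with the *requested* name and stop: the original only warned
    # and carried on with whatever false value came back, so e.g. a "0"
    # would have silently become the report's file name.
    my $requested_html_file = $output_html_file;
    if (!($output_html_file = &check_filename($requested_html_file))) {
        warn("$program_name: "
             . quotemeta(defined($requested_html_file) ? $requested_html_file : '')
             . " invalid file name.\n");
        exit 1;
    }
    # directory part (with its trailing slash) of the report; the auxiliary
    # pages and graphs are written next to it
    if ($output_html_file =~ /^(.*\/).*/) {
        $output_html_dir = $1;
    } else {
        $output_html_dir = "";
    }
    # three-argument open: the configured name can never be read as a mode
    # prefix (">>", ">&") or as a pipe, whatever honeydsum.conf contains
    open(HTML_FILE, '>', $output_html_file)
        || die("$program_name: cannot open file.\n");
    printf(HTML_FILE "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\n");
    printf(HTML_FILE "\"http://www.w3.org/TR/html4/strict.dtd\">\n");
    printf(HTML_FILE "<html>\n");
    printf(HTML_FILE "<head>\n");
    printf(HTML_FILE "<title>HONEYD's CONNECTIONS STATISTICS</title>\n");
    printf(HTML_FILE
        "<meta http-equiv=\"content-type\" content=\"text/html;charset=iso-8859-1\">\n"
    );
    # helper used by the caption pages to open a honeypot page in a new window
    printf(HTML_FILE "<script type=\"text/javascript\">
function AbreInst(theURL,winName,features) {
window.open(theURL,winName,features);
}
</script>\n"
    );
    printf(HTML_FILE "</head>\n");
    printf(HTML_FILE "<body>\n");
    # navigation table: one cell per report section (anchors defined below)
    printf(HTML_FILE
        "<table cellpadding=\"2\" cellspacing=\"1\" border=\"1\" style=\"text-align: left; height: auto; width: 316px;\">
<tbody>
<tr>\n"
    );
    # the configuration section only exists when honeyd.conf data is available
    if ($honeyd_conf) {
        printf(HTML_FILE
            "<td style=\"vertical-align: top; text-align: center; background-color: rgb(204, 204, 204);\">
<span style=\"font-weight: bold;\"><a href=\"#honeypots_configuration\">HONEYPOT'S CONFIGURATION</a>
</span>
<br>
</td>\n"
        );
    }
    # the three "Top N" links show N = $top_show - 1
    printf(HTML_FILE
        " <td style=\"vertical-align: top; text-align: center; background-color: rgb(204, 204, 204);\">
<span style=\"font-weight: bold;\"><a href=\"#honeypots_connections\">HONEYPOT'S CONNECTIONS</a>
</span>
<br>
</td>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(204, 204, 204);\">
<span style=\"font-weight: bold;\"><a href=\"#honeypots\">HONEYPOT'S</a>
</span>
<br>
</td>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(204, 204, 204);\">
<span style=\"font-weight: bold;\"><a href=\"#top_source\">Top %s Source Hosts</a>
</span>
<br>
</td>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(204, 204, 204);\">
<span style=\"font-weight: bold;\"><a href=\"#top_accessed\">Top %s Accessed Resources</a>
</span>
<br>
</td>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(204, 204, 204);\">
<span style=\"font-weight: bold;\"><a href=\"#top_icmp\">Top %s ICMP>40 bytes Senders</a>
</span>
<br>
</td>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(204, 204, 204);\">
<span style=\"font-weight: bold;\"><a href=\"#connections\">Connections per Hour</a>
</span>
<br>
</td>
</tr>
</tbody>
</table><hr>\n", ($top_show - 1), ($top_show - 1),
        ($top_show - 1)
    );
}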
# Treat a literal "-" (stdin) as a log file.
# NOTE(review): getopts('c:hwV') above never produces a "-" key, so this
# line is never taken as written; as far as Getopt::Std's parsing goes, a
# lone "-" is left in @ARGV anyway.
push(@ARGV, "-") if defined($option{'-'});
# Erase hour hash
# Pre-seed the per-hour counter with every hour "00".."23", so that hours
# without connections still appear (as 0) in the "Connections per Hour"
# table, which lists every key of %hour_hash.
foreach my $hour_of_day (0 .. 23) {
    $hour_hash{ sprintf("%02d", $hour_of_day) } = 0;
}
######################################
# Parser
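######################################
# Parser
#
# Every remaining command-line argument is a honeyd log.  Each file is read
# through an external viewer chosen by its extension (bzcat / zcat / cat)
# running in a forked child, and every line is matched against the three
# record formats honeyd writes (tcp, udp, icmp -- samples below).  Lines
# that pass the filters from honeydsum.conf are accounted in the global
# counters and hashes the report sections below read.
$totalpkts = 0;
$tcppkts   = 0;
$udppkts   = 0;
$icmppkts  = 0;

# Account one parsed connection (shared by the tcp, udp and icmp branches,
# which used to carry three copies of this code).
#   $ts, $prot, $raw_src, $raw_dst, $res: the captures of the log line.
# Sets the file-level $timestamp, $proto, $src_ip, $dst_ip and $resource
# (source/destination after the sanitisation nets from honeydsum.conf, if
# any are configured, have been applied), then applies the destination-IP,
# source-network, port and protocol filters -- an empty filter list means
# no restriction.  When the connection passes, $nbr_src_ip / $nbr_dst_ip
# (the addresses as 32-bit integers, used as hash keys and by the code
# after the loop), $totalpkts, %stat_hash, %src_host_hash, %resource_hash
# and %hour_hash are updated and 1 is returned; otherwise nothing is
# counted and 0 is returned.
sub _account_connection {
    my ($ts, $prot, $raw_src, $raw_dst, $res) = @_;
    $timestamp = $ts;
    $proto     = $prot;
    $src_ip = ($#real_inst_net != -1)
        ? &sanitize_ip($raw_src, \@real_inst_net, \@fake_inst_net)
        : $raw_src;
    $dst_ip = ($#real_hp_net != -1)
        ? &sanitize_ip($raw_dst, \@real_hp_net, \@fake_hp_net)
        : $raw_dst;
    $resource = $res;
    return 0
        unless (($#IP_list == -1) || &check_list($dst_ip, @IP_list))
        && (($#NET_list == -1) || &check_net_list($src_ip))
        && (($#PORT_list == -1) || &check_list($resource, @PORT_list))
        && (($#PROTO_list == -1) || &check_list($proto, @PROTO_list));
    $totalpkts++;
    $nbr_src_ip = unpack "N", pack "C4", split /\./, $src_ip;
    $nbr_dst_ip = unpack "N", pack "C4", split /\./, $dst_ip;
    # "++" on a missing hash entry creates it as 1 without a warning, so
    # the explicit initialisations to 0 of the original are not needed
    $stat_hash{$nbr_dst_ip}{$nbr_src_ip}{$proto}{$resource}++;
    $src_host_hash{$src_ip}++;
    $resource_hash{ $resource . "/" . $proto }++;
    # hour of the day, from the YYYY-MM-DD-HH:MM:SS... timestamp
    if ($timestamp =~ /^\d{4}\-\d{2}\-\d{2}\-(\d{2})\:.*$/) {
        $hour = $1;
        $hour_hash{$hour}++;
    }
    return 1;
}

foreach my $arg (@ARGV) {
    # check_filename() (defined further down) validates the name and, as
    # the script runs under -T, is what untaints it; exec() below would
    # refuse a tainted argument
    if (!($file = &check_filename($arg))) {
        $file = quotemeta($arg);
        warn("$program_name: $file invalid file name.\n");
        next;
    }
    # viewer by extension; all three are absolute paths
    if ($file =~ /\.bz2$/) {
        $viewer = $bzcat;
    } elsif ($file =~ /\.gz$/) {
        $viewer = $zcat;
    } else {
        $viewer = $cat;
    }
    my @viewer_args = ($file);
    # fork, with the child's stdout connected to CHILD_TO_READ1
    my $pid = open(CHILD_TO_READ1, "-|");
    if (!defined($pid)) {
        # fork failed.  The former test was "!$pid", which is also true
        # for undef, so on fork failure the *parent* took the child branch
        # and exec()ed the viewer over honeydsum itself.
        die("$program_name: $viewer: cannot fork: $!\n");
    }
    if ($pid == 0) {
        # child: list-form exec, the file name never goes through a shell
        exec($viewer, @viewer_args)
            || die("$program_name: $viewer: cannot exec: $!\n");
        # never reached
    }
    # parent
    while ($line = <CHILD_TO_READ1>) {
        chomp($line);
        ###
        #2003-12-16-16:50:29.0837 tcp(6) - xxx.xxx.xxx.xxx 37604 yyy.yyy.yyy.yyy 23: 60 S
        #2003-12-16-16:50:29.0863 tcp(6) - xxx.xxx.xxx.xxx 37608 yyy.yyy.yyy.yyy 23: 60 S [Linux 2.6 ]
        #2003-12-16-16:50:32.0824 tcp(6) S xxx.xxx.xxx.xxx 37614 yyy.yyy.yyy.yyy 23 [Linux 2.6 ]
        #2003-12-16-16:50:33.0388 tcp(6) E xxx.xxx.xxx.xxx 37614 yyy.yyy.yyy.yyy 23: 0 0
        #2003-12-16-16:50:41.0267 tcp(6) S xxx.xxx.xxx.xxx 1938 yyy.yyy.yyy.yyy 8080 [Windows 2000 SP4]
        #2003-12-16-16:50:42.0484 tcp(6) E xxx.xxx.xxx.xxx 1940 yyy.yyy.yyy.yyy 6588: 151 0
        ###
        if ($line =~
            /^($timestamp_exp)\s+(tcp)\(6\)\s+([SE\-])\s($IP_exp)\s+\d{1,5}\s+($IP_exp)\s+(\d{1,5}).*/
            )
        {
            # $1 timestamp, $2 "tcp", $3 state, $4 source IP, $5 honeypot IP,
            # $6 destination port.  The state class used to be [S|\-|E],
            # which also admitted "|", and the port group carried a stray
            # "+" quantifier.  "E" (end) records are not counted, only the
            # "S" and "-" ones.
            next if $3 eq "E";
            $tcppkts++ if _account_connection($1, $2, $4, $5, $6);
        } elsif ($line =~
            /^($timestamp_exp)\s+(udp)\(17\)\s+([SE\-])\s+($IP_exp)\s+\d{1,5}\s+($IP_exp)\s+(\d{1,5}).*/
            )
        {
            ###
            #2003-10-03-21:46:40.0864 udp(17) - xxx.xxx.xxx.xxx 138 yyy.yyy.yyy.yyy 138: 229
            #2003-12-17-19:41:19.002 udp(17) S xxx.xxx.xxx.xxx 53 yyy.yyy.yyy.yyy 53
            #2003-12-17-19:42:19.017 udp(17) E xxx.xxx.xxx.xxx 53 yyy.yyy.yyy.yyy 53: 18 0
            ###
            # same capture layout as the tcp branch
            next if $3 eq "E";
            $udppkts++ if _account_connection($1, $2, $4, $5, $6);
        } elsif ($line =~
            /^($timestamp_exp)\s+(icmp)\(1\)\s+\-\s+($IP_exp)\s+($IP_exp)\:\s+(\d{1,2})\(\d{1,2}\)\:\s+(\d+)/
            )
        {
            ###
            #2003-09-13-00:00:15.0775 icmp(1) - xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy: 8(0): 92
            ###
            # $3 source IP, $4 honeypot IP, $5 first number of the "8(0)"
            # pair (presumably the ICMP type) used as the resource, $6 size
            # in bytes
            $bytes = $6;
            if (_account_connection($1, $2, $3, $4, $5)) {
                $icmppkts++;
                # senders of ICMP packets larger than 40 bytes get their
                # own "Top N" table; $src_ip is the sanitised address
                $icmp_b40_hash{$src_ip}++ if $bytes > 40;
            }
        } else {
            warn("$program_name: unknown format: $line \n");
        }
    } #end while
    close(CHILD_TO_READ1) || warn("$program_name: $viewer: exited $?\n");
} #end foreach ARGV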
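# Sanity check.  $nbr_dst_ip still holds the destination of the last
# connection that was counted, so it is undefined when no log line passed
# parsing and filtering.  Test that explicitly instead of indexing
# %stat_hash with undef (which only produced an "uninitialized value"
# warning under -w before exiting).
my %src_ip_hash;
if (defined($nbr_dst_ip) && defined($stat_hash{$nbr_dst_ip})) {
    %src_ip_hash = %{ $stat_hash{$nbr_dst_ip} };
} else {
    warn("$program_name: element not found!!!\n");
    # the HTML report was already opened above; close it before leaving
    if (defined($option{'w'})) {
        close(HTML_FILE);
    }
    exit 1;
}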
# With honeyd configuration files listed in honeydsum.conf, extract each
# honeypot's configuration (ext_honeyd_conf() is defined further down) for
# the "HONEYPOT'S CONFIGURATION" table of the HTML report.  A named loop
# variable is used on purpose: a "$_" alias could be clobbered by I/O
# inside the callee.
if ($honeyd_conf) {
    foreach my $conf_file (@honeyd_conf_files) {
        &ext_honeyd_conf($conf_file);
    }
}
if (!defined($option{'w'})) { # OUTPUT - TEXT
# ---- Text report (default, without -w) ----
# 1. global connection counter
printf("\n--------------------------------------\n");
printf("Connection Counter\n");
printf("--------------------------------------\n");
printf("Total: %10d\n", $totalpkts);
printf(" TCP: %10d\n", $tcppkts);
printf(" UDP: %10d\n", $udppkts);
printf(" ICMP: %10d\n", $icmppkts);
printf("--------------------------------------\n\n");
# 2. one section per honeypot (destination IP, in numeric order): every
#    source IP with the resources (port/proto) it reached and the number
#    of connections, then per-honeypot totals
my $nbr_dst_ip_txt;
my $dst_ip_txt;
my $nbr_src_ip_txt;
my $src_ip_txt;
my $proto_txt;
my $resource_txt;
foreach $nbr_dst_ip_txt (sort { $a <=> $b } keys %stat_hash) {
my %src_ip_hash_txt = %{ $stat_hash{$nbr_dst_ip_txt} };
my $ip_flag_txt;
my ($total_connections_txt) = 0;
my (@total_resource_txt) = ();
my ($total_resource_number_txt) = 0;
my ($total_ip_txt) = 0;
# keys are the 32-bit integer form built by the parser; back to dotted quad
$dst_ip_txt = join ".", unpack "C4", pack "N", $nbr_dst_ip_txt;
printf("--------------------------------------\n");
printf("Honeypot: %s\n", $dst_ip_txt);
printf("--------------------------------------\n");
printf("%-15s %9s %12s\n", "Source IP", "Resource", "Connections");
foreach $nbr_src_ip_txt (sort { $a <=> $b } keys %src_ip_hash_txt) {
# the source IP is printed on its first row only; later rows get a blank
$ip_flag_txt = 0;
my %proto_hash_txt = %{ $src_ip_hash_txt{$nbr_src_ip_txt} };
$src_ip_txt = join ".", unpack "C4", pack "N", $nbr_src_ip_txt;
foreach $proto_txt (keys %proto_hash_txt) {
my %resource_hash_txt = %{ $proto_hash_txt{$proto_txt} };
foreach $resource_txt (sort { $a <=> $b } keys %resource_hash_txt) {
$total_connections_txt =
$total_connections_txt + $resource_hash_txt{$resource_txt};
push(@total_resource_txt, $resource_txt);
if ($ip_flag_txt == 0) {
printf("%-15s %5s/%-5s %5d\n",
$src_ip_txt, $resource_txt, $proto_txt,
$resource_hash_txt{$resource_txt});
$ip_flag_txt = 1;
$total_ip_txt++;
} else {
printf("%-15s %5s/%-5s %5d\n",
" ", $resource_txt, $proto_txt,
$resource_hash_txt{$resource_txt});
}
}
}
}
# number of distinct resources seen on this honeypot (across all sources)
my (%seen_txt) = ();
my ($item_txt) = ();
foreach $item_txt (@total_resource_txt) {
$total_resource_number_txt++ unless $seen_txt{$item_txt}++;
}
printf("--------------------------------------\n");
printf("%-15s %9s %12s\n", "IPs", "Resources", "Connections");
printf("%-15s %9s %8s\n",
$total_ip_txt, $total_resource_number_txt, $total_connections_txt);
printf("--------------------------------------\n");
}
# 3. "Top N" tables, N = $top_show - 1 (the loops stop when $cnt reaches
#    $top_show), sorted by descending connection count
printf("\n\nTop %s Source Hosts\n\n", ($top_show - 1));
printf("%-4s %-15s %9s\n", "Rank", "Source IP", "Connections");
$cnt = 1;
foreach $src_ip (
sort { $src_host_hash{$b} <=> $src_host_hash{$a} }
keys %src_host_hash
)
{
printf("%-4d %-15s %8d\n", $cnt, $src_ip, $src_host_hash{$src_ip});
$cnt++;
if ($cnt == $top_show) {
last;
}
}
printf("\n\nTop %s Accessed Resources\n\n", ($top_show - 1));
printf("%-4s %-11s %9s\n", "Rank", "Resource", "Connections");
$cnt = 1;
foreach $port (
sort { $resource_hash{$b} <=> $resource_hash{$a} }
keys %resource_hash
)
{
printf("%-4d %-11s %8d\n", $cnt, $port, $resource_hash{$port});
$cnt++;
if ($cnt == $top_show) {
last;
}
}
# the ICMP table depends on $proto_show; what 0, 5 and 6 stand for is
# decided by the configuration parser, which is not in this chunk
if ($proto_show == 0 || $proto_show == 5 || $proto_show == 6) {
printf("\n\nTop %s ICMP > 40 bytes Senders\n\n", ($top_show - 1));
printf("%-4s %-15s %9s\n", "Rank", "Source IP", "Connections");
$cnt = 1;
foreach $src_ip (
sort { $icmp_b40_hash{$b} <=> $icmp_b40_hash{$a} }
keys %icmp_b40_hash
)
{
printf("%-4d %-15s %8d\n", $cnt, $src_ip, $icmp_b40_hash{$src_ip});
$cnt++;
if ($cnt == $top_show) {
last;
}
}
}
# 4. connections per hour; %hour_hash was pre-seeded with "00".."23", so
#    every hour is listed even with no connections
printf("\n\nConnections per Hour\n\n");
printf("%-5s %9s\n", "Hour", "Connections");
foreach $hour (sort { $a cmp $b } keys %hour_hash) {
printf("%s:00 %8d\n", $hour, $hour_hash{$hour});
}
} else { # OUTPUT - HTML
printf(HTML_FILE
"<table style=\"text-align: left; height: 262px; width: 652px;\" border=\"0\" cellspacing=\"3\" cellpadding=\"3\">
<tbody>
<tr>
<td style=\"text-align: center; vertical-align: middle;\">\n"
);
printf(HTML_FILE
"<table cellpadding=\"2\" cellspacing=\"1\" border=\"1\" style=\"text-align: left; height: auto; width: 272px;\">
<tbody>
<tr>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51);\" rowspan=\"1\" colspan=\"2\">
<big style=\"color: rgb(255, 255, 102);\">
<span style=\"font-weight: bold;\"><a name=\"honeypots_connections\"></a>HONEYPOT'S CONNECTIONS
</span>
</big>
<br>
</td>
</tr>
<tr>
<td style=\"vertical-align: top; background-color: rgb(153, 153, 153);\" rowspan=\"1\" colspan=\"2\">
<span style=\"font-weight: bold;\">Connection Counter
</span>
<br>
</td>
</tr>\n"
);
printf(HTML_FILE " <tr>
<td style=\"vertical-align: top; color: rgb(0, 0, 0);\">
<span style=\"font-weight: bold; color: rgb(204, 0, 0);\">Total
</span>
<br>
</td>
<td style=\"vertical-align: top; text-align: right; color: rgb(0, 0, 0);\">
<span style=\"font-weight: bold; color: rgb(204, 0, 0);\">%d
</span>
<br>
</td>
</tr>
<tr>
<td style=\"vertical-align: top; color: rgb(0, 0, 0);\">
<span style=\"font-weight: bold; color: rgb(51, 51, 255);\">TCP
</span>
<br>
</td>
<td style=\"vertical-align: top; text-align: right; color: rgb(0, 0, 0);\">
<span style=\"font-weight: bold; color: rgb(51, 51, 255);\">%d
</span>
<br>
</td>
</tr>
<tr>
<td style=\"vertical-align: top; color: rgb(0, 0, 0);\">
<span style=\"font-weight: bold; color: rgb(0, 153, 0);\">UDP
</span>
<br>
</td>
<td style=\"vertical-align: top; text-align: right; color: rgb(0, 0, 0);\">
<span style=\"font-weight: bold; color: rgb(0, 153, 0);\">%d
</span>
<br>
</td>
</tr>
<tr>
<td style=\"vertical-align: top;\">
<span style=\"font-weight: bold;\">ICMP
</span>
<br>
</td>
<td style=\"vertical-align: top; text-align: right;\">
<span style=\"font-weight: bold;\">%d
</span>
<br>
</td>
</tr>
</tbody>
</table>\n", $totalpkts, $tcppkts, $udppkts, $icmppkts
);
my @graph_src = ($tcppkts, $udppkts, $icmppkts);
if ($graphics{'total'}->{'show'}) {
&pie_total_graph("total", @graph_src);
}
# Honeypots' Caption
open(HONEYPOT_CAPTION, ">" . $output_html_dir . "caption.html")
|| die("$program_name: cannot open file\n");
printf(HONEYPOT_CAPTION
"<\!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">
<html>
<head>
<meta http-equiv=\"content-type\"
content=\"text/html; charset=ISO-8859-15\">
<title>Caption</title>\n"
);
printf(HONEYPOT_CAPTION "<script type=\"text/javascript\">
function AbreInst(theURL,winName,features) {
window.open(theURL,winName,features);
}
</script>\n"
);
printf(HONEYPOT_CAPTION "
</head>
<body>
<big><big style=\"font-weight: bold; color: rgb(204, 0, 0);\"></big></big>
<table cellpadding=\"2\" cellspacing=\"1\" border=\"1\" style=\"text-align: left; width: 210px; height: auto;\">
<tbody>
<tr>
<td
style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51);\"
rowspan=\"1\" colspan=\"2\"> <big style=\"color: rgb(255, 255, 102);\"> <span style=\"font-weight: bold;\">HONEYPOT'S CAPTION </span> </big> <br style=\"color: rgb(0, 0, 0);\">
</td>
</tr>
<tr>
<td style=\"vertical-align: top; color: rgb(0, 0, 0); text-align: center; background-color: rgb(153, 153, 153);\">
<span style=\"font-weight: bold; color: rgb(0, 0, 0);\">Honeypot</span><br>
</td>
<td style=\"vertical-align: top; color: rgb(0, 0, 0); text-align: center; background-color: rgb(153, 153, 153);\">
<span style=\"font-weight: bold; color: rgb(0, 0, 0);\">IP</span><br>
</td>
</tr>\n"
);
# show graphics
if ($graphics{'total'}->{'show'}) {
printf(HTML_FILE "</td>
<td style=\"text-align: center; vertical-align: middle;\"><img src=\"total.png\" title=\"%s\" alt=\"\" style=\"width: 282px; height: auto;\"></td>\n",
$graphics{'total'}->{'title'}
);
}
printf(HTML_FILE " </tr> </tbody> </table> <hr>\n");
printf(HTML_FILE
"<table style=\"text-align: left; width: 717px; height: 369px;\" border=\"0\"
cellspacing=\"3\" cellpadding=\"3\">
<tbody>
<tr>
<td style=\"text-align: center; vertical-align: top;\">\n"
);
printf(HTML_FILE
"<table cellpadding=\"2\" cellspacing=\"1\" border=\"1\" style=\"text-align: left; width: 135px; height: auto;\">
<tbody>
<tr>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51);\" rowspan=\"1\" colspan=\"2\">
<big style=\"color: rgb(255, 255, 102);\">
<span style=\"font-weight: bold;\"><a name=\"honeypots\"></a>HONEYPOT'S</span>
</big>
<br>
</td>
</tr>\n"
);
my $counter = 1;
$control = 0;
foreach $nbr_dst_ip (sort { $a <=> $b } keys %stat_hash) {
my %src_ip_hash = %{ $stat_hash{$nbr_dst_ip} };
my $ip_flag;
$dst_ip = join ".", unpack "C4", pack "N", $nbr_dst_ip;
open(SRC_CAPTION, ">" . $output_html_dir . "caption_" . $dst_ip . ".html")
|| die("$program_name: cannot open file\n");
printf(SRC_CAPTION
"<\!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">
<html>
<head>
<meta http-equiv=\"content-type\"
content=\"text/html; charset=ISO-8859-15\">
<title>Caption</title>
</head>
<body>
<big><big style=\"font-weight: bold; color: rgb(204, 0, 0);\"></big></big>
<table cellpadding=\"2\" cellspacing=\"1\" border=\"1\" style=\"text-align: left; width: 188px; height: auto;\">
<tbody>
<tr>
<td
style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51);\"
rowspan=\"1\" colspan=\"2\"> <big style=\"color: rgb(255, 255, 102);\"> <span style=\"font-weight: bold;\">HONEYPOT'S CAPTION (%s)</span> </big> <br style=\"color: rgb(0, 0, 0);\">
</td>
</tr>
<tr>
<td style=\"vertical-align: top; color: rgb(0, 0, 0); text-align: center; background-color: rgb(192, 192, 192);\">
<span style=\"font-weight: bold; color: rgb(0, 0, 0);\">Honeypot</span><br>
</td>
<td style=\"vertical-align: top; color: rgb(0, 0, 0); text-align: center; background-color: rgb(192, 192, 192);\">
<span style=\"font-weight: bold; color: rgb(0, 0, 0);\">IP</span><br>
</td>
</tr>\n", $dst_ip
);
if ($control) {
printf(HTML_FILE "<tr>
<td style=\"background-color: rgb(192, 192, 192); font-weight: bold; text-align: left; vertical-align: middle;\">%d<br></td>
<td class=\"square\" style=\"background-color: rgb(192, 192, 192); text-align: left; vertical-align: middle;\"> <a href=\"./%s.html\">%s </a> </td> </tr>\n",
$counter, $dst_ip, $dst_ip
);
printf(HONEYPOT_CAPTION
"<tr> <td style=\"vertical-align: top; background-color: rgb(153, 153, 153);\"> <span style=\"font-weight: bold;\">%d</span><br></td> <td style=\"vertical-align: top; text-align: left; background-color: rgb(153, 153, 153);\"> <big style=\"font-weight: bold;\"><small><a href=\'#\' onClick=\"AbreInst(\'%s.html\',\'\',\'\')\">%s </a></small> <span style=\"color: rgb(0, 153, 0);\"></span></big><br> </td> </tr>\n",
$counter, $dst_ip, $dst_ip);
$control = 0;
} else {
printf(HTML_FILE "<tr>
<td style=\"font-weight: bold; text-align: left; vertical-align: middle;\">%d<br>
</td>
<td class=\"square\" style=\"text-align: left; vertical-align: middle;\">
<a href=\"./%s.html\">%s </a> </td>
</tr>\n", $counter, $dst_ip, $dst_ip
);
printf(HONEYPOT_CAPTION
"<tr> <td style=\"vertical-align: top; color: rgb(0, 0, 0);\"> <span style=\"font-weight: bold;\">%d</span><br> </td> <td style=\"vertical-align: top; color: rgb(0, 0, 0); text-align: left;\"> <big style=\"font-weight: bold;\"><small><a href=\'#\' onClick=\"AbreInst(\'%s.html\',\'\',\'\')\">%s </a></small> <span style=\"color: rgb(0, 153, 0);\"></span></big><br> </td> </tr>\n",
$counter, $dst_ip, $dst_ip);
$control = 1;
}
$counter++;
# Honeypot IP page
open(HONEYPOT_HTML, ">" . $output_html_dir . $dst_ip . ".html")
|| die("$program_name: cannot open file\n");
printf(HONEYPOT_HTML
"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\n");
printf(HONEYPOT_HTML "\"http://www.w3.org/TR/html4/strict.dtd\">\n");
printf(HONEYPOT_HTML "<html>\n");
printf(HONEYPOT_HTML "<head>\n");
printf(HONEYPOT_HTML "<script type=\"text/javascript\">
function AbreInst(theURL,winName,features) {
window.open(theURL,winName,features);
}
</script>\n"
);
printf(HONEYPOT_HTML "<title>HONEYPOT: %s</title>\n", $dst_ip);
printf(HONEYPOT_HTML
"<meta http-equiv=\"content-type\" content=\"text/html;charset=iso-8859-1\">\n"
);
printf(HONEYPOT_HTML "</head>\n");
printf(HONEYPOT_HTML "<body>\n");
###################CONFIG######################
#
#
if ($honeyd_conf) {
my $per_tmp;
if (defined($honeyd_conf_conv{$dst_ip})) {
printf(HONEYPOT_HTML $honeyd_conf_print{'header'} . "\n");
$per_tmp = $honeyd_conf_conv{$dst_ip};
printf(HONEYPOT_HTML $honeyd_conf_print{$per_tmp} . "\n");
} else {
printf(HONEYPOT_HTML
"<table cellpadding=\"2\" cellspacing=\"1\" border=\"1\" style=\"text-align: left; width: 320px; height: auto;\">
<tbody>
<tr>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51);\" rowspan=\"1\" colspan=\"1\"> <big style=\"color: rgb(255, 255, 102);\">
<span style=\"font-weight: bold;\"><a name=\"honeypots_configuration\"></a>HONEYPOT'S CONFIGURATION<br>
</span> </big> </td>
</tr>
<tr style=\"color: rgb(0, 0, 0);\">
<td style=\"text-align: center; vertical-align: middle; background-color: rgb(192, 192, 192);\"
rowspan=\"1\" colspan=\"1\"><big><span style=\"font-weight: bold;\">IP NOT CONFIGURED</span></big></td>
</tr>\n"
);
}
printf(HONEYPOT_HTML $honeyd_conf_print{'foot'} . "\n");
}
printf(HONEYPOT_HTML
"<table cellpadding=\"2\" cellspacing=\"1\" border=\"1\" style=\"text-align: left; width: 135px; height: auto;\"> <tbody> <tr> <td style=\"text-align: center; vertical-align: top;\">\n"
);
printf(HONEYPOT_HTML
"<table cellpadding=\"2\" cellspacing=\"1\" border=\"1\" style=\"text-align: left; width: 135px; height: 100px;\">
<tbody>
<tr>
<td style=\"background-color: rgb(51, 51, 51); text-align: center; vertical-align: middle;\" rowspan=\"1\" colspan=\"4\">
<big style=\"color: rgb(255, 255, 102);\">
<span style=\"font-weight: bold;\">HONEYPOT: %s</span> </big> <br>
</td>
</tr>
<tr>
<td style=\"background-color: rgb(192, 192, 192); text-align: left; vertical-align: middle;\">
<span style=\"font-weight: bold;\">Order</span><br>
</td>
<td class=\"square\" style=\"background-color: rgb(192, 192, 192);\">
<span style=\"font-weight: bold;\">Source IP</span> </td>
<td class=\"square\" style=\"background-color: rgb(192, 192, 192);\">
<span style=\"font-weight: bold;\">Resource</span>
</td>
<td class=\"square\" style=\"background-color: rgb(192, 192, 192); text-align: right;\">
<span style=\"font-weight: bold;\">Connections</span>
</td>
</tr>\n", $dst_ip
);
%graph_hp_a = ();
%graph_hp_b = ();
$control_hp = 1;
$total_ip = 0;
$total_connections = 0;
@total_resource = ();
my $control_hp_caption = 1;
my $counter_src_caption = 1;
foreach $nbr_src_ip (sort { $a <=> $b } keys %src_ip_hash) {
$ip_flag = 0;
my %proto_hash = %{ $src_ip_hash{$nbr_src_ip} };
$src_ip = join ".", unpack "C4", pack "N", $nbr_src_ip;
foreach $proto (keys %proto_hash) {
my %resource_hash = %{ $proto_hash{$proto} };
foreach $resource (sort { $a <=> $b } keys %resource_hash) {
if ($ip_flag == 0) {
if ($control_hp_caption) {
printf(SRC_CAPTION
"<tr> <td style=\"vertical-align: top;\"> <span style=\"font-weight: bold;\">%d</span><br></td> <td style=\"vertical-align: top; text-align: left;\"> <big style=\"font-weight: bold;\"><small>%s </small> <span style=\"color: rgb(0, 153, 0);\"></span></big><br></td></tr>\n",
$counter_src_caption, $src_ip);
$control_hp_caption = 0;
} else {
printf(SRC_CAPTION
"<tr> <td style=\"vertical-align: top; background-color: rgb(192, 192, 192);\"> <span style=\"font-weight: bold;\">%d</span><br></td> <td style=\"vertical-align: top; text-align: left; background-color: rgb(192, 192, 192);\"> <big style=\"font-weight: bold;\"><small>%s </small> <span style=\"color: rgb(0, 153, 0);\"></span></big><br> </td> </tr>\n",
$counter_src_caption, $src_ip);
$control_hp_caption = 1;
}
$counter_src_caption++;
}
printf(HONEYPOT_HTML "<tr>\n");
$total_connections =
$total_connections + $resource_hash{$resource};
push(@total_resource, $resource);
if (!exists $graph_hp_a{$resource}) {
$graph_hp_a{$resource} = $resource_hash{$resource};
} else {
$graph_hp_a{$resource} = $graph_hp_a{$resource} + $resource_hash{$resource};
}
if (!exists $graph_hp_b{$nbr_src_ip}) {
$graph_hp_b{$nbr_src_ip} = { $resource => $resource_hash{$resource} };
} else {
if (!exists $graph_hp_b{$nbr_src_ip}->{$resource}) {
$graph_hp_b{$nbr_src_ip}->{$resource} = $resource_hash{$resource};
} else {
$graph_hp_b{$nbr_src_ip}->{$resource} =
($graph_hp_b{$nbr_src_ip}->{$resource} +
$resource_hash{$resource});
}
}
if ($ip_flag == 0) {
if ($control_hp) {
printf(HONEYPOT_HTML
"<td>%d</td><td>%s</td><td align=right>%s/%s</td><td align=right>%d</td>\n",
($counter_src_caption - 1),
$src_ip, $resource, $proto, $resource_hash{$resource}
);
$control_hp = 0;
} else {
printf(HONEYPOT_HTML
"<td style=\"background-color: rgb(192, 192, 192);\">%d</td><td style=\"background-color: rgb(192, 192, 192);\">%s</td><td align=\"right\" style=\"background-color: rgb(192, 192, 192);\">%s/%s</td><td align=\"right\" style=\"background-color: rgb(192, 192, 192);\">%d</td>\n",
($counter_src_caption - 1),
$src_ip, $resource, $proto, $resource_hash{$resource}
);
$control_hp = 1;
}
$total_ip++;
$ip_flag = 1;
} else {
if ($control_hp) {
printf(HONEYPOT_HTML
"<td>-</td><td></td><td align=right>%s/%s</td><td align=right>%d</td>\n",
$resource, $proto, $resource_hash{$resource});
$control_hp = 0;
} else {
printf(HONEYPOT_HTML
"<td style=\"background-color: rgb(192, 192, 192);\">-</td><td style=\"background-color: rgb(192, 192, 192);\"></td><td align=\"right\" style=\"background-color: rgb(192, 192, 192);\">%s/%s</td><td align=\"right\" style=\"background-color: rgb(192, 192, 192);\">%d</td>\n",
$resource, $proto, $resource_hash{$resource});
$control_hp = 1;
}
}
printf(HONEYPOT_HTML "</tr>\n");
}
}
}
# creating hp graphics
if ($graphics{'ip_b'}->{'show'}) {
&hp_source_ip_graph($dst_ip, \%graph_hp_b);
}
# creating hp graphics
if ($graphics{'ip_a'}->{'show'}) {
&hp_resources_graph($dst_ip, \%graph_hp_a);
}
my (%seen) = ();
my ($item) = ();
foreach $item (@total_resource) {
$total_resource_number++ unless $seen{$item}++;
}
printf(HONEYPOT_HTML "<tr>\n");
printf(HONEYPOT_HTML
"<td style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51);\">
</td>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51);\">
<big style=\"color: rgb(255, 255, 102);\">
<span style=\"font-weight: bold;\">IPs</span>
</big>
<br>
</td>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51);\">
<big style=\"color: rgb(255, 255, 102);\">
<span style=\"font-weight: bold;\">Resources</span>
</big>
<br>
</td>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51);\">
<big style=\"color: rgb(255, 255, 102);\">
<span style=\"font-weight: bold;\">Connections</span>
</big>
<br>
</td>
</tr>\n"
);
printf(HONEYPOT_HTML
"<tr><td align=\"center\" style=\"background-color: rgb(192, 192, 192);\"></td>"
);
printf(HONEYPOT_HTML
"<td align=\"center\" style=\"background-color: rgb(192, 192, 192);\"><span style=\"font-weight: bold;\">%d</span></td>",
$total_ip
);
printf(HONEYPOT_HTML
"<td align=\"center\" style=\"background-color: rgb(192, 192, 192);\"><span style=\"font-weight: bold;\">%d</span></td>",
$total_resource_number
);
printf(HONEYPOT_HTML
"<td align=\"center\" style=\"background-color: rgb(192, 192, 192);\"><span style=\"font-weight: bold;\">%d</span></td>",
$total_connections
);
printf(HONEYPOT_HTML "</tr>\n");
push(@ip_high, $dst_ip);
push(@total_res, $total_resource_number);
push(@total_ips, $total_ip);
push(@total_con, $total_connections);
$total_resource_number = 0;
$total_ip = 0;
$total_connections = 0;
printf(HONEYPOT_HTML "</tbody>\n");
printf(HONEYPOT_HTML "</table>\n");
if ($graphics{'ip_a'}->{'show'} && $graphics{'ip_b'}->{'show'}) {
printf(HONEYPOT_HTML "</td>
<td style=\"text-align: center; vertical-align: top;\"><img src=\"%s_a.png\" title=\"%s\" alt=\"\" style=\"width: 400px; height: 350px;\"><br>\n",
$dst_ip, $graphics{'ip_a'}->{'title'}
);
printf(HONEYPOT_HTML
"<br><hr><img src=\"%s_b.png\" title=\"%s\" alt=\"\" style=\"width: 480px; height: 300px;\">\n",
$dst_ip, $graphics{'ip_b'}->{'title'});
printf(HONEYPOT_HTML "<a href=\'#\' onClick=\"AbreInst(\'caption_"
. $dst_ip
. ".html\',\'\',\'location=no, toolbar=no,directories=no,menubar=no,resizable=no,status=no,scrollbars=yes,width=250,height=800\')\">CAPTION</a><br>\n"
);
} elsif ($graphics{'ip_a'}->{'show'} && !$graphics{'ip_b'}->{'show'}) {
printf(HONEYPOT_HTML "</td>
<td style=\"text-align: center; vertical-align: top;\"><img src=\"%s_a.png\" title=\"%s\" alt=\"\" style=\"width: 400px; height: 350px;\"><br><br>\n",
$dst_ip, $graphics{'ip_a'}->{'title'}
);
} elsif (!$graphics{'ip_a'}->{'show'} && $graphics{'ip_b'}->{'show'}) {
printf(HONEYPOT_HTML "</td>
<td style=\"text-align: center; vertical-align: top;\"><img src=\"%s_b.png\" title=\"%s\" alt=\"\" style=\"width: 450px; height: 300px;\"><br>\n",
$dst_ip, $graphics{'ip_b'}->{'title'}
);
printf(HONEYPOT_HTML "<a href=\'#\' onClick=\"AbreInst(\'caption_"
. $dst_ip
. ".html\',\'\',\'location=no, toolbar=no,directories=no,menubar=no,resizable=no,status=no,scrollbars=yes,width=250,height=800\')\">CAPTION</a><br>\n"
);
}
printf(HONEYPOT_HTML "</td></tr></tbody></table></body></html>\n");
close(HONEYPOT_HTML);
printf(SRC_CAPTION "</tbody> </table> <br>
<a href=\"#\" onClick=\"window.close(-1)\"><small>close</small>
</a>
</body> </html>\n"
);
close(SRC_CAPTION);
}
printf(HONEYPOT_CAPTION "</tbody> </table> <br>
<a href=\"#\" onClick=\"window.close(-1)\"><small>close</small>
</a>
</body> </html>\n"
);
close(HONEYPOT_CAPTION);
printf(HTML_FILE " </tbody>
</table></td>\n"
);
# show graphics
if ($graphics{'honeypot_connections'}->{'show'}) {
printf(HTML_FILE "
<td style=\"text-align: center; vertical-align: middle;\"> <span
style=\"font-weight: bold;\"><img src=\"honeypot_connections.png\"
title=\"%s\" alt=\"\" style=\"width: 539px; height: 310px;\"></span><br>
</td>\n", $graphics{'honeypot_connections'}->{'title'}
);
}
printf(HTML_FILE " </tr> </tbody> </table> <hr>\n");
# show graphics
if ($graphics{'top_src'}->{'show'} || $graphics{'honeypot_ips'}->{'show'}) {
printf(HTML_FILE
"<table style=\"text-align: left; height: 321px; width: 737px;\" border=\"0\" cellspacing=\"3\" cellpadding=\"3\"> <tbody> <tr> <td style=\"text-align: center; vertical-align: middle;\">\n"
);
}
printf(HTML_FILE
"<table cellpadding=\"2\" cellspacing=\"1\" border=\"1\" style=\"text-align: left; width: 268px; height: auto;\">
<tbody>
<tr>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51);\" rowspan=\"1\" colspan=\"3\"><big style=\"color: rgb(255, 255, 102);\"><span style=\"font-weight: bold;\"><a name=\"top_source\"></a>Top %s Source Hosts</span></big></td>
</tr>
<tr>
<td class=\"square\" style=\"background-color: rgb(192, 192, 192);\"><span style=\"font-weight: bold;\">Rank</span>
</td>
<td class=\"square\" style=\"background-color: rgb(192, 192, 192);\">
<span style=\"font-weight: bold;\">Source IP</span>
</td>
<td class=\"square\" style=\"background-color: rgb(192, 192, 192); text-align: right;\">
<span style=\"font-weight: bold;\">Connections</span>
</td>
</tr>\n", ($top_show - 1)
);
@graph_src = ();
$cnt = 1;
$control = 1;
foreach $src_ip (
sort { $src_host_hash{$b} <=> $src_host_hash{$a} }
keys %src_host_hash
)
{
printf(HTML_FILE "<tr>\n");
if ($control) {
printf(HTML_FILE
"<td style=\"font-weight: bold; text-align: left; vertical-align: middle;\">%d</td><td>%s</td><td align=\"right\">%d</td>",
$cnt, $src_ip, $src_host_hash{$src_ip});
$control = 0;
} else {
printf(HTML_FILE
"<td style=\"font-weight: bold; text-align: left; vertical-align: middle; background-color: rgb(192, 192, 192);\">%d</td><td style=\"background-color: rgb(192, 192, 192);\">%s</td><td align=\"right\" style=\"background-color: rgb(192, 192, 192);\">%d</td>\n",
$cnt, $src_ip, $src_host_hash{$src_ip});
$control = 1;
}
printf(HTML_FILE "</tr>\n");
push(@graph_src, $src_host_hash{$src_ip});
$cnt++;
if ($cnt == $top_show) {
last;
}
}
printf(HTML_FILE "</tbody> </table> \n");
# show graphics
if ($graphics{'top_src'}->{'show'}) {
printf(HTML_FILE "</td>\n");
&bar_graph("top_src", @graph_src);
printf(HTML_FILE
"<td style=\"vertical-align: middle; text-align: center;\"><img src=\"top_src.png\" title=\"%s\" alt=\"\" style=\"width: 500px; height: 300px;\"></td> </tr>\n",
$graphics{'top_src'}->{'title'}
);
}
# show graphics
if ($graphics{'honeypot_ips'}->{'show'}) {
printf(HTML_FILE "<tr>
<td style=\"vertical-align: middle; text-align: center;\" rowspan=\"1\" colspan=\"2\">
<span style=\"font-weight: bold;\"><a name=\"top_source_img\"></a>
<img src=\"honeypot_ips.png\" title=\"%s\" alt=\"\" style=\"height: 300px; width: 613px;\">
</span><br>
<div style=\"text-align: right;\"><small>
<a href=\"#top_source_img\" onclick=\"AbreInst('caption.html','','location=no, toolbar=no,directories=no,menubar=no,resizable=no,status=no,scrollbars=yes,width=250,height=500')\">HONEYPOT'S CAPTION</a></small><br>
</div>
</td></tr>\n", $graphics{'honeypot_ips'}->{'title'}
);
}
# show graphics
if ($graphics{'top_src'}->{'show'} || $graphics{'honeypot_ips'}->{'show'}) {
printf(HTML_FILE "</tbody> </table>\n");
}
printf(HTML_FILE "<hr>\n");
# show graphics
if ( $graphics{'top_port'}->{'show'}
|| $graphics{'honeypot_resources'}->{'show'})
{
printf(HTML_FILE
"<table style=\"text-align: left; height: 268px; width: 737px;\" border=\"0\" cellspacing=\"3\" cellpadding=\"3\"> <tbody> <tr> <td style=\"text-align: center; vertical-align: middle;\">\n"
);
}
printf(HTML_FILE
"<table cellpadding=\"2\" cellspacing=\"1\" border=\"1\" style=\"text-align: left; height: auto; width: 266px;\">
<tbody>
<tr>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51);\" rowspan=\"1\" colspan=\"3\">
<big style=\"color: rgb(255, 255, 102);\">
<span style=\"font-weight: bold;\"><a name=\"top_accessed\"></a>Top %s Accessed Resources</span>
</big>
</td>
</tr>
<tr>
<td style=\"background-color: rgb(192, 192, 192);\">
<b>Rank
</b>
</td>
<td style=\"background-color: rgb(192, 192, 192);\">
<b>Resource
</b>
</td>
<td style=\"background-color: rgb(192, 192, 192); text-align: right;\">
<b>Connections
</b>
</td>
</tr>\n", ($top_show - 1)
);
$cnt = 1;
$control = 1;
@graph_src = ();
foreach $port (
sort { $resource_hash{$b} <=> $resource_hash{$a} }
keys %resource_hash
)
{
printf(HTML_FILE "<tr>\n");
if ($control) {
printf(HTML_FILE
"<td style=\"font-weight: bold; text-align: left; vertical-align: middle;\">%d</td><td align=\"right\">%s</td><td align=\"right\">%d</td>",
$cnt, $port, $resource_hash{$port});
$control = 0;
} else {
printf(HTML_FILE
"<td style=\"font-weight: bold; text-align: left; vertical-align: middle; background-color: rgb(192, 192, 192);\">%d</td><td align=\"right\" style=\"background-color: rgb(192, 192, 192);\">%s</td><td align=\"right\" style=\"background-color: rgb(192, 192, 192);\">%d</td>",
$cnt, $port, $resource_hash{$port});
$control = 1;
}
printf(HTML_FILE "</tr>\n");
push(@graph_src, $resource_hash{$port});
$cnt++;
if ($cnt == $top_show) {
last;
}
}
printf(HTML_FILE "</tbody> </table>\n");
# show graphics
if ($graphics{'top_port'}->{'show'}) {
&bar_graph("top_port", @graph_src);
printf(HTML_FILE
"<td style=\"vertical-align: middle; text-align: center;\"><img src=\"top_port.png\" title=\"%s\" alt=\"\" style=\"width: 500px; height: 300px;\"></td> </tr>\n",
$graphics{'top_port'}->{'title'}
);
}
# show graphics
if ($graphics{'honeypot_resources'}->{'show'}) {
printf(HTML_FILE "<tr>
<td style=\"text-align: center; vertical-align: middle;\" rowspan=\"1\" colspan=\"2\">
<span style=\"font-weight: bold;\"><a name=\"top_accessed_img\"></a>
<img src=\"honeypot_resources.png\" title=\"%s\" alt=\"\" style=\"height: 300px; width: 650px;\"><br>
</span>
<div style=\"text-align: right;\"><small><a href=\"#top_accessed_img\" onclick=\"AbreInst('caption.html','','location=no, toolbar=no,directories=no,menubar=no,resizable=no,status=no,scrollbars=yes,width=250,height=500')\">HONEYPOT'S CAPTION</a><br>
</small></div>
</td></tr>\n", $graphics{'honeypot_resources'}->{'title'}
);
}
# show graphics
if ( $graphics{'top_port'}->{'show'}
|| $graphics{'honeypot_resources'}->{'show'})
{
printf(HTML_FILE " </tbody> </table>");
}
if ($proto_show == 0 || $proto_show == 5 || $proto_show == 6) {
printf(HTML_FILE "<hr>\n");
if ($graphics{'top_icmp'}->{'show'}) {
printf(HTML_FILE
"<table style=\"text-align: left; height: 321px; width: 737px;\" border=\"0\" cellspacing=\"3\" cellpadding=\"3\"> <tbody> <tr> <td style=\"text-align: center; vertical-align: middle;\">\n"
);
}
printf(HTML_FILE
"<table cellpadding=\"2\" cellspacing=\"1\" border=\"1\" style=\"text-align: left; width: 266px; height: auto;\">
<tbody>
<tr>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51);\" rowspan=\"1\" colspan=\"3\">
<big style=\"color: rgb(255, 255, 102);\">
<span style=\"font-weight: bold;\"><a name=\"top_icmp\"></a>Top %s ICMP &gt; 40 bytes Senders</span>
</big>
</td>
</tr>
<tr>
<td style=\"background-color: rgb(192, 192, 192);\">
<b>Rank
</b>
</td>
<td style=\"background-color: rgb(192, 192, 192);\">
<b>Source IP
</b>
</td>
<td style=\"background-color: rgb(192, 192, 192); text-align: right;\">
<b>Connections
</b>
</td>
</tr>\n", ($top_show - 1)
);
$cnt = 1;
$control = 1;
@graph_src = ();
foreach $src_ip (
sort { $icmp_b40_hash{$b} <=> $icmp_b40_hash{$a} }
keys %icmp_b40_hash
)
{
printf(HTML_FILE "<tr>\n");
if ($control) {
printf(HTML_FILE
"<td style=\"font-weight: bold; text-align: left; vertical-align: middle;\">%d</td><td>%s</td><td align=right>%d</td>",
$cnt, $src_ip, $icmp_b40_hash{$src_ip});
$control = 0;
} else {
printf(HTML_FILE
"<td style=\"font-weight: bold; text-align: left; vertical-align: middle; background-color: rgb(192, 192, 192);\">%d</td><td style=\"background-color: rgb(192, 192, 192);\">%s</td><td align=\"right\" style=\"background-color: rgb(192, 192, 192);\">%d</td>",
$cnt, $src_ip, $icmp_b40_hash{$src_ip});
$control = 1;
}
printf(HTML_FILE "</tr>\n");
push(@graph_src, $icmp_b40_hash{$src_ip});
$cnt++;
if ($cnt == $top_show) {
last;
}
}
printf(HTML_FILE "</tbody> </table> \n");
# show graphics
if ($graphics{'top_icmp'}->{'show'}) {
&bar_graph("top_icmp", @graph_src);
printf(HTML_FILE "</td>
<td style=\"vertical-align: middle; text-align: center;\"><img src=\"top_icmp.png\" title=\"%s\" alt=\"\" style=\"width: 500px; height: 300px;\"></td>
</tr>
</tbody>
</table>\n", $graphics{'top_icmp'}->{'title'}
);
}
}
printf(HTML_FILE "<hr>\n");
# show graphics
if ($graphics{'hour'}->{'show'}) {
printf(HTML_FILE
"<table style=\"text-align: left; height: 321px; width: 737px;\" border=\"0\" cellspacing=\"3\" cellpadding=\"3\">
<tbody>
<tr>
<td style=\"text-align: center; vertical-align: middle;\">\n"
);
}
printf(HTML_FILE
"<table cellpadding=\"2\" cellspacing=\"1\" border=\"1\" style=\"text-align: left; height: auto; width: 156px;\">
<tbody>
<tr>
<td style=\"vertical-align: top; text-align: center; background-color: rgb(51, 51, 51); white-space: nowrap;\"
rowspan=\"1\" colspan=\"2\"><big style=\"color: rgb(255, 255, 102);\"><span style=\"font-weight: bold;\"><a name=\"connections\"></a>Connections per Hour</span></big> </td>
</tr>
<tr>
<td style=\"background-color: rgb(192, 192, 192);\"><b>Hour</b></td>
<td style=\"text-align: right; background-color: rgb(192, 192, 192);\"><b>Connections</b></td>
</tr>\n"
);
$control = 1;
@graph_src = ();
foreach $hour (sort { $a cmp $b } keys %hour_hash) {
printf(HTML_FILE "<tr>\n");
if ($control) {
printf(HTML_FILE "<td>%s:00</td><td align=\"right\">%d</td>\n",
$hour, $hour_hash{$hour});
$control = 0;
} else {
printf(HTML_FILE
"<td style=\"background-color: rgb(192, 192, 192);\">%s:00</td><td align=\"right\" style=\"background-color: rgb(192, 192, 192);\">%d</td>\n",
$hour, $hour_hash{$hour});
$control = 1;
}
printf(HTML_FILE "</tr>\n");
push(@graph_src, $hour_hash{$hour});
}
printf(HTML_FILE "</tbody> </table> \n");
# show graphics
if ($graphics{'hour'}->{'show'}) {
&bar_graph("hour", @graph_src);
printf(HTML_FILE "</td>
<td style=\"vertical-align: middle; text-align: center;\"><img src=\"hour.png\" title=\"%s\" alt=\"\" style=\"width: 595px; height: 360px;\"></td>
</tr>
</tbody>
</table>\n", $graphics{'hour'}->{'title'}
);
}
printf(HTML_FILE "<hr>\n");
printf(HTML_FILE "</body>\n");
printf(HTML_FILE "</html>");
}
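# Final stage of HTML mode (-w): flush the report file and render the
# per-honeypot summary graphs whose 'show' flag is set in %graphics.
# main_graph() reads the @total_* arrays filled in by the main loop above.
if (defined($option{'w'})) {
    # HTML_FILE is a write handle: buffered write errors only surface at
    # close(), so report them instead of discarding them silently.
    close(HTML_FILE)
        || warn("$program_name: cannot close HTML output: $!\n");
    # Same order as the original if-chain; each graph is optional.
    foreach my $graph_name (qw(honeypot_connections honeypot_ips honeypot_resources)) {
        if ($graphics{$graph_name}->{'show'}) {
            main_graph($graph_name);
        }
    }
}
exit 0;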
# end of main
##########################################################################
### Subroutines
#-------------------------------------------------------------------------
# Name: ext_honeyd_conf
#
# Description: Extracts the configuration of honeyd
#
# Return values:
# none
#
sub ext_honeyd_conf {
# Parses one honeyd configuration file ($_[0]) and prints each template
# (personality, default tcp/udp/icmp actions, open ports, bound IPs) as
# plain text, or as HTML table rows when -w is set.  In HTML mode the rows
# are also stored in the global %honeyd_conf_print, keyed by personality,
# and every bound IP is mapped to its template key in %honeyd_conf_conv.
my ($file, $viewer, $line);
my ($pid);
my ($control);
my ($create_flag)=1;
my ($personality);
my ($system_aux) = ();
my (@tcp_ports) = ();
my (@udp_ports) = ();
my (@ips) = ();
my (@ips_aux) = ();
my ($tcp_action) = "-";
my ($udp_action) = "-";
my ($icmp_action) = "-";
my $control_conf = 0;
# check_filename() is the taint-untainting step (the script runs with -T):
# only its captured value reaches exec() below.  On failure the quotemeta'd
# name is echoed and `next` unwinds straight into the CALLER's loop
# ("Exiting subroutine via next" warning) -- this relies on being called
# from inside a loop; a plain `return` would not skip the rest of the
# caller's iteration the way `next` does.
if (!($file = &check_filename($_[0]))) {
$file = quotemeta($_[0]);
warn("$program_name: $file: invalid file name.\n");
next;
}
# Pick the decompressor by extension; $bzcat/$zcat/$cat are configured globals.
if ($file =~ /\.bz2$/) {
$viewer = $bzcat;
} elsif ($file =~ /\.gz$/) {
$viewer = $zcat;
} else {
$viewer = $cat;
}
my @viewer_args = ();
push(@viewer_args, $file);
if (!defined($option{'w'})) {
printf("\n### Honeypot's Configuration ###\n");
} else {
printf(HTML_FILE $honeyd_conf_print{'header'} . "\n");
}
# Fork: the child execs the viewer in LIST form (no shell is involved, so
# the file name cannot inject options or commands); the parent reads the
# child's stdout line by line through CHILD_TO_READ3.
$pid = open(CHILD_TO_READ3, "-|");
if (!$pid) {
# child
exec($viewer, @viewer_args)
|| die("$program_name: $viewer: cannot exec: $!\n");
# never reached
} else {
# parent
$create_flag = 1;
# $create_flag starts at 1 and is decremented on every `create` line, so it
# first drops below 0 on the SECOND `create`.  The flush block below thus
# runs on the line that follows the 2nd, 3rd, ... `create`, emits the
# template accumulated before it and the ++ at its end brings the flag
# back to 0.  NOTE(review): there is no flush after the loop, so the
# template still being accumulated when EOF is reached appears never to
# be printed -- confirm against a real honeyd.conf.
while ($line = <CHILD_TO_READ3>) {
if ($create_flag < 0) {
# When @IP_list is non-empty (an IP filter is configured) a template is
# shown only if it binds at least one listed IP, and only those IPs are
# kept (collected in @ips_aux).  Without a filter every template is shown.
if ($#IP_list != -1) {
$control = 0;
if ($#ips != -1) {
foreach my $ip (@ips) {
if (&check_list($ip, @IP_list) == 1) {
$control = 1;
push(@ips_aux, $ip);
}
}
}
} else {
$control = 1;
}
if ($control == 1) { #it found the ip
if (!defined($option{'w'})) {
printf("\n");
# NOTE(review): $personality comes from the config file and is used
# here as the printf FORMAT, so a '%' in it would be interpreted as a
# conversion; printf("%s", $personality) would print it literally.
printf($personality);
printf("\n");
} else {
# HTML mode keys the stored row by personality plus a "###" marker.  A
# personality seen before gets the global $person counter appended as
# well, so each template keeps its own row; the visible label ($per) has
# the marker and counter stripped again.
$personality = $personality . "###";
my $per;
if (!defined($honeyd_conf_print{$personality})) {
$per = $personality;
$per =~ s/###$//g;
$honeyd_conf_print{$personality} = (
"<tr> <td style=\"text-align: center; background-color: rgb(192, 192, 192);\"> <b>$per </b> </td> <td style=\"text-align: center; background-color: rgb(192, 192, 192);\"> <b>$tcp_action </b> </td> <td style=\"text-align: center; background-color: rgb(192, 192, 192);\"> <b>$udp_action </b> </td> <td style=\"text-align: center; background-color: rgb(192, 192, 192);\"> <b>$icmp_action </b> </td>"
);
} else {
$personality = $personality . $person;
$per = $personality;
$per =~ s/###\w*$//g;
$honeyd_conf_print{$personality} = (
"<tr> <td style=\"text-align: center; background-color: rgb(192, 192, 192);\"> <b>$per </b> </td> <td style=\"text-align: center; background-color: rgb(192, 192, 192);\"> <b>$tcp_action </b> </td> <td style=\"text-align: center; background-color: rgb(192, 192, 192);\"> <b>$udp_action </b> </td> <td style=\"text-align: center; background-color: rgb(192, 192, 192);\"> <b>$icmp_action </b> </td>"
);
$person++;
}
printf(HTML_FILE $honeyd_conf_print{$personality} . "\n");
}
if ($#IP_list != -1) {
@ips = @ips_aux;
}
if ($#ips != -1) {
if (!defined($option{'w'})) {
printf("\t( / ");
foreach my $ip (@ips) {
printf("%s / ", $ip);
}
printf(")\n");
}
}
# Ports cell (HTML only): opened here, filled with one <b>port/proto</b>
# line per tcp and udp port below.
if (defined($option{'w'})) {
$honeyd_conf_print{$personality} =
($honeyd_conf_print{$personality}
. "<td style=\"text-align: right; background-color: rgb(192, 192, 192);\">"
);
printf(HTML_FILE "
<td style=\"text-align: right; background-color: rgb(192, 192, 192);\">\n"
);
}
if ($#tcp_ports != -1) {
foreach my $port (@tcp_ports) {
if (!defined($option{'w'})) {
printf("\t%s/tcp\n", $port);
} else {
$honeyd_conf_print{$personality} =
($honeyd_conf_print{$personality}
. "<b>$port/tcp</b><br>");
printf(HTML_FILE "
<b>%s/tcp
</b>\n", $port
);
}
}
} else {
# No tcp AND no udp ports: remember to emit a "-" placeholder instead.
if (defined($option{'w'}) && $#udp_ports == -1) {
$control_conf = 1;
}
}
if ($#udp_ports != -1) {
foreach my $port (@udp_ports) {
if (!defined($option{'w'})) {
printf("\t%s/udp\n", $port);
} else {
$honeyd_conf_print{$personality} =
($honeyd_conf_print{$personality}
. "<b>$port/udp</b><br>");
printf(HTML_FILE "
<b>%s/udp
</b>\n", $port
);
}
}
} else {
if (defined($option{'w'}) && $control_conf) {
$honeyd_conf_print{$personality} =
($honeyd_conf_print{$personality} . "-</td>");
printf(HTML_FILE "-</td>\n");
$control_conf = 0;
}
}
# IPs cell (HTML only): one link per bound IP to its per-honeypot page,
# and the IP -> template mapping used elsewhere to label those pages.
if ($#ips != -1) {
if (defined($option{'w'})) {
$honeyd_conf_print{$personality} =
($honeyd_conf_print{$personality}
. "<td style=\"text-align: left; background-color: rgb(192, 192, 192);\"><big>"
);
printf(HTML_FILE "
<td style=\"text-align: left; background-color: rgb(192, 192, 192);\">
<big>\n"
);
foreach my $ip (@ips) {
$honeyd_conf_print{$personality} =
($honeyd_conf_print{$personality}
. "<a href=\"./$ip.html\">$ip</a><br>");
printf(HTML_FILE "<a href=\"./%s.html\">%s</a><br>\n",
$ip, $ip);
$honeyd_conf_conv{$ip} = ($personality);
}
$honeyd_conf_print{$personality} =
($honeyd_conf_print{$personality} . "</big></td>");
printf(HTML_FILE "</big></td>\n");
}
} else {
if (defined($option{'w'})) {
$honeyd_conf_print{$personality} =
($honeyd_conf_print{$personality}
. "<td style=\"text-align: left; background-color: rgb(192, 192, 192);\">-</td>"
);
printf(HTML_FILE
"<td style=\"text-align: left; background-color: rgb(192, 192, 192);\">-</td>\n"
);
}
}
if (defined($option{'w'})) {
$honeyd_conf_print{$personality} =
($honeyd_conf_print{$personality} . "</tr>");
printf(HTML_FILE "</tr>");
}
}
# Reset the per-template accumulators for the template that just started.
@tcp_ports = ();
@udp_ports = ();
@ips = ();
@ips_aux = ();
($tcp_action) = "-";
($udp_action) = "-";
($icmp_action) = "-";
$create_flag++;
}
# Line classification.  Only the first matching directive form is handled.
if ($line =~ /^create\s+(.*)/) {
$create_flag--;
# template name: captured but not used further in this sub
$system_aux = $1;
} elsif ($line =~ /^set\s+\w+\s+personality\s+\"(.*)\"/) {
$personality = $1;
} elsif ($line =~ /^add\s+\w+\s+tcp\s+port\s+(\d{1,5})\s+.*/) {
push(@tcp_ports, $1);
} elsif ($line =~ /^add\s+\w+\s+udp\s+port\s+(\d{1,5})\s+.*/) {
push(@udp_ports, $1);
} elsif ($line =~ /^bind\s+($IP_exp)\s+(.*)/) {
# With real/fake network lists configured, each bound IP is validated and
# rewritten through sanitize_ip(); an IP that fails check_ip() aborts the
# whole run (exit 1) after closing the handles.  Without the lists the
# address is recorded as written in the config.
if ($#real_hp_net != -1) {
if (&check_ip($1)) {
push(@ips, &sanitize_ip($1, \@real_hp_net, \@fake_hp_net));
} else {
close(CHILD_TO_READ3);
if (defined($option{'w'})) {
close(HTML_FILE);
}
exit 1;
}
} else {
push(@ips, $1);
}
}
elsif ($line =~ /^set\s+\w+\s+default\s+tcp\s+action\s+(\w+)/) {
$tcp_action = $1;
} elsif ($line =~ /^set\s+\w+\s+default\s+udp\s+action\s+(\w+)/) {
$udp_action = $1;
} elsif ($line =~ /^set\s+\w+\s+default\s+icmp\s+action\s+(\w+)/) {
$icmp_action = $1;
}
}#while
}
# Closing a piped handle reaps the child; $? carries the viewer's exit status.
close(CHILD_TO_READ3) || warn("$program_name: $viewer: exited $?\n");
if (defined($option{'w'})) {
printf(HTML_FILE $honeyd_conf_print{'foot'} . "\n");
}
}
#-------------------------------------------------------------------------
# Name: check_ip
#
# Description: checks if the IP passed to it is a valid IP address.
#
# Return values:
# 1 = success
# 0 = fail
#
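sub check_ip {
    my ($IP) = @_;
    # Deliberately NOT anchored to the whole string: set_list() routes NET
    # entries such as "10.0.0.0/8" through this check as well, so text may
    # legitimately follow the dotted quad.  The lookarounds only stop the
    # quad from being carved out of a longer dotted/digit run -- the
    # unanchored original accepted "1.2.3.4.5" and "2192.168.0.1".
    if ($IP =~ /(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])/) {
        my @octets = ($1, $2, $3, $4);
        # \d already rules out negatives; only the upper bound needs checking.
        if (grep { $_ > 255 } @octets) {
            warn("$program_name: " . $IP . " invalid IP address.\n");
            return 0;
        }
        return 1;
    }
    # quotemeta so an arbitrary string is echoed harmlessly in the warning.
    $IP = quotemeta($IP);
    warn("$program_name: " . $IP . " this isn't an IP address.\n");
    return 0;
}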
#-------------------------------------------------------------------------
# Name: check_port
#
# Description: checks if the PORT passed to it is valid.
#
# Return values:
# 1 = success
# 0 = fail
#
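sub check_port {
    my ($PORT) = @_;
    # Left unanchored as in the original, but the lookarounds stop a 1-5
    # digit prefix from being carved out of a longer digit run: the
    # original accepted "123456" because \d{1,5} matched "12345".
    if ($PORT =~ /(?<!\d)(\d{1,5})(?!\d)/) {
        my $port1 = $1;
        # \d cannot be negative, so only the upper bound matters.
        if ($port1 <= 65535) {
            return 1;
        }
        warn("$program_name: " . $PORT . " invalid port number.\n");
        return 0;
    }
    # quotemeta so an arbitrary string is echoed harmlessly in the warning.
    $PORT = quotemeta($PORT);
    warn("$program_name: " . $PORT . " this isn't a port number.\n");
    return 0;
}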
#-------------------------------------------------------------------------
# Name: check_proto
#
# Description: checks if the PROTOCOL passed to it is valid.
#
# Return values:
# 1 = success
# 0 = fail
#
sub check_proto {
    my ($PROTO) = @_;
    # Bit each protocol contributes to the global $proto_show mask.  Tested
    # in this order, first match wins; like the original these are plain
    # substring matches, so "tcpx" is accepted as tcp.
    my @bit_for = ([tcp => 1], [udp => 2], [icmp => 4]);
    foreach my $entry (@bit_for) {
        my ($name, $bit) = @$entry;
        if ($PROTO =~ /$name/) {
            $proto_show += $bit;
            return 1;
        }
    }
    warn("$program_name: " . $PROTO . " invalid protocol name.\n");
    return 0;
}
#-------------------------------------------------------------------------
# Name: set_list
#
# Description: validates the comma-separated values passed to the function
# and returns a new list containing only the valid ones
#
sub set_list {
    my ($check_option) = $_[0];
    shift @_;
    my ($LISTs) = @_;
    # Choose the validator once, in the same precedence order as the
    # original if/elsif chain (the first pattern that matches wins).
    my $validator;
    if ($check_option =~ /IP/) {
        $validator = \&check_ip;
    } elsif ($check_option =~ /NET/) {
        $validator = \&check_ip;    # network lists are vetted as IPs too
    } elsif ($check_option =~ /PORT/) {
        $validator = \&check_port;
    } elsif ($check_option =~ /PROTO/) {
        $validator = \&check_proto;
    }
    my @local_list = ();
    # Split on commas with any surrounding whitespace; an unknown option
    # keeps nothing, exactly as before.
    foreach my $list (split(/\s*\,\s*/, $LISTs)) {
        next unless defined $validator;
        push(@local_list, $list) if $validator->($list);
    }
    return @local_list;
}
#-------------------------------------------------------------------------
# Name: check_list
#
# Description: checks if the argument passed to the function belongs to
# (@*_list)
#
# Return values:
# 1 = success
# 0 = fail
#
sub check_list {
    my ($ELEMENT) = $_[0];
    shift @_;
    my (@LIST) = @_;
    # Membership by STRING equality: "10" and "10.0" are different entries.
    my $hit = grep { "$ELEMENT" eq "$_" } @LIST;
    return $hit ? 1 : 0;
}
#-------------------------------------------------------------------------
# Name: check_net_list
#
# Description: checks if the IP passed to the function belongs to
# (@NET_list)
#
# Return values:
# 1 = success
# 0 = fail
#
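sub check_net_list {
    my ($NET) = @_;
    foreach my $net_list_elem (@NET_list) {
        my $net_obj = Net::Netmask->new($net_list_elem);
        # Net::Netmask reports a bad specification through the ERROR slot
        # rather than by dying.  The original exited here without any
        # diagnostic; say which entry was rejected before giving up.
        if (defined($net_obj->{'ERROR'})) {
            warn("$program_name: $net_list_elem: " . $net_obj->{'ERROR'} . "\n");
            if (defined($option{'w'})) {
                close(HTML_FILE);
            }
            exit 1;
        }
        if ($net_obj->match($NET)) {
            return 1;
        }
    }
    # Not inside any configured network (or no networks configured).
    return 0;
}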
#-------------------------------------------------------------------------
# Name: check_filename
#
# Description: checks if filename contains expected characters only.
#
# Return values:
# file = success
# 0 = fail -- file contains some characters that may lead
# to a security problem.
#
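sub check_filename {
    my ($file) = @_;
    # This is the taint-untainting step under -T: the captured $1 is what
    # ext_honeyd_conf() passes to exec().  \A...\z instead of ^...$ so a
    # trailing newline can no longer slip past the check (with $ the
    # original matched "name\n" and quietly returned "name").
    return $1 if ($file =~ /\A([\w\-\:\_\.\/]+)\z/);
    # Callers test the return value for truth, so a file literally named
    # "0" is also reported as invalid.
    return 0;
}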
#-------------------------------------------------------------------------
# Name: show_usage
#
# Description: print program usage and exit.
#
# Return values:
# none
#
sub show_usage {
# Writes the usage text to STDOUT and terminates the process with status 1,
# so this never returns to the caller.
print <<EOF;
Usage: $program_name -c honeydsum.conf [-hVw] log-file1 log-file2 ... log-filen
-c honeydsum.conf file.
-h display this help and exit.
-V display version number and exit.
-w display output as web page (HTML).
EOF
exit 1;
}
#-------------------------------------------------------------------------
# Name: show_version
#
# Description: print program version and exit.
#
# Return values:
# none
#
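sub show_version {
    # Both values are passed as DATA: the original interpolated
    # $program_name into the printf format string, where a '%' in the
    # program's name would have been misread as a conversion.
    printf("%s: %s\n", $program_name, $honeydsum_version);
    exit 0;
}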
#---------------------------------------------------------------------
# Name: sanitize_ip
#
# Description: sanitizes an IP address based on the (real, fake) network
# lists passed as parameters.
#
# Return values:
# ip address sanitized
#
sub sanitize_ip {
# Rewrites the network part of $ip_db with the fake network paired to the
# real network it falls into, keeping the host part -- presumably so the
# honeypots' real addresses do not appear in the report.  $real_net_list
# and $fake_net_list are PARALLEL array refs: the fake network for
# $real_net_list->[$i] is $fake_net_list->[$i].  Returns the rewritten
# address, or $ip_db unchanged when no real network matches or the
# rewrite is not possible.
my ($ip_db) = $_[0];
shift @_;
my ($real_net_list, $fake_net_list) = @_;
# Unused locals (kept as is).
my (@real_net_list);
my (@fake_net_list);
my ($real_net_obj);
my ($fake_net_obj);
my ($real_net);
my $i = 0;
### IP SRC ###
foreach $real_net (@{$real_net_list}) {
$real_net_obj = Net::Netmask->new($real_net);
# Net::Netmask signals a bad specification via the ERROR slot; the run is
# aborted here without a diagnostic message.
if (defined($real_net_obj->{'ERROR'})) {
if (defined($option{'w'})) {
close(HTML_FILE);
}
exit 1;
}
if ($real_net_obj->match($ip_db)) {
$fake_net_obj = Net::Netmask->new(@{$fake_net_list}[$i]);
if (defined($fake_net_obj->{'ERROR'})) {
if (defined($option{'w'})) {
close(HTML_FILE);
}
exit 1;
}
# How many leading octets come from the fake network is decided by its
# prefix length: /1-/8 -> 1 octet, /9-/16 -> 2, /17-/31 -> 3.  The text
# is spliced on the '.' separators of the fake network's string form and
# of $ip_db; the remaining octets are the real address's.
my $part_fake_net;
if ($fake_net_obj->bits() <= 8) {
$part_fake_net = substr(@{$fake_net_list}[$i],
0, index(@{$fake_net_list}[$i], "\."))
. substr($ip_db, index($ip_db, "\."), length($ip_db));
} elsif ($fake_net_obj->bits() > 8 && $fake_net_obj->bits() <= 16) {
$part_fake_net = substr(
@{$fake_net_list}[$i],
0,
index(
@{$fake_net_list}[$i], "\.",
index(@{$fake_net_list}[$i], "\.") + 1
)
)
. substr($ip_db, index($ip_db, "\.", index($ip_db, "\.") + 1),
length($ip_db));
} elsif ($fake_net_obj->bits() > 16 && $fake_net_obj->bits() <= 31) {
$part_fake_net = substr(@{$fake_net_list}[$i],
0, rindex(@{$fake_net_list}[$i], "\."))
. substr($ip_db, rindex($ip_db, "\."), length($ip_db));
} else {
# /0 and /32 fake networks are not handled: the REAL address is returned
# and ends up in the output unchanged.
warn("$program_name: cannot sanitize: " . $ip_db . "\n");
return $ip_db;
}
# Sanity check: the spliced address must itself lie inside the fake
# network, otherwise fall back to the real address (again unchanged).
if ($fake_net_obj->match($part_fake_net)) {
return $part_fake_net;
} else {
warn("$program_name: cannot sanitize: " . $ip_db . "\n");
return $ip_db;
}
} #end if
$i++;
} #end for
# No real network matched: address left as is.
return $ip_db;
}
#---------------------------------------------------------------------
# Name: pie_total_graph
#
# Description: create the total connections graph per protocol
#
# Return values:
# none
#
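sub pie_total_graph {
    my $graph_name = $_[0];
    shift @_;
    my @parameter = @_;
    # Nothing to draw when no counts were passed.
    if ($#parameter != -1) {
        # Label and value arrays must line up: the TCP, UDP and ICMP totals
        # are expected in that order (missing ones stay undef, as before).
        my @data = ([ 'TCP', 'UDP', 'ICMP' ], [ $parameter[0], $parameter[1], $parameter[2] ]);
        # Class->new instead of the indirect `new Class(...)` form, whose
        # parse with a trailing `|| die` is ambiguous.
        my $graph = GD::Graph::pie->new(250, 250) || die GD::Graph::pie::error();
        $graph->set(
            title          => $graphics{$graph_name}->{'title'},
            dclrs          => [qw(lblue lgreen black)],
            transparent    => 1,
            axislabelclr   => 'white',
            '3d'           => $graphics{$graph_name}->{'3d'},
            start_angle    => 90,
            suppress_angle => 5,
        ) || die $graph->error;
        $graph->set_value_font(GD::Font->MediumBold);
        $graph->plot(\@data) || die $graph->error;
        # Three-arg open with a lexical handle: the mode is fixed regardless
        # of what the path string contains, and the handle cannot leak.
        my $fig_path = $output_html_dir . $graph_name . ".png";
        open(my $fig_fh, '>', $fig_path)
            || die("$program_name: cannot open file $fig_path: $!\n");
        binmode $fig_fh;
        print {$fig_fh} $graph->gd->png;
        # Buffered write errors only surface at close(); do not lose them.
        close($fig_fh) || warn("$program_name: $fig_path: $!\n");
    }
}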
#---------------------------------------------------------------------
# Name: bar_graph
#
# Description: creates the bar graph for the top-N information
#
# Return values:
# none
#
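sub bar_graph {
    my $graph_name = $_[0];
    shift @_;
    my @parameter = @_;
    # The "hour" graph is labelled from 0, every other top-N graph from 1.
    # Labels are positions, not the keys they stand for (the callers visible
    # in this file pass values only), so a missing hour presumably shifts
    # the labels that follow it.
    my $i = ($graph_name =~ /^hour$/) ? -1 : 0;
    # Nothing to draw when no values were passed.
    if ($#parameter != -1) {
        # x and y arrays must have the same number of entries.
        my @x_datas = map { ++$i } @parameter;
        my @data = ([@x_datas], [@parameter]);
        my $graph;
        if ($graphics{$graph_name}->{'3d'}) {
            $graph = GD::Graph::bars3d->new(500, 300) || die GD::Graph::bars3d::error();
        } else {
            $graph = GD::Graph::bars->new(500, 300) || die GD::Graph::bars::error();
        }
        $graph->set(
            x_label     => $graphics{$graph_name}->{'x_label'},
            y_label     => $graphics{$graph_name}->{'y_label'},
            title       => $graphics{$graph_name}->{'title'},
            # Show values on top of each bar
            show_values => $graphics{$graph_name}->{'show_values'},
            box_axis    => 1,
        ) || die $graph->error;
        my $image = $graph->plot(\@data) or die $graph->error;
        # Three-arg open with a lexical handle: the mode is fixed regardless
        # of what the path string contains, and the handle cannot leak.
        my $fig_path = $output_html_dir . $graph_name . ".png";
        open(my $fig_fh, '>', $fig_path)
            || die("$program_name: cannot open file $fig_path: $!\n");
        binmode $fig_fh;
        print {$fig_fh} $image->png;
        # Buffered write errors only surface at close(); do not lose them.
        close($fig_fh) || warn("$program_name: $fig_path: $!\n");
    }
}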
#---------------------------------------------------------------------
# Name: main_graph
#
# Description: create the other graphics
#
# Return values:
# none
#
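sub main_graph {
    my $graph_name = $_[0];
    # Which per-honeypot series each graph plots.  All three are filled in
    # lockstep with @ip_high by the main loop, one entry per honeypot.
    my %series_for = (
        honeypot_connections => \@total_con,
        honeypot_ips         => \@total_ips,
        honeypot_resources   => \@total_res,
    );
    # The original warned and then fell through to plot() with an empty data
    # set (and carried a duplicated honeypot_ips branch); bail out instead.
    if (!exists $series_for{$graph_name}) {
        warn("$program_name: cannot define graphics: $graph_name \n");
        return;
    }
    my $graph;
    if ($graphics{$graph_name}->{'3d'}) {
        $graph = GD::Graph::bars3d->new(500, 300) || die GD::Graph::bars3d::error();
    } else {
        $graph = GD::Graph::bars->new(500, 300) || die GD::Graph::bars::error();
    }
    $graph->set(
        x_label     => $graphics{$graph_name}->{'x_label'},
        y_label     => $graphics{$graph_name}->{'y_label'},
        title       => $graphics{$graph_name}->{'title'},
        # Draw bars with width 3 pixels
        bar_width   => 3,
        # Separate the bars with 4 pixels
        bar_spacing => 4,
        # Show the grid
        long_ticks  => 0,
        # Show values on top of each bar
        show_values => $graphics{$graph_name}->{'show_values'},
    ) || die $graph->error;
    $graph->set_legend_font(GD::Font->MediumBold);
    # x axis: honeypot number 1..N, in the order of @ip_high.
    my @data_tmp = (1 .. scalar(@ip_high));
    my @data = ([@data_tmp], [ @{ $series_for{$graph_name} } ]);
    my $image = $graph->plot(\@data) || die $graph->error;
    # Three-arg open with a lexical handle: the mode is fixed regardless of
    # what the path string contains, and the handle cannot leak.
    my $fig_path = $output_html_dir . $graph_name . ".png";
    open(my $fig_fh, '>', $fig_path)
        || die("$program_name: cannot open file $fig_path: $!\n");
    binmode $fig_fh;
    print {$fig_fh} $image->png;
    # Buffered write errors only surface at close(); do not lose them.
    close($fig_fh) || warn("$program_name: $fig_path: $!\n");
}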
#---------------------------------------------------------------------
# Name: hp_resources_graph
#
# Description: create the Resources x Connections pie chart for one
# honeypot
#
# Return values:
# none
#
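sub hp_resources_graph {
    my ($graph_name, $resource_sub) = @_;
    my %resource_hash_sub = %$resource_sub;

    # Pie slices: one per resource key in ascending numeric order, labelled
    # with the key and sized by its count.  The loop variable is lexical now;
    # the original iterated a package global ($resource without "my").
    my @labels = sort { $a <=> $b } keys %resource_hash_sub;
    my @counts = @resource_hash_sub{@labels};
    my @data   = ([@labels], [@counts]);

    # Class-method call instead of the indirect-object form
    # "new GD::Graph::pie(...)", which Perl can misparse when a sub named
    # "new" is in scope.
    my $graph = GD::Graph::pie->new(250, 250) || die GD::Graph::pie::error();
    $graph->set(
        # NOTE(review): title and 3d come from the fixed 'ip_a' entry, not
        # from $graph_name -- $graph_name only names the output file.  This
        # looks intentional (one shared style for every per-honeypot pie)
        # but confirm against the config.
        title => $graphics{'ip_a'}->{'title'},
        dclrs => [
            qw(blue green lorange dblue dgreen lred red dred purple dpurple orange marine lbrown dbrown black)
        ],
        transparent    => 1,
        axislabelclr   => 'white',
        '3d'           => $graphics{'ip_a'}->{'3d'},
        start_angle    => 90,
        suppress_angle => 5,    # GD::Graph::pie: slices narrower than this get no label
    ) || die $graph->error;
    $graph->set_value_font(GD::Font->MediumBold);
    $graph->plot(\@data) || die $graph->error;

    # Three-argument open with a lexical handle (no mode injection through
    # the path, no shared bareword handle); close is checked so buffered
    # write errors are not lost.
    my $png_path = $output_html_dir . $graph_name . "_a.png";
    open(my $fig_fh, '>', $png_path)
        || die("$program_name: $png_path: cannot open file: $!\n");
    binmode $fig_fh;
    print {$fig_fh} $graph->gd->png;
    close($fig_fh) || die("$program_name: $png_path: write failed: $!\n");
}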
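#---------------------------------------------------------------------
# Name: hp_source_ip_graph
#
# Description: create the stacked "per source IP" bar chart of one
#              honeypot; writes <graph_name>_b.png into $output_html_dir
#
# Parameters:
#   $graph_name  - output file name prefix
#   $source_sub  - hashref: integer source IP => hashref of key => count
#                  (one stacked segment per inner key)
#
# Return values:
#   none
#
sub hp_source_ip_graph {
    my ($graph_name, $source_sub) = @_;
    my %source_hash_sub = %$source_sub;

    my $data_new = GD::Graph::Data->new() || die GD::Graph::Data::error();

    # One bar per source IP in ascending numeric order, x-labelled 1..n.
    # Each bar is a stack of segments, one per inner key, and segment k must
    # stand for the same key in every bar.  The original walked the inner
    # hash with each(), whose order is not guaranteed to be the same for two
    # hashes, so the keys are sorted before series numbers are assigned.
    # (The original also computed a dotted-quad string of the IP that was
    # never used; dropped.)
    # NOTE(review): this still assumes every source IP carries the same set
    # of inner keys -- confirm against the caller; if the sets can differ,
    # series must be mapped by key across all sources instead.
    my $bar = 0;
    foreach my $src_ip_nbr (sort { $a <=> $b } keys %source_hash_sub) {
        my $per_key = $source_hash_sub{$src_ip_nbr};
        $data_new->set_x($bar, $bar + 1);
        my $series = 1;
        foreach my $key (sort keys %$per_key) {
            $data_new->set_y($series, $bar, $per_key->{$key});
            $series++;
        }
        $bar++;
    }
    # NOTE(review): the data is cumulated here AND the chart is set with
    # cumulate => 1 below.  If GD::Graph computes the running sums itself
    # for cumulate => 1, the segments are double-counted; verify against a
    # rendered chart before removing either.
    $data_new->cumulate(1);

    my $graph;
    if ($graphics{'ip_b'}->{'3d'}) {
        $graph = GD::Graph::bars3d->new(500, 300) || die GD::Graph::bars3d::error();
    } else {
        $graph = GD::Graph::bars->new(500, 300) || die GD::Graph::bars::error();
    }
    $graph->set(
        x_label     => $graphics{'ip_b'}->{'x_label'},
        y_label     => $graphics{'ip_b'}->{'y_label'},
        title       => $graphics{'ip_b'}->{'title'},
        bar_spacing => 3,
        long_ticks  => 0,
        show_values => $graphics{'ip_b'}->{'show_values'},
        cumulate    => 1,
    ) || die $graph->error;
    my $image = $graph->plot($data_new) or die $graph->error;

    # Three-argument open with a lexical handle (no mode injection through
    # the path, no shared bareword handle); close is checked so buffered
    # write errors are not lost.
    my $png_path = $output_html_dir . $graph_name . "_b.png";
    open(my $fig_fh, '>', $png_path)
        || die("$program_name: $png_path: cannot open file: $!\n");
    binmode $fig_fh;
    print {$fig_fh} $image->png;
    close($fig_fh) || die("$program_name: $png_path: write failed: $!\n");
}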
#---------------------------------------------------------------------
# Name: parser_config_file
#
# Description: parse the options of the config file into the file-level
#              globals (network lists, filter lists, %graphics, ...)
#
# Return values:
# none
#
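sub parser_config_file {
    my ($file_arg) = @_;

    # The path comes from the command line and is untrusted.  Only a name
    # accepted by check_filename() is used below; presumably that is also
    # where it is untainted for -T -- verify in check_filename().
    my $file_tmp = check_filename(@_);
    if (!$file_tmp) {
        # The original did printf() with the message as the format string and
        # reported $file (a different global) instead of the argument, so a
        # name containing '%' was interpreted as format directives.
        warn("$program_name: $file_arg: invalid file name.\n");
        exit 1;
    }

    # Pick the reader by extension so compressed configs are streamed
    # through bzcat/zcat.  $viewer is a file-level global, as before.
    if ($file_tmp =~ /\.bz2$/) {
        $viewer = $bzcat;
    } elsif ($file_tmp =~ /\.gz$/) {
        $viewer = $zcat;
    } else {
        $viewer = $cat;
    }

    # List-form pipe open: Perl forks and execs $viewer directly (no shell),
    # and a failed fork or exec makes open() return false with $! set.  The
    # original tested the pid with "if (!$pid)", so a failed fork (undef)
    # took the child branch and ran exec() in the parent process.
    open(my $cfg_fh, '-|', $viewer, $file_tmp)
        || die("$program_name: $viewer: can't exec: $!\n");

    # Network lists: each entry is validated as it is read; the real/fake
    # pairs are checked against each other after the whole file is read.
    my %net_list_for = (
        institution_net      => \@real_inst_net,    # real institution network(s)
        fake_institution_net => \@fake_inst_net,    # sanitized replacement(s)
        real_honeypot_net    => \@real_hp_net,      # real honeypot network(s)
        fake_honeypot_net    => \@fake_hp_net,      # sanitized replacement(s)
    );
    # Filter lists handed to set_list(): kind tag, target array, error text.
    my %set_list_for = (
        honeypot_list => [ 'IP',    \@IP_list,    'cannot set IP list.' ],
        net_list      => [ 'NET',   \@NET_list,   'cannot set IP or net list.' ],
        dest_port     => [ 'PORT',  \@PORT_list,  'cannot set port list.' ],
        proto_list    => [ 'PROTO', \@PROTO_list, 'cannot set protocol list.' ],
    );
    # Per-graphic keys, stored under the most recent "name = ..." line.
    my %is_flag_key = map { $_ => 1 } qw(show 3d show_values);
    my %is_text_key = map { $_ => 1 } qw(title x_label y_label);

    my $name;    # current graphic name; undef until a "name" line is seen
    while (my $line = <$cfg_fh>) {
        chomp $line;
        $line =~ s/#.*//;      # drop comments
        $line =~ s/^\s+//;     # drop leading whitespace
        $line =~ s/\s+$//;     # drop trailing whitespace
        $line =~ s/\'//g;      # drop single quotes
        $line =~ s/\;//;       # drop the first semicolon
        next unless length $line;
        my ($var, $value) = split(/\s*=\s*/, $line, 2);
        $value = '' unless defined $value;    # bare key: empty value, not an undef warning
        my $has_value = ($value =~ /\S+/);

        if ($net_list_for{$var}) {
            @{ $net_list_for{$var} } = _cfg_net_list($var, $value) if $has_value;
        } elsif ($set_list_for{$var}) {
            if ($has_value) {
                my ($kind, $target, $errmsg) = @{ $set_list_for{$var} };
                @$target = set_list($kind, $value);
                if (!@$target) {
                    warn("$program_name: $errmsg\n");
                    exit 1;
                }
            }
        } elsif ($var eq "honeyd_conf") {
            # honeyd configuration file(s), comma separated
            if ($has_value) {
                $honeyd_conf       = 1;
                @honeyd_conf_files = split(/\s*\,\s*/, $value);
            }
        } elsif ($var eq "top_information") {
            # Number of records in the "top" tables; stored as N+1.  Anchored
            # so that e.g. "10x" is rejected instead of being read as 10.
            if ($value =~ /^([0-9]+)$/) {
                $top_show = $1 + 1;
            } else {
                warn("$program_name: cannot set top.\n");
                exit 1;
            }
        } elsif ($var eq "html_file") {
            # HTML output file; mandatory only when -w was given
            if ($has_value) {
                $output_html_file = $value;
            } elsif (defined($option{'w'})) {
                warn("$program_name: you must inform html output file\n");
                exit 1;
            }
        } elsif ($var eq "name") {
            # Starts a graphic section; the per-graphic keys attach to it
            if (!$has_value) {
                warn("$program_name: cannot set name: $value \n");
                exit 1;
            }
            $name = $value;
        } elsif ($var eq "type") {
            # The original pattern /^[pie|bar]/ was a character class: it
            # accepted any value starting with one of p, i, e, |, b, a, r.
            # Use an anchored alternation.  The end is left open because the
            # full set of type values is not visible here -- TODO confirm and
            # tighten to /^(?:pie|bar)$/ if only those two exist.
            if ($value =~ /^(?:pie|bar)/) {
                _cfg_graph_key($name, $var, $value);
            } else {
                warn("$program_name: cannot set type: $value \n");
                exit 1;
            }
        } elsif ($is_flag_key{$var}) {
            # show / 3d / show_values: y or n, stored as 1 / 0
            _cfg_graph_key($name, $var, _cfg_yes_no($var, $value));
        } elsif ($is_text_key{$var}) {
            # title / x_label / y_label: any non-blank text
            if (!$has_value) {
                warn("$program_name: cannot set $var: $value \n");
                exit 1;
            }
            _cfg_graph_key($name, $var, $value);
        } else {
            # Unknown key.  The original printed only the value, which made
            # the offending line hard to find.
            warn("$program_name: cannot define value: $var = $value \n");
            exit 1;
        }
    }
    close($cfg_fh) || warn("$program_name: $viewer: exited $?\n");

    # Real and fake networks are substituted pairwise, so both lists must
    # have the same length and each pair the same prefix length.  Both size
    # checks run before any mask check, as in the original.
    _cfg_same_count('honeypot',    \@real_hp_net,   \@fake_hp_net);
    _cfg_same_count('institution', \@real_inst_net, \@fake_inst_net);
    _cfg_same_masks('institution', \@real_inst_net, \@fake_inst_net,
        \$real_inst_net_obj, \$fake_inst_net_obj);
    _cfg_same_masks('honeypot', \@real_hp_net, \@fake_hp_net,
        \$real_hp_net_obj, \$fake_hp_net_obj);
}

# Build a Net::Netmask for $spec, or exit with a message naming the config
# key ($what) and the library's error.  The original exited silently, which
# left no clue about which network was rejected.
sub _cfg_netmask {
    my ($what, $spec) = @_;
    my $obj = Net::Netmask->new($spec);
    if (defined($obj->{'ERROR'})) {
        warn("$program_name: $what: $spec: $obj->{'ERROR'}\n");
        exit 1;
    }
    return $obj;
}

# Split a comma-separated list of networks and validate every entry;
# returns the list of network specs.
sub _cfg_net_list {
    my ($what, $value) = @_;
    my @nets = split(/\s*\,\s*/, $value);
    _cfg_netmask($what, $_) foreach @nets;
    return @nets;
}

# Map a y/n config flag to 1/0; anything else exits.  The original pattern
# /^[y|n]$/ also accepted a literal "|" (as "n").
sub _cfg_yes_no {
    my ($var, $value) = @_;
    if ($value !~ /^[yn]$/) {
        warn("$program_name: cannot set $var: $value \n");
        exit 1;
    }
    return $value eq 'y' ? 1 : 0;
}

# Store a per-graphic key under the current section name.  A per-graphic
# key before any "name" line used to be stored under an undefined (empty)
# name with an "uninitialized value" warning; now it is a config error.
sub _cfg_graph_key {
    my ($name, $var, $value) = @_;
    if (!defined $name) {
        warn("$program_name: '$var' given before 'name' in config file\n");
        exit 1;
    }
    $graphics{$name}->{$var} = $value;
}

# Exit unless the real and fake network lists of $label have the same length.
sub _cfg_same_count {
    my ($label, $real_nets, $fake_nets) = @_;
    if ($#$real_nets != $#$fake_nets) {
        warn("$program_name: real and fake $label network must have size equals\n");
        exit 1;
    }
}

# Build Net::Netmask objects for every real/fake pair of $label networks and
# exit unless each pair shares a prefix length.  The objects of the last pair
# are left in the two scalar refs (the file-level *_net_obj globals); empty
# lists leave them untouched.
sub _cfg_same_masks {
    my ($label, $real_nets, $fake_nets, $real_obj_ref, $fake_obj_ref) = @_;
    for my $i (0 .. $#$real_nets) {
        $$real_obj_ref = _cfg_netmask($label, $real_nets->[$i]);
        $$fake_obj_ref = _cfg_netmask($label, $fake_nets->[$i]);
        if ($$real_obj_ref->bits() != $$fake_obj_ref->bits()) {
            warn("$program_name: real and fake $label network must have mask equals\n");
            exit 1;
        }
    }
}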
######################################################################
### honeydsum.pl ends here