English
资源说明:
# Snort Log Parser
This Ruby code parses Snort log files related to a VeRSI project for VU. The log files are taken from a VPN server that has mobile devices connected to it. This parser takes encrypted incoming requests from mobile devices and tries to match them against an unencrypted outgoing requests.
It does this matching (in a fairly dodgy way) by looking at the packet length of an encrypted incoming packet, and finding a corresponding outgoing packet that is 41 bytes shorter.
# Creating the log files
Use a command like the following to start logging with snort:
snort -dev -l ./log_directory
Use a command like the following to create a plain text version of a binary log file:
snort -dv -r snort_binary.log.1336714497 > snort_plain_text.log
# Running the parser
The `Analyser#analyse` function in the main entry point. Look at the rspec tests for an example usage.
Use the rake command to run the rspec tests:
rake
The analyser can also run from the command line:
ruby lib/analyse.rb snort_input_file openpaths_json_file user_ip_address
# An example usage
Here is an example of running through the procedure of gathering data and analysing it.
## Start Time/Date
Make a note of the start date and time:
~ 11:06 am 15/5/2012 (local Mac Laptop time)
~ Tue May 15 01:06:23 UTC 2012 (VPN Time)
## Connect mobile device to VPN
Connect your device to the PopTop VPN. We've got one running on the NeCTAR cloud at 115.146.94.29.
## Make sure OpenPaths is running on mobile device
We're using OpenPaths to collect location data for the mobile device.
## SSH to VPN
ssh -l ubuntu -i ~/.ssh/jared_vpn.pem 115.146.94.29
## Output of `last` on VPN
Now that the mobile device is connected to the VPN you can run `last` to see who is logged in and what their IP address is:
ubuntu pts/2 glong.versi.unim Tue May 15 01:05 still logged in
gdlong ppp0 1.139.60.94 Tue May 15 01:02 still logged in
(Ran `last` again and actual IP is 1.139.177.134)
## Get the time on the VPN
Run `date` to get the VPN machine's time.
## Change to root
sudo -i
## Make a log directory
mkdir log_20120515
## Start snort
snort.bin -dev -l ./log_20120515
## Use the mobile device
Make sure its still connected to the VPN, and navigate to some web pages. For example at the following times I went to the following websites:
* 11:12am - Twitter App
* 11:12am - Facebook App
* 11:14am - ABC App
* 11:14am - Instagram App
* 11:15am - The Age Website (Safari)
## Stop snort
^c
### Output
===============================================================================
Run time for packet processing was 291.34068 seconds
Snort processed 11682 packets.
Snort ran for 0 days 0 hours 4 minutes 51 seconds
Pkts/min: 2920
Pkts/sec: 40
===============================================================================
Packet I/O Totals:
Received: 11682
Analyzed: 11682 (100.000%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 0 ( 0.000%)
Injected: 0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: 11682 (100.000%)
VLAN: 0 ( 0.000%)
IP4: 11675 ( 99.940%)
Frag: 0 ( 0.000%)
ICMP: 29 ( 0.248%)
UDP: 157 ( 1.344%)
TCP: 6112 ( 52.320%)
IP6: 2 ( 0.017%)
IP6 Ext: 2 ( 0.017%)
IP6 Opts: 0 ( 0.000%)
Frag6: 0 ( 0.000%)
ICMP6: 2 ( 0.017%)
UDP6: 0 ( 0.000%)
TCP6: 0 ( 0.000%)
Teredo: 0 ( 0.000%)
ICMP-IP: 0 ( 0.000%)
EAPOL: 0 ( 0.000%)
IP4/IP4: 0 ( 0.000%)
IP4/IP6: 0 ( 0.000%)
IP6/IP4: 0 ( 0.000%)
IP6/IP6: 0 ( 0.000%)
GRE: 5260 ( 45.027%)
GRE Eth: 0 ( 0.000%)
GRE VLAN: 0 ( 0.000%)
GRE IP4: 0 ( 0.000%)
GRE IP6: 0 ( 0.000%)
GRE IP6 Ext: 0 ( 0.000%)
GRE PPTP: 5260 ( 45.027%)
GRE ARP: 0 ( 0.000%)
GRE IPX: 0 ( 0.000%)
GRE Loop: 0 ( 0.000%)
MPLS: 0 ( 0.000%)
ARP: 0 ( 0.000%)
IPX: 0 ( 0.000%)
Eth Loop: 0 ( 0.000%)
Eth Disc: 0 ( 0.000%)
IP4 Disc: 0 ( 0.000%)
IP6 Disc: 0 ( 0.000%)
TCP Disc: 0 ( 0.000%)
UDP Disc: 0 ( 0.000%)
ICMP Disc: 0 ( 0.000%)
All Discard: 0 ( 0.000%)
Other: 122 ( 1.044%)
Bad Chk Sum: 381 ( 3.261%)
Bad TTL: 0 ( 0.000%)
S5 G 1: 0 ( 0.000%)
S5 G 2: 0 ( 0.000%)
Total: 11682
===============================================================================
## Convert the snort log to text
snort.bin -dvC -r log_20120515/snort.log.1337044274 > log_20120515/snort.log.1337044274.txt
tar -zvcf log_20120515.tgz log_20120515
mv log_20120515.tgz ~ubuntu
cd ~ubuntu
chown ubuntu log_20120515.tgz
exit
exit
## Copy the log file to the local PC
scp ubuntu@115.146.94.29:/home/ubuntu/log_20120515.tgz .
tar -zvxf
## Get the openpaths data
You can download the location data for your mobile device from https://openpaths.cc/
## Run analyse.rb
Run analyse. The usage is:
ruby analyse.rb snort_input_file openpaths_json_file user_ip_address
So, for example:
ruby analyse.rb traffic_data/log_20120515/snort.log.1337044274.txt location_data/openpaths_gregorydavidlong.json 1.139.177.134
A list of datagrams with their corresponding locations for the nominated mobile device IP address should be displayed.
# Future enhancements
* Make the output neater and easier to read
* Add graphical data visualisation
* Finish incomplete unit tests
* Add automatic parsing of output from `last` command for selection of IP address. This will also require adding a date range for which we are interested in the IP address.
* Add parsing of KML location data
本源码包内暂不包含可直接显示的源代码文件,请下载源码包。
