-
Notifications
You must be signed in to change notification settings - Fork 0
/
correlation_analysis_v1.pl
107 lines (94 loc) · 3.82 KB
/
correlation_analysis_v1.pl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
#!/usr/bin/perl -w
#Correlation Analysis Engine for Fatbee
#When an attack's IP address exists for many times within a specific period, warn Administrator.
#Updated on 20171202
require "/usr/local/sbin/fatbee/send_email_through_gmail_v3.pl";
$|=1;
$time_slot=2*60; #Time Slot is 2 minutes.
$repeat_limits=5;
$correlation_analysis_log_file="/usr/local/sbin/fatbee/correlation/correlation_analysis_log.log";
$dangerous_ip_log_file="/usr/local/sbin/fatbee/correlation/dangerous_ip_log_after_analyzing.log";
#Main Function
while(1){
#Start: Create the log file if it does not exist!
if (-e $correlation_analysis_log_file){
;
}else{
system("touch $correlation_analysis_log_file");
}
#End: Create the log file if it does not exist!
#Start: Read the correlation analysis log file being written by other security engines.
open(LOGFILE_READ, "$correlation_analysis_log_file");
@log_content=<LOGFILE_READ>;
chomp(@log_content);
#
#Example of @log_content:
#2017-Dec,Dec-2,tcp,216.36.187.97,57962,0.0.0.0,25
#2017-Dec,Dec-2,tcp,109.230.219.194,55546,0.0.0.0,25
#2017-Dec,Dec-2,tcp,46.102.196.66,63502,0.0.0.0,25
#
close(LOGFILE_READ);
#End: Read the correlation analysis pairs file.
#&correlation_analysis_rule_2(\@log_content);
#Start: Truncate the correlation_analysis_log_file
open(LOGFILE_EMPTY, ">$correlation_analysis_log_file");
print LOGFILE_EMPTY "";
close(LOGFILE_EMPTY);
#End: Truncate the correlation_analysis_log_file
#Start: Take those attackers' IP addresses
undef(@attackers_ip_addressess);
foreach $each_log (@log_content){
if($each_log=~/(.*),(.*),(.*),(.*),(.*),(.*),(.*)/){
push(@attackers_ip_addressess, $4);
}
}
#End: Take those attackers' IP addresses
#Start: Aggregate those duplicated logs.
#The example of aggregation:
#root@LinuxTest:~/test/Correlation_Analysis# cat ./test.pl
##!/usr/bin/perl -w
#use strict;
#use warnings;
#my @array=("abc", "def", "abc", "ghi", "gih", "abc", "gih");
#my %hash=map {$_=>1} @array;
#my @unique=keys %hash;
#print "@unique\n";
#root@LinuxTest:~/test/Correlation_Analysis# ./test.pl
#abc gih def ghi
%hash_attackers_ip_addressess=map {$_=>1} @attackers_ip_addressess;
@unique_attackers_ip_addressess=keys %hash_attackers_ip_addressess;
#End: Aggregate those duplicated logs.
#Start: Count the dangerous IP addresses
undef(@dangerous_ip_addresses); @dangerous_ip_addresses=();
foreach $an_unique_attackers_ip_address (@unique_attackers_ip_addressess){
$counter_a=0;
foreach $a_attacker_ip_address (@attackers_ip_addressess){
if($a_attacker_ip_address eq $an_unique_attackers_ip_address){
$counter_a++;
}
}
if($counter_a >= $repeat_limits){
push(@dangerous_ip_addresses, $an_unique_attackers_ip_address);
}
}
print "\@dangerous_ip_addresses : @dangerous_ip_addresses\n"; #Debug
#End: Count the dangerous IP addresses
$dangerous_ip_addresses_size=@dangerous_ip_addresses;
if($dangerous_ip_addresses_size > 0){
#Start: Organize the output of Correlation Analysis
$current_time_a=`date +\"\%b \%d \%T \%Y\"`;
chop($current_time_a);
$content_regarding_correlation_analysis_alert=$current_time_a.", the following IP address\(es\) must be dangerous: \[@dangerous_ip_addresses\].\n";
#End: Organize the output of Correlation Analysis
#Start: Write down the aforementioned IP to a log
open(DANGEROUS_IP_LOG, ">>$dangerous_ip_log_file");
print DANGEROUS_IP_LOG $content_regarding_correlation_analysis_alert;
close(DANGEROUS_IP_LOG);
#End: Write down the aforementioned IP to a log
#Start: Send an email regarding those dangerous IP addresses
&send_by_gmail("Correlation Analysis Alert!", $content_regarding_correlation_analysis_alert);
#End: Send an email regarding those dangerous IP addresses
}
sleep($time_slot);
}
exit(1);