Changeset 47 for sample/hadoop-0.16/tw/org

Timestamp:

Aug 8, 2008, 4:37:54 PM (16 years ago)

Author:

waue

Message:

SnortBase?.java -> tuning some field
SnortParser?.java -> debug and fix

Location:

sample/hadoop-0.16/tw/org/nchc/code

Files:

• LogParser.java (modified) (1 diff)
• SnortBase.java (modified) (8 diffs)
• SnortParser.java (modified) (4 diffs)

sample/hadoop-0.16/tw/org/nchc/code/LogParser.java

@@ -27 +27 @@
   private String agent;
   private long timestamp;
-
+  
   private static Pattern p = Pattern
   .compile("([^ ]*) ([^ ]*) ([^ ]*) \\[([^]]*)\\] \"([^\"]*)\"" +

sample/hadoop-0.16/tw/org/nchc/code/SnortBase.java

@@ -47 +47 @@
 package tw.org.nchc.code;
 
-import java.io.File;
-import java.io.FileWriter;
 import java.io.IOException;
-import java.text.ParseException;
 import java.text.ParsePosition;
 import java.text.SimpleDateFormat;
@@ -75 +72 @@
 import org.apache.hadoop.mapred.Reporter;
 
-
 class Log {
-
-  public Log(String data)  {
+  String gid, sid, version;
+
+  String alert_name, class_type, priority;
+
+  String source, destination, type;
+
+  // String ttl, tos, id, iplen, dgmlen;
+  
+  String srcport, dstport,tmp;
+  public Log(String data) {
 
     String[] arr = data.split(";");
-
     this.gid = arr[0];
     this.sid = arr[1];
@@ -88 +91 @@
     this.class_type = arr[4];
     this.priority = arr[5];
-    this.timestamp = getTime(arr[7] + "/" + arr[6] + ":" + arr[8]
-        + ":" + arr[9] + ":" + arr[10]);
-//    this.timestamp = now.getTime();
-    this.source = arr[11];
-    this.destination = arr[12];
+    this.timestamp = getTime(arr[7] + "/" + arr[6] + ":" + arr[8] + ":"
+        + arr[9] + ":" + arr[10]);
+    this.source = getIP(arr[11]);
+    this.srcport = this.tmp;
+    this.destination = getIP(arr[12]);
+    this.dstport = this.tmp;
     this.type = arr[13];
-    this.ttl = arr[14];
-    this.tos = arr[15];
-    this.id = arr[16];
-    this.iplen = arr[17];
-    this.dgmlen = arr[18];
-
-  }
-  Date now = new Date(); 
+    // this.ttl = arr[14];
+    // this.tos = arr[15];
+    // this.id = arr[16];
+    // this.iplen = arr[17];
+    // this.dgmlen = arr[18];
+    
+  }
   long timestamp;
 
-  String gid, sid, version;
-
-  String alert_name, class_type, priority;
-
-  String source, destination, type, ttl, tos, id, iplen, dgmlen;
+
+  String getIP(String str){
+    String res;
+    int n = str.indexOf(":");
+    if (n == -1) {
+      res = str;
+      this.tmp = "0";
+    } else {
+      String[] vec = str.split(":");
+      res = vec[0];
+      this.tmp = vec[1];
+    }
+    return res;
+  }
 
   long getTime(String str) {
     SimpleDateFormat sdf = new SimpleDateFormat("dd/MM:HH:mm:ss",
         Locale.TAIWAN);
-    Long timestamp = sdf.parse(str,new ParsePosition(0)).getTime();
+    Long timestamp = sdf.parse(str, new ParsePosition(0)).getTime();
     return timestamp;
   }
@@ -124 +136 @@
   public static final String TABLE = "table.name";
 
-  static String tableName = "SnortBase";
+  static String tableName = "flex";
 
   static HTable table = null;
-
 
   public static class MapClass extends MapReduceBase implements
@@ -143 +154 @@
     public void map(WritableComparable key, Text value,
         OutputCollector<Text, Writable> output, Reporter reporter)
-        throws IOException{
-
-//      try {
-
-        Log log = new Log(value.toString());
-        
-        // 查看value的值
-        FileWriter out = new FileWriter(new File(
-            "/home/waue/Desktop/snort-result.txt"));
-        out.write(value.toString() + "_time=" + log.timestamp + "\n");
-        out.flush();
-        out.close();
-
-        if (table == null)
-          table = new HTable(conf, new Text(tableName));
-
-        long lockId = table.startUpdate(new Text(log.destination));
-        table.put(lockId, new Text("id:gid"), log.gid.getBytes());
-        table.put(lockId, new Text("id:sid"), log.sid.getBytes());
-        table.put(lockId, new Text("id:version"), log.version
-            .getBytes());
-        table.put(lockId, new Text("name:name"), log.alert_name
-            .getBytes());
-        table.put(lockId, new Text("name:class"), log.class_type
-            .getBytes());
-        table.put(lockId, new Text("index:priority"), log.priority
-            .getBytes());
-        table.put(lockId, new Text("index:soure"), log.source
-            .getBytes());
-        table
-            .put(lockId, new Text("payload:type"), log.type
-                .getBytes());
-        table.put(lockId, new Text("payload:ttl"), log.ttl.getBytes());
-        table.put(lockId, new Text("payload:tos"), log.tos.getBytes());
-        table.put(lockId, new Text("payload:id"), log.id.getBytes());
-        table.put(lockId, new Text("payload:iplen"), log.iplen
-            .getBytes());
-        table.put(lockId, new Text("payload:dgmlen"), log.dgmlen
-            .getBytes());
-        table.commit(lockId, log.timestamp);
-
-//      } catch (Exception e) {
-//        e.printStackTrace();
-//      }
+        throws IOException {
+
+      // try {
+
+      Log log = new Log(value.toString());
+
+      // 查看value的值
+      // FileWriter out = new FileWriter(new File(
+      // "/home/waue/Desktop/snort-result.txt"));
+      // out.write(value.toString() + "_time=" + log.timestamp + "\n");
+      // out.flush();
+      // out.close();
+
+      if (table == null)
+        table = new HTable(conf, new Text(tableName));
+
+      long lockId = table.startUpdate(new Text(log.destination));
+      table.put(lockId, new Text("id:gid"), log.gid.getBytes());
+      table.put(lockId, new Text("id:sid"), log.sid.getBytes());
+      table.put(lockId, new Text("id:version"), log.version.getBytes());
+      table.put(lockId, new Text("name:name"), log.alert_name.getBytes());
+      table
+          .put(lockId, new Text("name:class"), log.class_type
+              .getBytes());
+      table.put(lockId, new Text("id:priority"), log.priority
+          .getBytes());
+      table.put(lockId, new Text("direction:soure"), log.source.getBytes());
+      table.put(lockId, new Text("direction:srcport"), log.srcport.getBytes());
+      table.put(lockId, new Text("direction:dstport"), log.dstport.getBytes());
+      table.put(lockId, new Text("payload:type"), log.type.getBytes());
+      // table.put(lockId, new Text("payload:ttl"), log.ttl.getBytes());
+      // table.put(lockId, new Text("payload:tos"), log.tos.getBytes());
+      // table.put(lockId, new Text("payload:id"), log.id.getBytes());
+      // table.put(lockId, new Text("payload:iplen"), log.iplen
+      // .getBytes());
+      // table.put(lockId, new Text("payload:dgmlen"), log.dgmlen
+      // .getBytes());
+      table.commit(lockId, log.timestamp);
+
+      // } catch (Exception e) {
+      // e.printStackTrace();
+      // }
 
     }
@@ -212 +221 @@
     jobConf.set(TABLE, tableName);
     // 先省略 自動搜尋目錄的功能
-    /*
-     * Path[] in = listPaths(fs, InputDir); if (fs.isFile(InputDir)) {
-     * jobConf.setInputPath(InputDir); } else { for (int i = 0; i <
-     * in.length; i++) { if (fs.isFile(in[i])) {
-     * jobConf.addInputPath(in[i]); } else { Path[] sub = listPaths(fs,
-     * in[i]); for (int j = 0; j < sub.length; j++) { if (fs.isFile(sub[j])) {
-     * jobConf.addInputPath(sub[j]); } } } } }
-     */
+    // Path InputDir = new Path(inpath);
+    // Path[] in = listPaths(fs, InputDir);
+    // if (fs.isFile(InputDir))
+    // {
+    // jobConf.setInputPath(InputDir);
+    // }
+    // else{
+    // for (int i = 0; i < in.length; i++){
+    // if (fs.isFile(in[i])){
+    // jobConf.addInputPath(in[i]);
+    // } else
+    // {
+    // Path[] sub = listPaths(fs, in[i]);
+    // for (int j = 0; j < sub.length; j++)
+    // {
+    // if (fs.isFile(sub[j]))
+    // {
+    // jobConf.addInputPath(sub[j]);
+    // } } } } }
+
     jobConf.setInputPath(InputPath);
     jobConf.setOutputPath(tempDir);
@@ -241 +262 @@
       tableDesc.addFamily(new HColumnDescriptor("id:"));
       tableDesc.addFamily(new HColumnDescriptor("name:"));
-      tableDesc.addFamily(new HColumnDescriptor("index:"));
+      tableDesc.addFamily(new HColumnDescriptor("direction:"));
       tableDesc.addFamily(new HColumnDescriptor("payload:"));
-      tableDesc.addFamily(new HColumnDescriptor("priority:"));
       admin.createTable(tableDesc);
     } else {
@@ -253 +273 @@
   public static void main(String[] args) throws IOException, Exception {
 
-    String path = "/user/waue/alert_meta";
+    String path = "/user/waue/snort-log/alert_flex_parsed.txt";
 
     // 先省略掉 parse完後自動上傳部份

sample/hadoop-0.16/tw/org/nchc/code/SnortParser.java

@@ -55 +55 @@
     case 4:
       patten_line = Pattern
-          .compile("^([^ ]*) TTL:([^ ]*) TOS:([^ ]*) ID:([^ ]*) IpLen:([^ ]*) DgmLen:([^ ]*)$");
+          .compile("^([^ ]*) [^$]*$");
+      // .compile("^([^ ]*) TTL:([^ ]*) TOS:([^ ]*) ID:([^ ]*) IpLen:([^ ]*) DgmLen:([^ ]*)$");
+
       break;
     default:
@@ -69 +71 @@
         this.logData += (data[j] + ";");
       }
-
+    }else if(i ==1 ){
+      this.logData += "0;0;0;parse error;";
+    }else if(i == 2){
+      this.logData += "Port Scan;3;";
+    }else if(i == 3){
+      this.logData += "01;01;00;00;00;error;error;";
+    }else if(i == 4){
+      this.logData += "0;";
+    }else{
+      this.logData = "*FatalError*";
     }
 
@@ -83 +94 @@
       if (line == null) {
         break;
-      }else if(line.isEmpty()){
+      } else if (line.isEmpty()) {
         fw.write(this.logData.toString() + "\n");
         this.logData = "";
-        count = 0;        
-      }else if (count < 4) {
+        count = 0;
+      } else if (count < 4) {
         // System.out.println(line);
         snortParser(line, count + 1);
@@ -100 +111 @@
   }
 
+  // 需搞定icmp ping 的格式問題
   public static void main(String[] args) throws ParseException, Exception {
-    String in = new String("/home/waue/Desktop/alert_m");
-    String ou = new String("/tmp/alert_SnortBase");
+    String in = new String("/home/waue/Desktop/alert_flex.txt");
+    String ou = new String("/home/waue/Desktop/alert_flex_parsed.txt");
     SnortParser a = new SnortParser(in, ou);
     a.parseToLine();