Index: sample/hadoop-0.16/test.java
===================================================================
--- sample/hadoop-0.16/test.java	(revision 46)
+++ sample/hadoop-0.16/test.java	(revision 47)
@@ -282,4 +282,57 @@
 	}
 
+	void selRegular(String str) {
+		Pattern patten_line1, patten_line2;
+		Matcher matcher;
+		String logData = new String();
+
+		patten_line1 = Pattern
+				.compile("^\\[Classification: ([^\\]]*)\\] \\[Priority: ([1-9]*)\\].*$");
+		patten_line2 = Pattern.compile("^\\[Priority: ([1-9]*)\\].*$");
+		matcher = patten_line1.matcher(str);
+
+		if (matcher.matches()) {
+			int number = matcher.groupCount();
+			String[] data = new String[number];
+			for (int j = 0; j < number; j++) {
+				data[j] = matcher.group(j + 1);
+				logData += (data[j] + ";");
+			}
+		} else {
+			matcher = patten_line2.matcher(str);
+			if (matcher.matches()) {
+				logData = "Port Scan;" + matcher.group(1) + ";";
+			} else {
+				logData = ";;";
+			}
+		}
+
+		System.out.println(logData);
+		System.out.println("end");
+
+	}
+	void splitExc(){
+		String arr = "140.110.1.1:255";
+		int n = arr.indexOf(":");
+		if (n == -1) {
+			System.out.println("ip :" + arr);
+		} else {
+			System.out.println("ok");
+			String[] vec = arr.split(":");
+			System.out.println("ip :" + vec[0]);
+			System.out.println("port :" + vec[1]);
+		}
+	}
+	void callByRefFun(int a,int b){
+		b = a;
+	}
+	void callByRef(){
+		test t = new test();
+		this.na =5;
+		int b = 10;
+		t.callByRefFun(b, this.na);
+		System.out.println(this.na);
+	}
+
 	public static void main(String[] args) throws Exception {
 
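Review bot: In `selRegular`, both patterns capture the priority with `([1-9]*)`, which accepts an empty value (`[Priority: ]` matches with an empty group) and rejects any priority containing the digit 0, so such a line drops to the `;;` branch. If the field is meant to be a non-empty number, `([0-9]+)` states that directly. The two `Pattern.compile` calls also run on every invocation, so hoisting them to `private static final` fields avoids recompiling per line; the `data` array is only a pass-through for `matcher.group(j + 1)`. Separately, `callByRefFun` assigns to its own parameter `b`, which has no effect on the caller because Java passes `int` by value, so `callByRef` prints 5; a one-line comment such as `// Java passes primitives by value: this assignment is not visible to the caller` would make the demonstration explicit.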
@@ -305,5 +358,14 @@
 		// 測試取得現在時間
 		// t.getNowTime();
-		t.setTime();
+		// t.setTime();
+		// 測試 選擇性正規表示法
+		// t.selRegular(String str);
+		// 測試 split()的例外處理
+		// t.splitExc();
+		t.callByRef();
+		
+		// if(vec[1] != null){
+		// System.out.print(" \nport:" + vec[1] );
+		// }
 	}
 
Index: sample/hadoop-0.16/tw/org/nchc/code/LogParser.java
===================================================================
--- sample/hadoop-0.16/tw/org/nchc/code/LogParser.java	(revision 46)
+++ sample/hadoop-0.16/tw/org/nchc/code/LogParser.java	(revision 47)
@@ -27,5 +27,5 @@
   private String agent;
   private long timestamp;
-
+  
   private static Pattern p = Pattern
   .compile("([^ ]*) ([^ ]*) ([^ ]*) \\[([^]]*)\\] \"([^\"]*)\"" +
Index: sample/hadoop-0.16/tw/org/nchc/code/SnortBase.java
===================================================================
--- sample/hadoop-0.16/tw/org/nchc/code/SnortBase.java	(revision 46)
+++ sample/hadoop-0.16/tw/org/nchc/code/SnortBase.java	(revision 47)
@@ -47,8 +47,5 @@
 package tw.org.nchc.code;
 
-import java.io.File;
-import java.io.FileWriter;
 import java.io.IOException;
-import java.text.ParseException;
 import java.text.ParsePosition;
 import java.text.SimpleDateFormat;
@@ -75,11 +72,17 @@
 import org.apache.hadoop.mapred.Reporter;
 
-
 class Log {
-
-	public Log(String data)  {
+	String gid, sid, version;
+
+	String alert_name, class_type, priority;
+
+	String source, destination, type;
+
+	// String ttl, tos, id, iplen, dgmlen;
+	
+	String srcport, dstport,tmp;
+	public Log(String data) {
 
 		String[] arr = data.split(";");
-
 		this.gid = arr[0];
 		this.sid = arr[1];
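Review bot: The constructor indexes `arr[0]` through `arr[13]` straight after `data.split(";")` with no check on `arr.length` (the later indexes are in the next hunk, so the body continues outside this one), and a short or malformed record therefore throws `ArrayIndexOutOfBoundsException` out of the mapper. This commit adds a path that can produce such a record: SnortParser's new final fallback sets the record to `*FatalError*`, which contains no `;`, and if that text ever reaches this constructor it splits into a single element. Java's `split` also discards trailing empty fields, so a record ending in `;;` comes back shorter than its nominal field count. A guard right after the split, for example `if (arr.length < 14) throw new IllegalArgumentException("malformed alert record");`, gives callers one well-defined failure to handle.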
@@ -88,30 +91,39 @@
 		this.class_type = arr[4];
 		this.priority = arr[5];
-		this.timestamp = getTime(arr[7] + "/" + arr[6] + ":" + arr[8]
-				+ ":" + arr[9] + ":" + arr[10]);
-//		this.timestamp = now.getTime();
-		this.source = arr[11];
-		this.destination = arr[12];
+		this.timestamp = getTime(arr[7] + "/" + arr[6] + ":" + arr[8] + ":"
+				+ arr[9] + ":" + arr[10]);
+		this.source = getIP(arr[11]);
+		this.srcport = this.tmp;
+		this.destination = getIP(arr[12]);
+		this.dstport = this.tmp;
 		this.type = arr[13];
-		this.ttl = arr[14];
-		this.tos = arr[15];
-		this.id = arr[16];
-		this.iplen = arr[17];
-		this.dgmlen = arr[18];
-
-	}
-	Date now = new Date(); 
+		// this.ttl = arr[14];
+		// this.tos = arr[15];
+		// this.id = arr[16];
+		// this.iplen = arr[17];
+		// this.dgmlen = arr[18];
+		
+	}
 	long timestamp;
 
-	String gid, sid, version;
-
-	String alert_name, class_type, priority;
-
-	String source, destination, type, ttl, tos, id, iplen, dgmlen;
+
+	String getIP(String str){
+		String res;
+		int n = str.indexOf(":");
+		if (n == -1) {
+			res = str;
+			this.tmp = "0";
+		} else {
+			String[] vec = str.split(":");
+			res = vec[0];
+			this.tmp = vec[1];
+		}
+		return res;
+	}
 
 	long getTime(String str) {
 		SimpleDateFormat sdf = new SimpleDateFormat("dd/MM:HH:mm:ss",
 				Locale.TAIWAN);
-		Long timestamp = sdf.parse(str,new ParsePosition(0)).getTime();
+		Long timestamp = sdf.parse(str, new ParsePosition(0)).getTime();
 		return timestamp;
 	}
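Review bot: `getIP` finds the colon with `indexOf` but then re-splits the string and reads `vec[1]`, which throws `ArrayIndexOutOfBoundsException` for a value with a trailing colon such as `10.0.0.1:` (constructed example), because `split` drops the trailing empty element. Using the index already computed avoids that: `res = str.substring(0, n); this.tmp = str.substring(n + 1);`. Splitting at the first colon also cuts any address that itself contains colons (an IPv6 address, if the input ever carries one) down to its first group, so the stored source or destination would be wrong without any error. The port is handed back through the shared `tmp` field, so `srcport`/`dstport` are only correct while each `getIP` call is immediately followed by the copy; returning both parts, for example as a two-element `String[]`, removes that ordering dependency. `getTime` in the same hunk dereferences the result of `sdf.parse(str, new ParsePosition(0))`, which is `null` when the text does not parse, so a bad date field surfaces as a `NullPointerException`.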
@@ -124,8 +136,7 @@
 	public static final String TABLE = "table.name";
 
-	static String tableName = "SnortBase";
+	static String tableName = "flex";
 
 	static HTable table = null;
-
 
 	public static class MapClass extends MapReduceBase implements
@@ -143,48 +154,46 @@
 		public void map(WritableComparable key, Text value,
 				OutputCollector<Text, Writable> output, Reporter reporter)
-				throws IOException{
-
-//			try {
-
-				Log log = new Log(value.toString());
-				
-				// 查看value的值
-				FileWriter out = new FileWriter(new File(
-						"/home/waue/Desktop/snort-result.txt"));
-				out.write(value.toString() + "_time=" + log.timestamp + "\n");
-				out.flush();
-				out.close();
-
-				if (table == null)
-					table = new HTable(conf, new Text(tableName));
-
-				long lockId = table.startUpdate(new Text(log.destination));
-				table.put(lockId, new Text("id:gid"), log.gid.getBytes());
-				table.put(lockId, new Text("id:sid"), log.sid.getBytes());
-				table.put(lockId, new Text("id:version"), log.version
-						.getBytes());
-				table.put(lockId, new Text("name:name"), log.alert_name
-						.getBytes());
-				table.put(lockId, new Text("name:class"), log.class_type
-						.getBytes());
-				table.put(lockId, new Text("index:priority"), log.priority
-						.getBytes());
-				table.put(lockId, new Text("index:soure"), log.source
-						.getBytes());
-				table
-						.put(lockId, new Text("payload:type"), log.type
-								.getBytes());
-				table.put(lockId, new Text("payload:ttl"), log.ttl.getBytes());
-				table.put(lockId, new Text("payload:tos"), log.tos.getBytes());
-				table.put(lockId, new Text("payload:id"), log.id.getBytes());
-				table.put(lockId, new Text("payload:iplen"), log.iplen
-						.getBytes());
-				table.put(lockId, new Text("payload:dgmlen"), log.dgmlen
-						.getBytes());
-				table.commit(lockId, log.timestamp);
-
-//			} catch (Exception e) {
-//				e.printStackTrace();
-//			}
+				throws IOException {
+
+			// try {
+
+			Log log = new Log(value.toString());
+
+			// 查看value的值
+			// FileWriter out = new FileWriter(new File(
+			// "/home/waue/Desktop/snort-result.txt"));
+			// out.write(value.toString() + "_time=" + log.timestamp + "\n");
+			// out.flush();
+			// out.close();
+
+			if (table == null)
+				table = new HTable(conf, new Text(tableName));
+
+			long lockId = table.startUpdate(new Text(log.destination));
+			table.put(lockId, new Text("id:gid"), log.gid.getBytes());
+			table.put(lockId, new Text("id:sid"), log.sid.getBytes());
+			table.put(lockId, new Text("id:version"), log.version.getBytes());
+			table.put(lockId, new Text("name:name"), log.alert_name.getBytes());
+			table
+					.put(lockId, new Text("name:class"), log.class_type
+							.getBytes());
+			table.put(lockId, new Text("id:priority"), log.priority
+					.getBytes());
+			table.put(lockId, new Text("direction:soure"), log.source.getBytes());
+			table.put(lockId, new Text("direction:srcport"), log.srcport.getBytes());
+			table.put(lockId, new Text("direction:dstport"), log.dstport.getBytes());
+			table.put(lockId, new Text("payload:type"), log.type.getBytes());
+			// table.put(lockId, new Text("payload:ttl"), log.ttl.getBytes());
+			// table.put(lockId, new Text("payload:tos"), log.tos.getBytes());
+			// table.put(lockId, new Text("payload:id"), log.id.getBytes());
+			// table.put(lockId, new Text("payload:iplen"), log.iplen
+			// .getBytes());
+			// table.put(lockId, new Text("payload:dgmlen"), log.dgmlen
+			// .getBytes());
+			table.commit(lockId, log.timestamp);
+
+			// } catch (Exception e) {
+			// e.printStackTrace();
+			// }
 
 		}
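Review bot: The source column is written as `direction:soure`; the misspelling is carried over from the old `index:soure`, and since this commit renames the family anyway it is the cheapest moment to correct the qualifier to `direction:source` before readers depend on it. Every `getBytes()` call here uses the platform default charset, so the stored bytes can differ between task nodes; `log.gid.getBytes("UTF-8")` and likewise for the other fields pins the encoding, and the checked `UnsupportedEncodingException` is already covered by `throws IOException`. The `try`/`catch` stays commented out, so a runtime exception from `new Log(value.toString())` on a malformed record propagates out of `map` instead of skipping that one record. That should be an explicit decision, with a comment saying which behaviour is intended for an alert-ingest job.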
@@ -212,12 +221,24 @@
 		jobConf.set(TABLE, tableName);
 		// 先省略 自動搜尋目錄的功能
-		/*
-		 * Path[] in = listPaths(fs, InputDir); if (fs.isFile(InputDir)) {
-		 * jobConf.setInputPath(InputDir); } else { for (int i = 0; i <
-		 * in.length; i++) { if (fs.isFile(in[i])) {
-		 * jobConf.addInputPath(in[i]); } else { Path[] sub = listPaths(fs,
-		 * in[i]); for (int j = 0; j < sub.length; j++) { if (fs.isFile(sub[j])) {
-		 * jobConf.addInputPath(sub[j]); } } } } }
-		 */
+		// Path InputDir = new Path(inpath);
+		// Path[] in = listPaths(fs, InputDir);
+		// if (fs.isFile(InputDir))
+		// {
+		// jobConf.setInputPath(InputDir);
+		// }
+		// else{
+		// for (int i = 0; i < in.length; i++){
+		// if (fs.isFile(in[i])){
+		// jobConf.addInputPath(in[i]);
+		// } else
+		// {
+		// Path[] sub = listPaths(fs, in[i]);
+		// for (int j = 0; j < sub.length; j++)
+		// {
+		// if (fs.isFile(sub[j]))
+		// {
+		// jobConf.addInputPath(sub[j]);
+		// } } } } }
+
 		jobConf.setInputPath(InputPath);
 		jobConf.setOutputPath(tempDir);
@@ -241,7 +262,6 @@
 			tableDesc.addFamily(new HColumnDescriptor("id:"));
 			tableDesc.addFamily(new HColumnDescriptor("name:"));
-			tableDesc.addFamily(new HColumnDescriptor("index:"));
+			tableDesc.addFamily(new HColumnDescriptor("direction:"));
 			tableDesc.addFamily(new HColumnDescriptor("payload:"));
-			tableDesc.addFamily(new HColumnDescriptor("priority:"));
 			admin.createTable(tableDesc);
 		} else {
@@ -253,5 +273,5 @@
 	public static void main(String[] args) throws IOException, Exception {
 
-		String path = "/user/waue/alert_meta";
+		String path = "/user/waue/snort-log/alert_flex_parsed.txt";
 
 		// 先省略掉 parse完後自動上傳部份
Index: sample/hadoop-0.16/tw/org/nchc/code/SnortParser.java
===================================================================
--- sample/hadoop-0.16/tw/org/nchc/code/SnortParser.java	(revision 46)
+++ sample/hadoop-0.16/tw/org/nchc/code/SnortParser.java	(revision 47)
@@ -55,5 +55,7 @@
 		case 4:
 			patten_line = Pattern
-					.compile("^([^ ]*) TTL:([^ ]*) TOS:([^ ]*) ID:([^ ]*) IpLen:([^ ]*) DgmLen:([^ ]*)$");
+					.compile("^([^ ]*) [^$]*$");
+			// .compile("^([^ ]*) TTL:([^ ]*) TOS:([^ ]*) ID:([^ ]*) IpLen:([^ ]*) DgmLen:([^ ]*)$");
+
 			break;
 		default:
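Review bot: In the `case 4` pattern `"^([^ ]*) [^$]*$"`, the `$` inside the character class is a literal dollar sign, not an end-of-line anchor, so `[^$]*` means "any run of characters other than `$`". A fourth line that contains a `$` after the first space therefore fails to match and gets the fallback value instead of its first token. If the intent is "capture the first token and ignore the rest of the line", `"^([^ ]*) .*$"` expresses that. The enclosing `switch` starts and ends outside this hunk.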
@@ -69,5 +71,14 @@
 				this.logData += (data[j] + ";");
 			}
-
+		}else if(i ==1 ){
+			this.logData += "0;0;0;parse error;";
+		}else if(i == 2){
+			this.logData += "Port Scan;3;";
+		}else if(i == 3){
+			this.logData += "01;01;00;00;00;error;error;";
+		}else if(i == 4){
+			this.logData += "0;";
+		}else{
+			this.logData = "*FatalError*";
 		}
 
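Review bot: The `i == 2` fallback writes `Port Scan;3;` for every second line that fails to match, so an alert whose classification simply could not be parsed is stored as a priority-3 port scan and cannot be told apart from a real one downstream. `selRegular` in test.java (same commit) only emits `Port Scan` when the line matches the bare `[Priority: …]` form and emits empty fields otherwise; following that here, or using an explicit marker as the `i == 1` branch does with `parse error`, keeps parse failures visible. The `i == 3` fallback appears to put `error` in the source and destination positions with a fixed `01;01;00;00;00` date, which SnortBase would then store under a row keyed `error` with a made-up timestamp. The final `else` assigns `*FatalError*` with `=`, dropping the fields already collected and leaving a record with no `;` separators. The method starts outside this hunk.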
@@ -83,9 +94,9 @@
 			if (line == null) {
 				break;
-			}else if(line.isEmpty()){
+			} else if (line.isEmpty()) {
 				fw.write(this.logData.toString() + "\n");
 				this.logData = "";
-				count = 0;				
-			}else if (count < 4) {
+				count = 0;
+			} else if (count < 4) {
 				// System.out.println(line);
 				snortParser(line, count + 1);
@@ -100,7 +111,8 @@
 	}
 
+	// 需搞定icmp ping 的格式問題
 	public static void main(String[] args) throws ParseException, Exception {
-		String in = new String("/home/waue/Desktop/alert_m");
-		String ou = new String("/tmp/alert_SnortBase");
+		String in = new String("/home/waue/Desktop/alert_flex.txt");
+		String ou = new String("/home/waue/Desktop/alert_flex_parsed.txt");
 		SnortParser a = new SnortParser(in, ou);
 		a.parseToLine();
