#!/bin/sh
#
# Procedura alert_diff
# Calcola le differenze negli alert files di snort.
# Se eseguito da un cron job aiuta a verificare con regolarità i nuovi alert generati da un IDS.
# Creation date: 31/10/2005 OM/Sansec
# Modification record:
#
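# Configuration.
# ROOTD is kept for compatibility with the original script; nothing below
# reads it.
# TMPDIR holds the summary that is carried over to the next run
# (alert.yest) plus the per-run scratch files.  The alert.yest name is
# fixed, the job normally runs as root and its output is mailed to root, so
# on a multi-user host TMPDIR should point at a directory writable only by
# the account running this cron job rather than a shared /tmp.
# shellcheck disable=SC2034
ROOTD=/usr/local/etc
TMPDIR=${TMPDIR:-/tmp}
ALERT_LOG=/var/log/snort/alert
YEST=$TMPDIR/alert.yest

set -u

# Remove reports left behind by earlier runs.  The original test
# '[ -f $TMPDIR/alert.diff.* ]' fails as soon as the glob matches more than
# one file (and matches nothing when there is none); rm -f copes with both.
rm -f -- "$TMPDIR"/alert.diff.*

# First run: there is no "yesterday" summary yet, so create an empty one.
# (The original only touched the file when it already existed, which left
# the comparison loop below failing on a missing file.)
[ -f "$YEST" ] || : > "$YEST"

# Per-run scratch files.  mktemp replaces the predictable alert.today and
# alert.diff.$$ names, which could be pre-created (or symlinked) by another
# local user before this job writes to them.
TODAY=$(mktemp "$TMPDIR/alert.today.XXXXXX") || exit 1
REPORT=$(mktemp "$TMPDIR/alert.diff.XXXXXX") || exit 1
# After the final mv TODAY no longer exists; rm -f ignores that.
trap 'rm -f -- "$TODAY" "$REPORT"' EXIT

# Count today's alerts per signature.  Preprocessor lines ('spp') are
# dropped as before; the message is the text between the third ']' and the
# following '[' of each alert line.  Output: "<count>|<message>", most
# frequent first.  The whole message is kept (the original printed at most
# 14 words of it).
grep -v spp "$ALERT_LOG" \
  | cut -d ']' -f 3 | cut -d '[' -f 1 \
  | sort | uniq -c | sort -rn \
  | awk 'NF > 0 { n = $1; $1 = ""; sub(/^ +/, ""); print n "|" $0 }' \
  > "$TODAY"

# Build the report: yesterday's count, today's count, signed difference and
# the message.  printf replaces 'echo -e', which is not portable under
# #!/bin/sh, and %+d gives a proper sign (the original always prefixed "+",
# producing "+-2" for a decrease).
printf 'Ieri  Oggi  \tDifferenza  Log\n' > "$REPORT"
while IFS='|' read -r num_tod name_tod; do
  [ -n "$name_tod" ] || continue
  # Counts come from uniq -c and must be plain digits; alert.yest is a
  # persistent file, so reject anything else before it reaches $(( )).
  case $num_tod in
    ''|*[!0-9]*) continue ;;
  esac
  num_yest=
  while IFS='|' read -r n name_yest; do
    if [ "$name_yest" = "$name_tod" ]; then
      num_yest=$n
      break
    fi
  done < "$YEST"
  case $num_yest in
    ''|*[!0-9]*)
      # Signature not seen yesterday (or an unusable count): report it
      # against 0 and, as the original did, also print it on stdout so
      # cron forwards the new signature on its own.
      printf '0  %s \t%+d \t%s\n' "$num_tod" "$num_tod" "$name_tod" >> "$REPORT"
      printf '0  %s \t%+d \t%s\n' "$num_tod" "$num_tod" "$name_tod"
      ;;
    *)
      printf '%s  %s \t%+d \t%s\n' "$num_yest" "$num_tod" \
        "$((num_tod - num_yest))" "$name_tod" >> "$REPORT"
      ;;
  esac
done < "$TODAY"

# Today's summary becomes tomorrow's baseline; only mail once that worked.
mv -- "$TODAY" "$YEST" || exit 1
mail -s "ALERT FILE DIFF" root < "$REPORT"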

