In this document we give an introduction and overview of Topipa
Topipa is a Perl script for processing Ourmon mon.lite files to recognize highly active IP addresses in terms of flow, worm and scan behavior. Results are indexed by IP address and reported in order of a weighted score.
Topipa reads one or more mon.lite files processing entries relevant to flows, metrics and scans. Entries are stored in an associative array keyed on IP address. Flows consist of topn_ip, topn_tcp, topn_udp and topn_icmp. Metrics include top_syn list, icmp error and udp error. Scans include of ip_scan, ip_portscan, tcp_portscan and udp_portscan.
Every time an address is observed the count is incremented for the observed entry. After all mon.lite and tcpworm files are read, a sum for flows, scans, metrics and worm are calculated. A weighted score is determined by the formula 'A * flows + B * metrics + C * scans + D * worm'. Defaults weights are 1, 1, 1, 1. Output is sorted on the score from highest to lowest. The top page gives a prioritized lists of hosts with links to host pages.Host pages give detailed results of activity with mean, median, and standard deviation of measurements and flow samples.
Each column corresponds to the number of times a host was observed in a line item from mon.lite or tcwpworm.txt. Individual columns are grouped by metric, flow scan or tcpworm. A score is calculated by assigning a weight to each category and calculating the sum of weighted values. The technical description of Ourmon includes details of columns derived from mon.lite and tcpworm files..
The host page expands information gathered to determine an overall score on the top page. Each column has a section in the host page giving a total of the measurements recorded for the entire time interval, mean, median, variance, maximum, minimum, start and stop time. In the case of flows and tcpworm, a sample of up to five occurrences is included.
Usage: ./topipa.pl -n num -s "A,B,C" -d directory -f "mon.lite_file0 ... mon.lite_fileN"
| -h | displays usage |
| -help | displays usage |
| -o | set output file (default topipa.html) |
| -n num | displays num lines |
| -s A,B,C,D | weights for scoring algorithm where |
| A flows, B metrics, C scans, D worms | |
| -d directory | directory of mon.lite files |
| -f file1 file2 ... fileN | list of files to read |
| -dw directory | directory of tcpworm files |
| -fw file1 file2 ... fileN | list of tcpworm files to read |
| -report | produce HTML host output |
| -do directory path | host HTML output directory |
| -wp relative directory path | host HTML URL path |
| -debug | produce debugging columns |
For example, to read mon.lite files from /path/to/directory/of/mon.lite and tcpworm files in /path/to/directory/of/tcpworm and process with a wighted score multiplying flows by 10, metrics by 8, scans by 6 and tcpworm by 4 with a relative web path of topipa outputting host files in /var/www/html/topipa
./topipa.pl -s "10,8,6,4" -d /path/to/directory/of/mon.lite -dw /path to directory/of/tcpworm -do /var/www/html/topipa -dw topipa --reportTuples are modified by changing the associated fieldheader associative array entry.