sergioMITM

snort query for # events by IP/Day

Jan 28th, 2018
  1. #!/usr/bin/python
  2.  
  3. import MySQLdb
  4. import argparse
  5. import getpass
  6.  
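def parse_args(argv=None):
    """Parse the command line.

    Args:
        argv: argument list to parse; ``None`` means argparse's default
            (``sys.argv[1:]``), so the original no-argument call still works.

    Returns:
        argparse.Namespace whose ``days`` attribute is an int. The value ends
        up inside a SQL ``INTERVAL ... DAY`` expression, so it is validated as
        an integer here rather than accepted as arbitrary text.
    """
    parser = argparse.ArgumentParser(
        description="Count Snort events per day, signature and src/dst IP.")
    parser.add_argument("days", type=int,
                        help="number of days for which to execute the query")
    return parser.parse_args(argv)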
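def main():
    """Print per-day Snort event counts grouped by signature and src/dst IP.

    Prompts for the MySQL password, queries the last ``days`` days of events
    from the Snort schema and writes one tab-separated line per
    (date, count, priority, src, dst, signature name) row.

    Raises:
        ValueError: if the ``days`` argument is not an integer.
    """
    args = parse_args()
    db_pass = getpass.getpass("mysql password:")
    db = MySQLdb.connect(host="localhost",  # your host
                         user="snort",      # username
                         passwd=db_pass,    # password
                         db="snort")        # name of the database
    try:
        cur = db.cursor()
        # The day count is bound as a query parameter instead of being pasted
        # into the SQL text. The driver does %-style substitution on execute(),
        # so '%%' is still needed to emit the literal '%' DATE_FORMAT expects.
        sql = ("SELECT DATE_FORMAT(timestamp, '%%Y-%%m-%%d') AS date, COUNT(event.cid), "
               "sig_priority, inet_ntoa(ip_src), inet_ntoa(ip_dst), sig_name "
               "FROM event "
               "INNER JOIN signature on event.signature = signature.sig_id "
               "INNER JOIN iphdr on event.sid = iphdr.sid AND event.cid = iphdr.cid "
               "WHERE timestamp > DATE_SUB(NOW(), INTERVAL %s day) "
               "GROUP BY date, sig_name, sig_priority, inet_ntoa(ip_src), inet_ntoa(ip_dst) "
               "ORDER BY date, COUNT(event.cid) ASC")
        # int() both validates the input and makes the driver bind an unquoted
        # integer literal, which is what INTERVAL expects.
        cur.execute(sql, (int(args.days),))

        for row in cur.fetchall():
            # row is the 6-tuple selected above; parenthesised print works on
            # both Python 2 and 3.
            print("%s\t%d\t%d\t%s\t%s\t\t%s" % row)
    finally:
        # Always release the connection, even if the query fails.
        db.close()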
# Script entry point: only run the query when executed directly, not on import.
if __name__ == "__main__":
    main()