#!/bin/bash
############
#Usage: ./tcomppcaphttplog pcap_file http.log output_file
#Comparison of a pcap file and Suricata's http.log file.
#Parses a pcap file, takes out only the http GET requests and compares them to the http GET requests in Suricata's http.log
#For a successful test/comparison, please generate your pcap file in the standard wireshark/tcpdump libpcap format
#Author: Peter Manev
#Any bugs please let me know - petermanev][at][gmail[[dot]]com 
#Use as you please and please as you use.
############



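file1=$1
file2=$2
file_out=$3
ARGS=2         # Script requires 3 arguments, i.e. more than $ARGS.
E_BADARGS=85   # Wrong number of arguments passed to script.
# tshark's extract of the GET requests. The matcher derives its own work
# files from the same "$file1" name, so all three arguments must be plain
# file names in the current directory (as the usage text says).
httpget_file="httpget$file1"

# printf rather than echo -e throughout: the names are user input and echo
# would interpret backslash escapes or a leading "-n" found in them.
printf '\n Supplied files are:  %s     %s     %s\n\n' "$file1" "$file2" "$file_out"

if (( $# <= ARGS )); then
  printf '\n USAGE: %s "pcap_file" "http.log_file" "output_file"  - they should be in the same/current directory.\n Example:\n ./%s pcap_file http.log result \n' "${0##*/}" "${0##*/}" >&2
  printf '\n There is no need to create output_file.\n' >&2
  exit "$E_BADARGS"
fi

if [[ ! -f "$file1" || ! -f "$file2" ]]; then
  printf "File  %s  or  %s  DOESN'T exist!!\n\n" "$file1" "$file2" >&2
  exit 1
fi

# Refuse to "overwrite" anything that is not a regular file (a directory, a
# device ...); the rm-and-touch below is only meant for plain files.
if [[ -e "$file_out" && ! -f "$file_out" ]]; then
  printf '\n " %s " exists but is not a regular file. Refusing to overwrite it.\n' "$file_out" >&2
  exit 1
fi

if [[ ! -f "$file_out" ]]; then
  printf "\n File \" %s \"  doesn't exist.....creating output file \" %s \" \n" "$file_out" "$file_out"
  if touch -- "$file_out"; then
    printf ' successful! ...continuing.!\n'
  else
    printf '\nError creating  " %s " Please check permissions!\n' "$file_out" >&2
    exit 1
  fi
  printf '\n Some patience now please....\n\n'
else
  printf ' File " %s " exists. It will be OVERWRITTEN. \n' "$file_out"
  printf '\n Some patience now please.... \n\n'
  # Recreate the file rather than truncating through it: -f is true for a
  # symlink to a regular file, and rm replaces the link instead of its target.
  if ! rm -f -- "$file_out" || ! touch -- "$file_out"; then
    printf '\nError recreating  " %s " Please check permissions!\n' "$file_out" >&2
    exit 1
  fi
fi

# Stale extract from a previous run.
if [[ -f "$httpget_file" ]]; then
  rm -f -- "$httpget_file"
fi

if ! command -v tshark >/dev/null 2>&1; then
  printf ' Tshark is NOT installed. Please remedy that!\n' >&2
  exit 1
fi

# The pcap is untrusted input handed straight to tshark's dissectors, so run
# this script as an unprivileged user. -Y is the single-pass display filter;
# current tshark rejects the old -R form unless -2 (two-pass) is also given.
# tshark's exit status is checked so an unreadable/corrupt capture does not
# silently produce an empty extract.
if ! tshark -r "$file1" -t ad -T fields -E separator='>' \
    -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport \
    -e http.request.uri \
    -Y 'http.request.method == "GET" && tcp.port == 80 ' > "$httpget_file"; then
  printf '\n tshark failed while parsing %s\n' "$file1" >&2
  exit 1
fi
printf '\nDone parsing %s into %s !\n' "$file1" "$httpget_file"

# Fresh work copies; the matcher removes lines from them as pairs are found.
if [[ -f "unmatchedhttpget$file1" ]]; then
  rm -f -- "unmatchedhttpget$file1"
fi
if [[ -f "unmatched$file2" ]]; then
  rm -f -- "unmatched$file2"
fi
if ! cp -- "$httpget_file" "unmatchedhttpget$file1" || ! cp -- "$file2" "unmatched$file2"; then
  printf '\n Could not create the work copies of %s and %s\n' "$httpget_file" "$file2" >&2
  exit 1
fi
printf '\nStarting the comparison:\n'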
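#######################################
# Overwrite a file with the given lines, one per line.
# Arguments: $1 - target file; $2.. - lines (none -> empty file)
# Returns:   non-zero when the file cannot be written
#######################################
_tcomp_write_lines() {
  local target=$1
  shift
  : > "$target" || return 1
  # Guarded: printf with an empty argument list would still emit one blank line.
  if (( $# > 0 )); then
    printf '%s\n' "$@" >> "$target"
  fi
}

#######################################
# Pair the GET requests extracted from the pcap with Suricata's http.log.
# Reads unmatchedhttpget$file1 (tshark output, '>'-separated:
# time>src_ip>src_port>dst_ip>dst_port>uri) and unmatched$file2 (http.log,
# request URI taken from the 4th whitespace-separated field). A request and
# a log line match when their URIs are equal and the log line contains
# "src_ip:src_port -> dst_ip:dst_port"; each log line is consumed by at most
# one request, the first unmatched line in file order wins. Matched pairs are
# appended to $file_out, both work files are rewritten with only their
# unmatched lines, and a summary is printed.
# Both files are loaded once and compared in memory; the previous version
# re-spawned awk/sed for every line pair and let echo -e mangle the data.
# Globals:   file1, file2, file_out (read)
# Outputs:   one "*" per match and the summary on stdout, report to $file_out
# Returns:   0 on success, 1 when a work file cannot be read or written
#######################################
tcomppcaphttplog() {
  local req_file="unmatchedhttpget$file1"
  local log_file="unmatched$file2"
  local -a requests=() log_lines=() log_used=() req_left=() log_left=()
  local -a fields=()
  local line req_idx log_idx matched pattern
  local src_ip src_port dst_ip dst_port uri

  if [[ ! -r "$req_file" || ! -r "$log_file" ]]; then
    printf 'Cannot read %s or %s\n' "$req_file" "$log_file" >&2
    return 1
  fi
  # "|| [[ -n ]]" keeps a last line that lacks a trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    requests+=("$line")
  done < "$req_file"
  while IFS= read -r line || [[ -n "$line" ]]; do
    log_lines+=("$line")
  done < "$log_file"

  for req_idx in "${!requests[@]}"; do
    line=${requests[req_idx]}
    # Only '>' separates fields (no whitespace trimming), so a URI that
    # itself contains '>' still lands whole in $uri. The timestamp is unused.
    IFS='>' read -r _ src_ip src_port dst_ip dst_port uri <<< "$line"
    matched=0
    # A request without a URI cannot be matched meaningfully; keep it unmatched.
    if [[ -n "$uri" ]]; then
      for log_idx in "${!log_lines[@]}"; do
        [[ -n "${log_used[log_idx]:-}" ]] && continue
        read -r -a fields <<< "${log_lines[log_idx]}"
        [[ "${fields[3]:-}" == "$uri" ]] || continue
        # Dots in the addresses are escaped so they match literally instead
        # of acting as regex wildcards; the endpoint check is an ERE on the
        # whole log line.
        pattern="${src_ip//./\\.}:${src_port}[[:space:]]->[[:space:]]${dst_ip//./\\.}:${dst_port}"
        [[ "${log_lines[log_idx]}" =~ $pattern ]] || continue
        {
          printf '%s\n' '######################################################################'
          printf 'HTTP Request URI in httpget%s :\n' "$file1"
          printf ' %s \n\n' "$line"
          printf 'I S     E  Q  U  A  L     T O \n \n'
          printf 'HTTP Request URI in %s :\n' "$file2"
          printf ' %s \n' "${log_lines[log_idx]}"
        } >> "$file_out"
        log_used[log_idx]=1
        matched=1
        printf '*'
        break
      done
    fi
    (( matched )) || req_left+=("$line")
  done

  for log_idx in "${!log_lines[@]}"; do
    [[ -n "${log_used[log_idx]:-}" ]] || log_left+=("${log_lines[log_idx]}")
  done
  _tcomp_write_lines "$req_file" "${req_left[@]}" || return 1
  _tcomp_write_lines "$log_file" "${log_left[@]}" || return 1

  printf '\n httpget%s has %d HTTP_GET Requests that were NOT matched in  %s.\n' "$file1" "${#req_left[@]}" "$file2"
  printf ' They are saved in %s\n' "$req_file"
  printf '\n %s has %d HTTP_GET Requests that were NOT matched in httpget%s.\n' "$file2" "${#log_left[@]}" "$file1"
  printf ' They are saved in %s\n' "$log_file"
  printf '\n D O N E ! Please see file %s for the HTTP_GET Requests that were matched!\n' "$file_out"
  return 0
}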

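# Propagate the comparison's exit status instead of always reporting success.
tcomppcaphttplog
exit "$?"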