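#!/usr/bin/env bash
#
# scan.sh - per-rule match statistics for greylite's suspicion ruleset.
#
# Usage: scan.sh <ruleset> <log>
#   <ruleset>  greylite suspicion ruleset; lines starting with '#' are comments
#   <log>      a single logfile, or a multilog directory (*.u, *.s, current)
#
# Counts come from log lines containing the literal markers ' pid ' (one per
# connection), ' matched client ' (one per suspicious connection) and
# ' in line N ' (one per hit of rule N).  Log contents are only ever matched
# as fixed strings (grep -F), never interpreted as patterns or code.
#
# The original was a #!/bin/sh script using the bash-only `for ((...))`,
# parsed `ls`, left $LOGS unquoted, did a stray `cd "$2"` (which broke
# relative directory paths and printed a directory via `cd -`), read stdin
# when no log file existed, and let bc divide by zero when there were no
# connections or no suspicious ones.

set -u

# Log files to scan; filled in by main().
declare -a LOGS=()

#######################################
# Print usage to stderr and exit 1.
#######################################
usage() {
  printf '%s\n' 'Usage:' >&2
  printf '%s\n' 'scan.sh <ruleset> <log>' >&2
  printf '%s\n' "<ruleset>: ruleset for greylite's suspicion" >&2
  printf '%s\n' '<log>: logfile or multilog directory' >&2
  exit 1
}

#######################################
# Count log lines containing a fixed string.
# Globals:   LOGS (read) - files to scan; unreadable ones are skipped, as the
#                          original did with 2>/dev/null
# Arguments: $1 - literal marker, matched with grep -F (not as a regex)
# Outputs:   the count on stdout; 0 when LOGS is empty or nothing matches
# Returns:   always 0
#######################################
count_matches() {
  local marker=$1
  if [ "${#LOGS[@]}" -eq 0 ]; then
    printf '0\n'
    return 0
  fi
  # Concatenate first: `grep -c` over several files prints one count per
  # file, but over one stream it prints a single number.  The
  # ${LOGS[@]+...} form keeps `set -u` happy on bash < 4.4.
  cat -- ${LOGS[@]+"${LOGS[@]}"} 2>/dev/null | grep -c -F -- "$marker"
  return 0
}

#######################################
# 100 * part / whole, truncated to two decimals, with shell integer
# arithmetic only (drops the bc dependency).
# Arguments: $1 - part, $2 - whole (non-negative integers)
# Outputs:   e.g. "33.33"; "0.00" when whole is 0 instead of a bc error
#######################################
percent() {
  local part=$1 whole=$2 hundredths
  if [ "$whole" -eq 0 ]; then
    printf '0.00\n'
    return 0
  fi
  hundredths=$(( part * 10000 / whole ))
  printf '%d.%02d\n' $(( hundredths / 100 )) $(( hundredths % 100 ))
}

#######################################
# Entry point.
# Globals:   LOGS (written)
# Arguments: $1 - ruleset file, $2 - logfile or multilog directory
# Outputs:   a one-line summary, then one row per rule on stdout
# Returns:   exits 1 on usage error, 2 when an input cannot be read
#######################################
main() {
  if [ "$#" -lt 2 ] || [ -z "$1" ] || [ -z "$2" ]; then
    usage
  fi
  local ruleset=$1 target=$2
  local f

  if [ -f "$target" ]; then
    LOGS=("$target")
  elif [ -d "$target" ]; then
    # Same file set as the original `ls dir/*.u dir/*.s dir/current`, but via
    # globs: no ls parsing, and names with spaces survive.  An unmatched glob
    # stays literal, so test each candidate before keeping it.
    for f in "$target"/*.u "$target"/*.s "$target"/current; do
      [ -e "$f" ] && LOGS+=("$f")
    done
  else
    printf 'Could not access %s\n' "$target" >&2
    exit 2
  fi

  if [ ! -r "$ruleset" ]; then
    printf 'Could not read %s\n' "$ruleset" >&2
    exit 2
  fi

  local rulesno conns susp i hits
  # Every non-comment line counts as a rule, blank lines included, exactly as
  # the original `grep -v '^#' | wc -l` did.
  rulesno=$(grep -c -v '^#' -- "$ruleset")
  conns=$(count_matches ' pid ')
  susp=$(count_matches ' matched client ')

  # summary
  printf '%s rules, %s total connections, %s found suspicious\n' \
    "$rulesno" "$conns" "$susp"

  # stats
  printf '%12s %12s %12s %12s\n' 'rule#' 'matches' '%-of-conns' '%-of-matches'
  for (( i = 1; i <= rulesno; i++ )); do
    hits=$(count_matches " in line $i ")
    printf '%12d %12d %12f %12f\n' "$i" "$hits" \
      "$(percent "$hits" "$conns")" "$(percent "$hits" "$susp")"
  done
}

main "$@"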