
Re: [suse-security] Tool to analyze firewall messages



On Sun, 20 Oct 2002, Franck MAHE wrote:

> David, Achim,
>
>
> > Around a month ago I posted a similar message to this list and got some
> > answers:
> > - Achim Hoffmann sent me a Perl-script for making a readable file out of
[ .. ]
> I'm interesting to get this script. Could U post it on this list or send it me by mail.

ok, I'll post my basic script.
Use it as is, or improve as you like (you need to adapt some variables first).
If somebody improves it in a valuable way (meaning it may be useful for others),
please send me the changes.

<comment to other suggestion to this thread>

 > kernel.info in /etc/syslog.conf
 this redirects all messages of the kernel facility at priority info (or higher)
 to the specified file, not only those logged by iptables

 > .. snort ..
 snort inspects packets on the wire, not syslog output, so it does not help with
 the questioner's purpose (filtering iptables log messages)
</comment to other suggestion to this thread>

Script follows, Achim.
-------------------------------------------

#! /usr/bin/perl
#?
#? NAME
#?      $0      - extract and format log messages of iptables
#?
#? SYNOPSIS
#?      $0
#?
#? DESCRIPTION
#?      Reads the syslog file named in $file, selects the lines that contain
#?      the iptables log prefix $ident and prints one line per logged packet:
#?      time, source/destination address and port, protocol and the IP
#?      header fields, followed by the remaining fields of the message.
#?      $file and $ident have to be adapted in the script itself.
#?
#? AUTHOR
#?      12-dec-01 ah@xxxxxxxxxxxxx
#?
# -----------------------------------------------------------------------------

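$SID = '@(#) extract_iptables_logs.pl 1.1 01/12/12 21:04:02';

# Basename of this script; it replaces "$0" in the usage text printed by -h
# and is used in error messages below.
$me = $0;
$me =~ s:.*[/\\]([^/\\]+):$1:;

# -h: print the usage text, i.e. every line of this file that starts with "#?".
if (defined $ARGV[0] && $ARGV[0] eq '-h') {
    # 3-arg open with an explicit mode: $0 is a path and must never be
    # interpreted as a mode prefix or a pipe, as the 2-arg form would allow.
    if (open(my $self, '<', $0)) {
        while (my $doc = <$self>) {
            $doc =~ s/\$0/$me/g;
            print "$1\n" if $doc =~ /^#\?(.*)$/;
        }
        close($self);
    }
    else {
        # As before: an unreadable script only warns, the exit status stays 0.
        warn "$0: WARNING: cannot read myself: $!\n";
    }
    exit( 0 );
}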

use Data::Dumper;

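$file   = '/var/log/messages';		# <-- change as you need
#$file  = '/var/log/yy';
$ident  = 'fw-scan:';			# <-- change as you need (the iptables log prefix)

# Number of whitespace-separated fields, counted from IN=, that are parsed as
# KEY=VALUE into %iphead; every field after them is printed verbatim as
# "payload".  13 matches the TCP example at the end of the file (IN .. DPT
# plus WINDOW).  A line carrying a MAC= field (not in the example) has one
# more header field; adjust if your log has it.  A bare "DF" token after ID=
# is handled below.
$HEAD_FIELDS = 13;

print "Time     src-IP         :port  > dst-IP         :port proto ttl id    tos  prec len   -- payload\n";
print "--------+----------------------+----------------------+----+---+-----+----+----+-----+----------\n";

open( my $log, '<', $file ) or die "*** $me cannot open '$file': $!";
LINE: while ( my $line = <$log> ) {
        # \Q..\E: $ident is a literal log prefix, not a regex.  The match is
        # unanchored, as before; note that any syslog line containing the
        # prefix is parsed, whichever process wrote it.
        next LINE unless $line =~ m/\Q$ident\E/;
        iphead_init();                  # reset %iphead for this packet
        my @fields = split( /\s+/, $line );
        # Leading syslog fields: "Mon DD HH:MM:SS host kernel: <prefix>".
        # They stay package globals like the rest of the script ($time is
        # also referenced by the STDOUT format below); only $time is printed.
        ($mon, $day, $time, $host, $tag, $prefix) = splice( @fields, 0, 6 );
        # "DF" is logged as a bare token, so compare exactly: /DF/i would also
        # hit a MAC= address or a hex TOS/PREC value containing "df" and shift
        # the split point.
        my $n_head = $HEAD_FIELDS;
        $n_head++ if grep { $_ eq 'DF' } @fields;
        my @payload = splice( @fields, $n_head ); # trailing protocol fields
        # The remaining KEY=VALUE pairs are the IP header part; bare flags
        # such as DF end up with an undefined value.
        foreach my $f (@fields) {
                my ($k, $v) = split( /=/, $f, 2 );
                $iphead{$k} = $v;
        }
        p_iphead( $time, \%iphead, @payload );
}
close $log;
exit( 0 );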

# Report-format variant of the packet line, kept for reference only: the
# select/write calls that would use it are commented out in p_iphead, so the
# fixed-width printf there is the output path that actually runs.
format IPHEAD_TOP =
# Page header: column titles for the packet lines below.
Time   src-IP          :port  > dst-IP          :port  proto ttl id    tos  prec len
-------------------------------------------------------------------------------------
.
# Default (STDOUT) format.  It reads the package globals $time and $p; the $p
# inside p_iphead is a lexical, so the global would have to be assigned before
# a write.
# NOTE(review): the argument line below is broken across two physical lines
# (after "$p->{"); perlform only allows a multi-line argument list when it is
# enclosed in braces, so this looks like mail wrapping and would have to be
# joined into one line before the format can be used.
format =
# time    src-IP           port   > dst-IP           port   proto ttl  id     tos   prec  len
@<<<<<<<< @<<<<<<<<<<<<<<< @<<<<< > @<<<<<<<<<<<<<<< @<<<<< @<<<< @<<< @<<<<< @<<<< @<<<< @<<<<<
$time,    $p->{SRC}, $p->{SPT}, $p->{DST}, $p->{DPT},$p->{PROTO},$p->{TTL},$p->{
ID},$p->{TOS},$p->{PREC},$p->{LEN}
.

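# Print one formatted line for a logged packet.
#   $t  - time field of the syslog line
#   $p  - hash ref of the KEY=VALUE fields of the iptables message (SRC, DST,
#         PROTO, TTL, ID, TOS, PREC, LEN and SPT/DPT or TYPE/CODE)
#   @f  - the remaining fields, printed verbatim as "payload"
# Only TCP, UDP and ICMP are printed; any other protocol produces no output.
sub p_iphead {
        my ($t, $p, @f) = @_;
        my $proto = defined $p->{PROTO} ? $p->{PROTO} : '';
        my $out;
        if ($proto eq 'TCP' || $proto eq 'UDP') {
            # UDP is logged with the same SPT=/DPT= fields as TCP.
            $out = sprintf( "%8s %15s %-5s > %15s %-5s %4s %3s %5s %4s %4s %5s -- %s\n",
                $t, $p->{SRC}, $p->{SPT}, $p->{DST}, $p->{DPT},
                $proto,$p->{TTL},$p->{ID},$p->{TOS},$p->{PREC},$p->{LEN},
                join( ' ', @f ) );
        }
        elsif ($proto eq 'ICMP') {
            # ICMP has no ports: iptables logs TYPE= and CODE= instead, which
            # is what the T and C column prefixes stand for (the old code
            # passed SPT/DPT here, which are never set for ICMP).
            $out = sprintf( "%8s %15s T%-4s > %15s C%-4s %4s %3s %5s %4s %4s %5s -- %s\n",
                $t, $p->{SRC}, $p->{TYPE}, $p->{DST}, $p->{CODE},
                $proto,$p->{TTL},$p->{ID},$p->{TOS},$p->{PREC},$p->{LEN},
                join( ' ', @f ) );
        }
        return unless defined $out;
        # Log lines are untrusted text: anything that can write to syslog can
        # plant control characters (e.g. terminal escapes) in them.  Keep the
        # output to printable ASCII plus the trailing newline.
        $out =~ tr/\x20-\x7e\n//cd;
        print $out;
        #select IPHEAD;
        #write;
        return;
}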

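# Reset the global %iphead for the next log line: every field the output
# routine may print gets the placeholder '.', and keys left over from the
# previous packet (e.g. WINDOW= or DF) are dropped so that they cannot leak
# into a line that does not carry them.  @idx stays a package global.
sub iphead_init {
    @idx = ('CODE', 'DF', 'DPT', 'DST', 'ID', 'IN', 'LEN', 'MAC', 'OUT', 'PREC',
            'PROTO', 'SPT', 'SRC', 'TOS', 'TTL', 'TYPE',);
    %iphead = ();
    @iphead{@idx} = ('.') x @idx;
    return;
}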

__END__

# TCP example -- a single log line, wrapped here for readability
Dec 12 17:38:11 dent kernel: fw-scan: IN=eth0 OUT=eth1 SRC=212.43.239.134
DST=192.168.18.149 LEN=40 TOS=0x00 PREC=0x00 TTL=120 ID=5595 PROTO=TCP SPT=22
DPT=22 WINDOW=64858 RES=0x00 SYN URGP=0



