The Juneau Linux Users Group


This script parses log entries created by an iptables firewall. You can adapt it to other log formats by changing the field numbers in the awk commands.

A typical log entry looks like this (it is all one line):
May 14 21:07:01 firewall kernel: Dropwall:IN=eth1 OUT= MAC=09:19:29:39:49:59:69:79:89:99:09:19:29:39 SRC=61.189.236.10 DST=24.237.22.218 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=50924 PROTO=UDP SPT=1026 DPT=137 LEN=58

By default, awk separates the fields of a line on whitespace. So we're interested in fields 9 (SRC=61.189.236.10), 18 (DPT=137) and occasionally 19, because from time to time an extra space sneaks into the log entry; when that happens the source port ends up in field 18 and the destination port in field 19. Your mileage may vary.

NOTE: This is quick & dirty. Yes, I know that there are more efficient ways of doing this that don't require THREE separate text files. However I tend to brute force my way through stuff like this, and quit when I get the results I want. Efficiency is left as an exercise for the reader.

-James


#!/bin/sh
# James Zuelow May 2003
# Summarise the iptables "DPT=" entries in /var/log/messages and mail the result.
emailaddress="you@your.domain"
# Use a private scratch directory instead of fixed names in /tmp: a predictable
# /tmp file written by a root cron job is a symlink-clobbering target.
tmpdir=$(mktemp -d) || exit 1
trap 'rm -rf "$tmpdir"' EXIT

echo " " > "$tmpdir/fw3.log"
echo " Top attacked ports: " >> "$tmpdir/fw3.log"
# Fields 18 and 19 are normally DPT= and the trailing LEN=, but become SPT= and
# DPT= when an extra space has shifted the fields by one.
grep "DPT=" /var/log/messages | awk '{ print $18" "$19 }' > "$tmpdir/fw.log"
# Unshifted lines start with DPT= (take field 1); shifted ones start with SPT=,
# so their DPT= is field 2.
grep "^D" "$tmpdir/fw.log" | awk '{ print $1 }' > "$tmpdir/fw2.log"
grep "^S" "$tmpdir/fw.log" | awk '{ print $2 }' >> "$tmpdir/fw2.log"
sort "$tmpdir/fw2.log" | uniq -c | sort -nr | head >> "$tmpdir/fw3.log"

echo "" >> "$tmpdir/fw3.log"
echo " Top attackers: " >> "$tmpdir/fw3.log"
# Field 9 is SRC=<address>.
grep "DPT=" /var/log/messages | awk '{ print $9 }' > "$tmpdir/fw.log"
sort "$tmpdir/fw.log" | uniq -c | sort -nr | head >> "$tmpdir/fw3.log"
mail -s "Firewall highlights" "$emailaddress" < "$tmpdir/fw3.log"
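As an added example (not part of James's script), here is a version that finds SRC= and DPT= by key name instead of by field number, so the extra space described above, and rules whose entries have a different number of fields, no longer shift the count; the log lines are constructed samples using documentation address ranges, and fw_top and fw_report are names chosen here.

```shell
#!/bin/sh
# Added example, not the original script: count iptables log values by key name
# rather than by awk field position, so an extra space (or an entry with a
# different field layout, like the ICMP line) cannot move the columns.

# Constructed sample entries; the addresses are documentation ranges, not hosts.
# The third line carries the extra space the page warns about (after SRC=).
SAMPLE_LOG='May 14 21:07:01 firewall kernel: Dropwall:IN=eth1 OUT= MAC=09:19:29:39:49:59:69:79:89:99:09:19:29:39 SRC=192.0.2.10 DST=198.51.100.7 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=50924 PROTO=UDP SPT=1026 DPT=137 LEN=58
May 14 21:07:05 firewall kernel: Dropwall:IN=eth1 OUT= MAC=09:19:29:39:49:59:69:79:89:99:09:19:29:39 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=110 ID=50925 PROTO=TCP SPT=4321 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
May 14 21:07:09 firewall kernel: Dropwall:IN=eth1 OUT= MAC=09:19:29:39:49:59:69:79:89:99:09:19:29:39 SRC=192.0.2.77  DST=198.51.100.7 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=50926 PROTO=UDP SPT=1027 DPT=137 LEN=58
May 14 21:07:12 firewall kernel: Dropwall:IN=eth1 OUT= MAC=09:19:29:39:49:59:69:79:89:99:09:19:29:39 SRC=203.0.113.5 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1'

# fw_top KEY [N]: read log lines on stdin and print the N (default 10) most
# frequent values of KEY= among "Dropwall:" entries as "count value".
fw_top() {
    key=$1
    n=${2:-10}
    awk -v key="$key" '
        /Dropwall:/ {
            # Scan every whitespace-separated token for one beginning with KEY=
            # and emit its value; entries without that key are skipped.
            for (i = 1; i <= NF; i++) {
                if (index($i, key "=") == 1) {
                    print substr($i, length(key) + 2)
                    break
                }
            }
        }' | sort | uniq -c | sort -rn | head -n "$n" | awk '{ print $1 " " $2 }'
}

# fw_report: the same two sections the script above mails, built from stdin.
fw_report() {
    log=$(cat)
    echo " Top attacked ports: "
    printf '%s\n' "$log" | fw_top DPT
    echo ""
    echo " Top attackers: "
    printf '%s\n' "$log" | fw_top SRC
}

printf '%s\n' "$SAMPLE_LOG" | fw_report
```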