Date: Sun, 30 Jul 1995 20:17:51 +0100 From: Gary Palmer <gary@palmer.demon.co.uk> To: security@freebsd.org Subject: Firewall report generator Message-ID: <1480.807131871@palmer.demon.co.uk>
Hi
Due to getting quite a few requests and the relatively small size of
the program (despite the 1.5k copyright message :-( ), I've decided to
post this here for all to see :-)
This relies on perl4 - I dunno what'll happen if you feed this to
perl5, and I don't particularly want to try, so I've specified that it
must be run by /usr/bin/perl, which under FreeBSD should be perl4.
Just after the BSD-style copyright, there are a few variables you can
tweak, and a brief explanation of what they do. They are supplied set
to something vaguely resembling global defaults.
If you find this useful, all donations of cash or hardware (or pizza
at a push) are gratefully received :-)
Gary
-- SNIP --
#!/usr/bin/perl
# $Id$
#
# Copyright (c) 1995
# Gary J. Palmer. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer,
# verbatim and that no modifications are made prior to this
# point in the file.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
# must display the following acknowledgement:
# This product includes software developed by Gary J. Palmer
# for the FreeBSD Project.
# 4. The name of Gary J. Palmer or the FreeBSD Project may not be used
# to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY GARY J PALMER ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL GARY J PALMER BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
# OF USE, DATA, LIFE OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
# TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
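# Where the kernel messages are recorded by syslog
$LOGFILE="/var/log/messages";

# How to read the log.  This string is handed to a 2-arg open() below, so
# it may be a shell pipeline, e.g. for a compressed log:
#   $READLOG="/usr/bin/zcat $LOGFILE |";
# Because it is shell-interpreted, only ever set it here - never build it
# from the environment, arguments or anything else outside this file.
$READLOG="$LOGFILE";

# A scratch file for recording the output before mailing it off.
# You may want to move it to somewhere with a lot of disk space if you
# have a lot of data for the report.
# NB: this is a fixed name in a world-writable directory.  If the script
# runs as root, a local user who pre-creates this path (or a symlink at
# it) can get whatever it points at truncated.  Prefer a directory that
# only the user running this script can write to.
$REPORT="/var/tmp/.report";

# Who to e-mail the report to.  Interpolated into the mailer command
# line, so keep it a fixed, trusted value.
$MAILTO="root";

# Who the e-mail should look like it's come from
# NB - This may not work right, depending on what userid runs this script
# and how your sendmail.cf is setup
$MAILFROM="root";

# The mailer to feed the e-mail to - sendmail by default.  Also
# interpolated into a shell command line; see $MAILTO.
# (The original line was missing its trailing ';', which made the whole
# script a syntax error.)
$MAILER="/usr/sbin/sendmail";

# The regex used for matching logfile entries.  Captures, in order:
#   1 everything before the "/" of the program name (timestamp and host)
#   2 the program name (e.g. "kernel")
#   3 the protocol as logged (e.g. "TCP")
#   4 source address  5 source port
#   6 destination address  7 destination port
# Single-quoted so there is no interpolation or escape processing to
# second-guess before the regex engine sees it.
$PATTERN='([^/]+)/([a-zA-Z_0-9]+): Deny ([A-Z0-9a-z]+) ([0-9.]+):([0-9]+) ([0-9.]+):([0-9]+)';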
###############################################################################
# In theory, you shouldn't have to touch below here #
###############################################################################
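# Open the log.  This is deliberately a 2-arg open so that $READLOG may be
# a "command |" pipeline (see the zcat example above).  That also means
# the string is shell-interpreted, so $READLOG must only ever be set in
# this file - never from the environment or arguments.
open(FILE, "$READLOG") || die "$0: cannot open $READLOG: $!\n";

# The scratch file has a fixed name in a world-writable directory by
# default.  If this runs as root, a local user who pre-creates that path,
# or a symlink there, can get whatever it points at truncated.  Refuse to
# reuse anything that already exists and keep the report private to us.
# The test/open pair still races, so a directory only the running user
# can write to is the real fix.
if (-l $REPORT || -e $REPORT) {
    die "$0: $REPORT already exists - refusing to overwrite it\n";
}
umask(077);
open(OUTFILE, "> $REPORT") || die "$0: cannot create $REPORT: $!\n";

print OUTFILE "From: $MAILFROM\n";
print OUTFILE "Reply-To: $MAILFROM\n";
print OUTFILE "To: $MAILTO\n";
print OUTFILE "Subject: Firewall Packets Denied Report\n";
print OUTFILE "\n";

# One output line per matching log line:
#   <timestamp/host> <proto> <src>:<sport> <dst>:<dport>
# where src/dst are the reverse-resolved names when there are any, else
# the dotted quads, and the ports are service names when the port/protocol
# pair is known to getservbyport(), else the numbers.
while (<FILE>) {
    next unless m/$PATTERN/i;
    ($date, $kernel, $proto, $fromaddr, $fromport, $toaddr, $toport) =
        ($1, $2, $3, $4, $5, $6, $7);

    # getservbyport() wants the protocol in lower case ("tcp", "udp").
    $lcproto = $proto;
    $lcproto =~ tr/A-Z/a-z/;

    $fromhost = &lookup_host($fromaddr);
    $tohost   = &lookup_host($toaddr);
    ($fromportn) = getservbyport(&htons($fromport), $lcproto);
    ($toportn)   = getservbyport(&htons($toport), $lcproto);

    $from    = ($fromhost ne "")  ? $fromhost  : $fromaddr;
    $fromsvc = ($fromportn ne "") ? $fromportn : $fromport;
    $to      = ($tohost ne "")    ? $tohost    : $toaddr;
    $tosvc   = ($toportn ne "")   ? $toportn   : $toport;
    print OUTFILE "$date$proto $from:$fromsvc $to:$tosvc\n";
}
close(FILE);
close(OUTFILE) || die "$0: error writing $REPORT: $!\n";

# Feed the report to the mailer on its stdin.  The original ran
# "cat ... | mailer ... ; rm ..." in backticks and never looked at the
# result, so a failed mailer silently threw the report away.  $MAILER and
# $MAILTO are still shell-interpolated here, so they too must stay
# trusted constants from this file.
if (system("$MAILER $MAILTO < $REPORT") != 0) {
    warn "$0: $MAILER exited with status " . ($? >> 8)
        . "; the report has been left in $REPORT\n";
} else {
    unlink($REPORT) || warn "$0: cannot remove $REPORT: $!\n";
}

# Reverse-resolve a dotted quad once and remember the answer: a busy log
# repeats the same few addresses many times and every gethostbyaddr() is
# a network round trip.  The PTR record is chosen by whoever controls the
# address block, so the name is display-only: anything outside printable
# ASCII is stripped before it can reach the mail, and it must not be used
# to decide anything.  Returns "" when there is no name.  The 2 is
# AF_INET (perl4 has no Socket module to spell it).
sub lookup_host {
    local($addr) = @_;
    local($name);

    return $hostcache{$addr} if defined $hostcache{$addr};
    $name = gethostbyaddr(&inet_aton($addr), 2);
    $name = "" unless defined $name;
    $name =~ s/[^\040-\176]//g;
    $hostcache{$addr} = $name;
    return $name;
}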
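# Pack a dotted-quad IPv4 address ("a.b.c.d") into the 4-byte binary form
# gethostbyaddr() wants; hand-rolled because perl4 has no Socket module.
# Returns undef for anything that is not exactly four decimal octets in
# the range 0-255.
#
# The original matched with unescaped dots (so "1x2x3x4" passed), ignored
# the match result - malformed input silently reused $1..$4 from whatever
# regex matched last, i.e. the log-line pattern in the main loop - and
# assigned to $_, clobbering the current log line of the caller.
sub inet_aton {
    local($addr) = @_;
    local($o1, $o2, $o3, $o4);

    if ($addr !~ /^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$/) {
        # A bare "return;" would be an empty list, which shifts the
        # caller's argument list when this is used inside
        # gethostbyaddr(&inet_aton($x), 2); return a single undef.
        return undef;
    }
    ($o1, $o2, $o3, $o4) = ($1, $2, $3, $4);
    # pack 'C' silently wraps values above 255; reject them instead.
    return undef if $o1 > 255 || $o2 > 255 || $o3 > 255 || $o4 > 255;
    return pack('C4', $o1, $o2, $o3, $o4);
}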
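# Convert a 16-bit port number from host to network byte order and return
# it as a plain integer.  This exists because, under perl4, getservbyport()
# passes the port straight to the C library, which expects network order.
# NOTE(review): perl5's getservbyport() is believed to apply htons() itself,
# in which case calling this first double-swaps on little-endian hosts and
# every service-name lookup misses - confirm before running under perl5.
#
# The original also declared unused locals $out, $a and $b ($a and $b are
# the sort() comparison globals); they are gone.
sub htons {
    local($in) = @_;

    # pack 'n' writes the value big-endian; reading those two bytes back as
    # a native unsigned short ('S') yields the byte-swapped integer on
    # little-endian machines and the same value on big-endian ones.
    return unpack('S', pack('n', int($in)));
}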
