From owner-freebsd-security Sun Jul 30 12:22:25 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id MAA20420 for security-outgoing; Sun, 30 Jul 1995 12:22:25 -0700
Received: from palmer.demon.co.uk (palmer.demon.co.uk [158.152.50.150]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id MAA20395 for ; Sun, 30 Jul 1995 12:21:16 -0700
Received: from localhost (localhost [127.0.0.1]) by palmer.demon.co.uk (8.6.11/8.6.11) with SMTP id UAA01482 for ; Sun, 30 Jul 1995 20:17:52 +0100
To: security@freebsd.org
Subject: Firewall report generator
Date: Sun, 30 Jul 1995 20:17:51 +0100
Message-ID: <1480.807131871@palmer.demon.co.uk>
From: Gary Palmer
Sender: security-owner@freebsd.org
Precedence: bulk

Hi

Due to getting quite a few requests and the relatively small size of the
program (despite the 1.5k copyright message :-( ), I've decided to post
this here for all to see :-)

This relies on perl4 - I dunno what'll happen if you feed this to perl5,
and I don't particularly want to try, so I've specified that it must be
run by /usr/bin/perl, which under FreeBSD should be perl4.

Just after the BSD-style copyright, there are a few variables you can
tweak, and a brief explanation of what they do. They are supplied set to
something vaguely resembling global defaults.

If you find this useful, all donations of cash or hardware (or pizza at a
push) are gratefully received :-)

Gary

-- SNIP --
#!/usr/bin/perl
# $Id$
#
# Copyright (c) 1995
#       Gary J. Palmer.  All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer,
#    verbatim and that no modifications are made prior to this
#    point in the file.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
#    must display the following acknowledgement:
#      This product includes software developed by Gary J. Palmer
#      for the FreeBSD Project.
# 4. The name of Gary J. Palmer or the FreeBSD Project may not be used
#    to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY GARY J PALMER ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL GARY J PALMER BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
# OF USE, DATA, LIFE OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
# TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# Where the kernel messages are recorded by syslog
$LOGFILE="/var/log/messages";

# How to read the log (e.g. if it has been compressed)
# if it has been compressed, use something like:
# $READLOG="/usr/bin/zcat $LOGFILE |"
$READLOG="$LOGFILE";

# A scratch file for recording the output before mailing it off
# You may want to move it to somewhere with a lot of disk space if you
# have a lot of data for the report
$REPORT="/var/tmp/.report";

# Who to e-mail the report to
$MAILTO="root";

# Who the e-mail should look like it's come from
# NB - This may not work right, depending on what userid runs this script
# and how your sendmail.cf is setup
$MAILFROM="root";

# The mailer to feed the e-mail to - sendmail by default
$MAILER="/usr/sbin/sendmail";

# The regex pattern used for matching logfile entries (jeeze - this is
# nasty :-( )
# Captures: date/host, "kernel", protocol, from addr, from port, to addr, to port
$PATTERN='([^\/]+)\/([a-zA-Z_0-9]+): Deny ([A-Z0-9a-z]+) ([0-9\.]+):([0-9]+) ([0-9\.]+):([0-9]+)';

###############################################################################
# In theory, you shouldn't have to touch below here                           #
###############################################################################

open(FILE, "$READLOG") || die "cannot open $READLOG: $!\n";
open(OUTFILE, "> $REPORT") || die "cannot create $REPORT: $!\n";

# RFC 822 headers for the report, so it can be fed straight to sendmail
print OUTFILE "From: $MAILFROM\n";
print OUTFILE "Reply-To: $MAILFROM\n";
print OUTFILE "To: $MAILTO\n";
print OUTFILE "Subject: Firewall Packets Denied Report\n";
print OUTFILE "\n";

while (<FILE>) {
    if (m/$PATTERN/i) {
        ($date, $kernel, $proto, $fromaddr, $fromport, $toaddr, $toport) =
            ($1, $2, $3, $4, $5, $6, $7);

        # getservbyport() wants the protocol name in lower case
        $a = $proto;
        $a =~ tr/A-Z/a-z/;

        # Resolve addresses and ports to names where possible (2 == AF_INET).
        # perl4 has no Socket module, so inet_aton() and htons() are defined below.
        $fromhost = gethostbyaddr(&inet_aton($fromaddr), 2);
        ($fromportn) = getservbyport(&htons($fromport), $a);
        $tohost = gethostbyaddr(&inet_aton($toaddr), 2);
        ($toportn) = getservbyport(&htons($toport), $a);

        # One report line per denied packet; fall back to the raw
        # address/port when the lookup returned nothing
        print OUTFILE "$date$proto ";
        print OUTFILE "$fromhost:" if $fromhost ne "";
        print OUTFILE "$fromaddr:" if $fromhost eq "";
        print OUTFILE "$fromportn " if $fromportn ne "";
        print OUTFILE "$fromport " if $fromportn eq "";
        print OUTFILE "$tohost:" if $tohost ne "";
        print OUTFILE "$toaddr:" if $tohost eq "";
        print OUTFILE "$toportn\n" if $toportn ne "";
        print OUTFILE "$toport\n" if $toportn eq "";
    }
}
close(FILE);
close(OUTFILE);

# Mail the report off and remove the scratch file
`cat $REPORT | $MAILER $MAILTO ; rm $REPORT`;

# Pack a dotted-quad string into the 4-byte in_addr that gethostbyaddr() wants
sub inet_aton {
    local($addr) = @_;
    local($in_addr, $foo);
    local($_) = $addr;
    $foo = /([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/;
    $in_addr = pack('C4', $1, $2, $3, $4);
    return $in_addr;
}

# Convert a 16-bit port number from host to network byte order
sub htons {
    local($in) = @_;
    local($out, $a, $b);
    $out = unpack('S', pack('n', int($in)));
    return $out;
}
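As an added example (not part of Gary's post or the FreeBSD project), the same "host /kernel: Deny PROTO src:port dst:port" log format handled in Python 3, aggregating denied packets per flow so one report line carries a hit count instead of one line per packet; the syslog lines in SAMPLE_LOG are constructed test data, not real traffic.

```python
import re
import socket
from collections import Counter

# Same capture groups as the script's $PATTERN, named for readability
PATTERN = re.compile(
    r"^(?P<date>[^/]+)/(?P<kern>[A-Za-z_0-9]+): Deny (?P<proto>[A-Za-z0-9]+) "
    r"(?P<src>[0-9.]+):(?P<sport>[0-9]+) (?P<dst>[0-9.]+):(?P<dport>[0-9]+)"
)

# Constructed sample syslog lines (RFC 5737 test addresses); the Accept line must be ignored
SAMPLE_LOG = """\
Jul 30 12:01:02 gw /kernel: Deny TCP 192.0.2.10:4021 198.51.100.5:23
Jul 30 12:01:05 gw /kernel: Deny TCP 192.0.2.10:4022 198.51.100.5:23
Jul 30 12:02:17 gw /kernel: Deny UDP 192.0.2.77:53 198.51.100.5:53
Jul 30 12:03:00 gw /kernel: Accept TCP 192.0.2.10:4023 198.51.100.5:80
Jul 30 12:03:41 gw /kernel: Deny TCP 192.0.2.10:4024 198.51.100.5:23
"""

def parse_deny(lines):
    """Yield one record per Deny line; non-matching lines are skipped, as m/$PATTERN/ does."""
    for line in lines:
        m = PATTERN.match(line)
        if m:
            rec = m.groupdict()
            rec["proto"] = rec["proto"].lower()  # getservbyport() wants "tcp"/"udp"
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec

def service_name(port, proto):
    """Look the port up in /etc/services like getservbyport(); fall back to the number."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return str(port)

def summarize(lines):
    """Count denied packets per (proto, src, dst, dport) flow."""
    counts = Counter()
    for rec in parse_deny(lines):
        counts[(rec["proto"], rec["src"], rec["dst"], rec["dport"])] += 1
    return counts

def report(lines):
    """Render the report body, busiest flow first."""
    rows = ["%s %s -> %s:%s x%d" % (proto, src, dst, service_name(dport, proto), n)
            for (proto, src, dst, dport), n in summarize(lines).most_common()]
    return "\n".join(rows)

if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```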